Analysis

Max time kernel: 155s
Max time network: 182s
Platform: windows7_x64
Resource: win7-en-20211208
Submitted: 12-02-2022 03:24
Static task: static1

Behavioral task: behavioral1
- Sample: 17b7c6e32aa3028c4c04295bbf215d1755d26c7085535704874b5b6c2c345b43.exe
- Resource: win7-en-20211208

Behavioral task: behavioral2
- Sample: 17b7c6e32aa3028c4c04295bbf215d1755d26c7085535704874b5b6c2c345b43.exe
- Resource: win10v2004-en-20220113
General

Target: 17b7c6e32aa3028c4c04295bbf215d1755d26c7085535704874b5b6c2c345b43.exe
Size: 200KB
MD5: c56e916cd6b485bf3a3583b66312ea66
SHA1: 6eb675a1dd38606a51a71d3dd6cb6f376ce5b725
SHA256: 17b7c6e32aa3028c4c04295bbf215d1755d26c7085535704874b5b6c2c345b43
SHA512: 8e130ccf473fc8b0504ebd18eaef80c5cd7d36fe7b30e77b4c84f5e8cd4866e0e0a123977602716f8ac377174ac10138b80fc449216f4f61faf284d729d427cb
Malware Config
Signatures

Sakula Payload (4 IoCs)
Resource | YARA rule
- \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- behavioral1/memory/1272-59-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
- behavioral1/memory/612-60-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
The dropped MediaCenter.exe on disk and the 0x400000-0x420000 image regions of both PID 1272 (the submitted sample) and PID 612 (the dropped copy) match the same family_sakula rule, so the sample and its drop carry the Sakula payload in memory as well as on disk.

Executes dropped EXE (1 IoCs)
- MediaCenter.exe (PID 612)

Deletes itself (1 IoCs)
- cmd.exe (PID 1256)

Loads dropped DLL (1 IoCs)
- 17b7c6e32aa3028c4c04295bbf215d1755d26c7085535704874b5b6c2c345b43.exe (PID 1272)

Adds Run key to start application (2 TTPs, 1 IoCs)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe" by 17b7c6e32aa3028c4c04295bbf215d1755d26c7085535704874b5b6c2c345b43.exe
The Wow6432Node path (and the SysWOW64 cmd.exe and PING.EXE in the process tree) show a 32-bit sample running under WOW64 on the x64 VM; the redirected HKLM Run key still launches the Temp-resident drop at every logon for every user, which is possible here only because the sandbox user is an administrator.

Enumerates physical storage devices (1 TTPs)
- Attempts to interact with connected storage/optical drive(s). The sandbox's generic signature text calls this likely ransomware behaviour; nothing else in this report (no file encryption, no ransom note) supports that, and the family match is Sakula, a backdoor, so treat this heuristic as low-confidence.

Runs ping.exe (1 TTPs, 1 IoCs)

Suspicious use of AdjustPrivilegeToken (1 IoCs)
- Token: SeIncBasePriorityPrivilege, PID 1272, 17b7c6e32aa3028c4c04295bbf215d1755d26c7085535704874b5b6c2c345b43.exe

Suspicious use of WriteProcessMemory (12 IoCs)
Source PID | Source process | Target PID | Target process | Writes
- 1272 | 17b7c6e32aa3028c4c04295bbf215d1755d26c7085535704874b5b6c2c345b43.exe | 612 | MediaCenter.exe | 4
- 1272 | 17b7c6e32aa3028c4c04295bbf215d1755d26c7085535704874b5b6c2c345b43.exe | 1256 | cmd.exe | 4
- 1256 | cmd.exe | 1128 | PING.EXE | 4
Every write goes into a process the writer itself has just created, the pattern a parent produces when it sets up a child's address space at CreateProcess time; on its own this signature is not evidence of injection into an unrelated process.
Processes

1. C:\Users\Admin\AppData\Local\Temp\17b7c6e32aa3028c4c04295bbf215d1755d26c7085535704874b5b6c2c345b43.exe (PID 1272)
   Command line: "C:\Users\Admin\AppData\Local\Temp\17b7c6e32aa3028c4c04295bbf215d1755d26c7085535704874b5b6c2c345b43.exe"
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 612)
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE

   2. C:\Windows\SysWOW64\cmd.exe (PID 1256)
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\17b7c6e32aa3028c4c04295bbf215d1755d26c7085535704874b5b6c2c345b43.exe"
      - Deletes itself
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\PING.EXE (PID 1128)
         Command line: ping 127.0.0.1
         - Runs ping.exe

The ping to 127.0.0.1 is used purely as a delay: it gives the parent (PID 1272) time to exit before del removes its image, since Windows refuses to delete an executable that is still mapped by a running process. The command line names System32\cmd.exe but the image that runs is SysWOW64\cmd.exe, the file-system redirection applied to a 32-bit process on x64.
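The three behaviours recorded above (a Run key pointing into a user Temp directory, a Temp-resident drop launched by a Temp-resident parent, and the cmd /c ping 127.0.0.1 & del self-deletion chain) are all visible in ordinary process-creation and registry telemetry. The Python below is an added example written for this page, not sandbox output or Sakula code. The event dictionaries are constructed to mirror this report's process tree and registry write, with hypothetical Sysmon-style field names, plus two benign events (a vendor Run key under Program Files and an interactive ping with no chained del) to show the rules stay quiet on ordinary activity.

```python
import re
from typing import Dict, List, Optional

# Constructed events mirroring this report's process tree and registry write.
# Field names are hypothetical, Sysmon-style; they are not the sandbox's format.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\17b7c6e32aa3028c4c04295bbf215d1755d26c7085535704874b5b6c2c345b43.exe")
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

EVENTS: List[Dict] = [
    {"type": "process", "pid": 1272, "ppid": 1000, "image": SAMPLE,
     "cmdline": f'"{SAMPLE}"'},
    {"type": "registry", "pid": 1272,
     "target": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "details": DROPPED},
    {"type": "process", "pid": 612, "ppid": 1272, "image": DROPPED, "cmdline": DROPPED},
    {"type": "process", "pid": 1256, "ppid": 1272,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"'},
    {"type": "process", "pid": 1128, "ppid": 1256,
     "image": r"C:\Windows\SysWOW64\PING.EXE", "cmdline": "ping 127.0.0.1"},
    # Benign noise (constructed): a vendor updater registering its own Run key,
    # and an operator pinging loopback from a shell without a chained del.
    {"type": "registry", "pid": 2000,
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "details": r"C:\Program Files\Vendor\updater.exe"},
    {"type": "process", "pid": 2100, "ppid": 2000,
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c ping 127.0.0.1"},
]

RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
USER_TEMP = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
# "ping <loopback>" used only as a delay, chained with & into a del of some path.
# [^&]* keeps the match inside the ping command, so "ping -n 3 localhost > nul" also hits.
PING_THEN_DEL = re.compile(
    r"\bping\b[^&]*?(?:127\.0\.0\.1|localhost|::1)[^&]*&\s*del\b(.*)", re.I)


def deleted_target(cmdline: str) -> Optional[str]:
    """Path passed to del in a 'ping loopback & del ...' chain, or None if absent."""
    m = PING_THEN_DEL.search(cmdline)
    if not m:
        return None
    # Drop del switches such as /q /f; keep the first path token, quoted or bare.
    tokens = [t for t in re.findall(r'"[^"]+"|\S+', m.group(1)) if not t.startswith("/")]
    return tokens[0].strip('"') if tokens else ""


def detect(events: List[Dict]) -> List[Dict]:
    """Apply three rules derived from the report to a flat list of events."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    findings = []
    for e in events:
        if e["type"] == "registry":
            # Rule 1: Run-key persistence whose target lives in a user Temp directory.
            if RUN_KEY.search(e["target"]) and USER_TEMP.search(e["details"]):
                findings.append({"rule": "run_key_to_user_temp",
                                 "pid": e["pid"], "value": e["details"]})
            continue
        parent = procs.get(e["ppid"])
        if e["image"].lower().endswith("\\cmd.exe"):
            # Rule 2: ping-as-sleep followed by del; scored higher when the deleted
            # file is the parent's own image, which is how this sample cleans up.
            target = deleted_target(e["cmdline"])
            if target is not None:
                own = parent is not None and target.lower() == parent["image"].lower()
                findings.append({"rule": "parent_self_delete_via_ping" if own
                                 else "delayed_delete_via_ping",
                                 "pid": e["pid"], "value": target})
        elif USER_TEMP.search(e["image"]) and parent and USER_TEMP.search(parent["image"]):
            # Rule 3: a Temp-resident executable launched by another Temp-resident one,
            # the relationship between PID 1272 and its drop PID 612 in this report.
            findings.append({"rule": "temp_exe_spawned_by_temp_exe",
                             "pid": e["pid"], "value": e["image"]})
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f"{f['rule']:<30} pid={f['pid']:<5} {f['value']}")
```

Rule 2 resolves the del argument against the parent's image rather than matching on the string "ping 127.0.0.1" alone; the loopback ping by itself is common in scripts, and it is the chained deletion of the caller's own binary that makes this sample's cleanup distinctive. Rule 3 deliberately ignores the first Temp-resident process (PID 1272), whose parent is outside the captured events, so that a user merely running an installer from Temp does not fire it.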
Network
MITRE ATT&CK Enterprise v6
Downloads

MD5: aa22f97a1f9ebf6fadba024614ea2fd4
SHA1: e23ed462e877aaa9ffb841be4ad527ee3d6a8cd8
SHA256: 1d4002f4e1e9ccec0e4768e878896f1b9fc4b9ee2d0285214426b4f370d4e5ba
SHA512: aa9fa8a77ca95584c7d0e418bcb817a8483945342737afb06f30091a22eb8904b86c43abaef1a2a1fef6defc3376b88d57cad0887bce6ca5d90ae5c79a930d1e