Analysis
- max time kernel: 151s
- max time network: 154s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 03:22
Static task: static1
Behavioral task: behavioral1
  Sample: 17c66a2ca49d12bb5b3cb13067997a908551b5a8756b2e745afca45a635367a8.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 17c66a2ca49d12bb5b3cb13067997a908551b5a8756b2e745afca45a635367a8.exe
  Resource: win10v2004-en-20220112
General
- Target: 17c66a2ca49d12bb5b3cb13067997a908551b5a8756b2e745afca45a635367a8.exe
- Size: 176KB
- MD5: d505aea61d332f9099131ca149bd4651
- SHA1: 0f06ac3035d622bd152c17e631603a1058236f5c
- SHA256: 17c66a2ca49d12bb5b3cb13067997a908551b5a8756b2e745afca45a635367a8
- SHA512: 2f1e4ee1bf6e2299104c9badfa173b18fe02241cc445bd74c7bdfdd95cbddff7d25f3290bfbabc277ac9d360aa1e226a62eea20f5b56d89144b83a92bb281d40
Malware Config
Signatures
- Sakula Payload (4 IoCs)
  Processes:
    resource | yara_rule
    \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
    behavioral1/memory/792-58-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
    behavioral1/memory/1820-59-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
- Executes dropped EXE (1 IoC)
  Processes:
    pid | process
    1820 | MediaCenter.exe
- Deletes itself (1 IoC)
  Processes:
    pid | process
    828 | cmd.exe
- Loads dropped DLL (1 IoC)
  Processes:
    pid | process
    792 | 17c66a2ca49d12bb5b3cb13067997a908551b5a8756b2e745afca45a635367a8.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    description | ioc | process
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 17c66a2ca49d12bb5b3cb13067997a908551b5a8756b2e745afca45a635367a8.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description | pid | process
    Token: SeIncBasePriorityPrivilege | 792 | 17c66a2ca49d12bb5b3cb13067997a908551b5a8756b2e745afca45a635367a8.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
    description | pid | process | target process
    PID 792 wrote to memory of 1820 | 792 | 17c66a2ca49d12bb5b3cb13067997a908551b5a8756b2e745afca45a635367a8.exe | MediaCenter.exe
    PID 792 wrote to memory of 1820 | 792 | 17c66a2ca49d12bb5b3cb13067997a908551b5a8756b2e745afca45a635367a8.exe | MediaCenter.exe
    PID 792 wrote to memory of 1820 | 792 | 17c66a2ca49d12bb5b3cb13067997a908551b5a8756b2e745afca45a635367a8.exe | MediaCenter.exe
    PID 792 wrote to memory of 1820 | 792 | 17c66a2ca49d12bb5b3cb13067997a908551b5a8756b2e745afca45a635367a8.exe | MediaCenter.exe
    PID 792 wrote to memory of 828 | 792 | 17c66a2ca49d12bb5b3cb13067997a908551b5a8756b2e745afca45a635367a8.exe | cmd.exe
    PID 792 wrote to memory of 828 | 792 | 17c66a2ca49d12bb5b3cb13067997a908551b5a8756b2e745afca45a635367a8.exe | cmd.exe
    PID 792 wrote to memory of 828 | 792 | 17c66a2ca49d12bb5b3cb13067997a908551b5a8756b2e745afca45a635367a8.exe | cmd.exe
    PID 792 wrote to memory of 828 | 792 | 17c66a2ca49d12bb5b3cb13067997a908551b5a8756b2e745afca45a635367a8.exe | cmd.exe
    PID 828 wrote to memory of 1804 | 828 | cmd.exe | PING.EXE
    PID 828 wrote to memory of 1804 | 828 | cmd.exe | PING.EXE
    PID 828 wrote to memory of 1804 | 828 | cmd.exe | PING.EXE
    PID 828 wrote to memory of 1804 | 828 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\17c66a2ca49d12bb5b3cb13067997a908551b5a8756b2e745afca45a635367a8.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\17c66a2ca49d12bb5b3cb13067997a908551b5a8756b2e745afca45a635367a8.exe"
  PID: 792
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 1820
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\17c66a2ca49d12bb5b3cb13067997a908551b5a8756b2e745afca45a635367a8.exe"
    PID: 828
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 1804
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: fc27938aca3065c9d82fff2bc45c7411
  SHA1: f8fb73a6380474432e3e0b4667a94ef33110aede
  SHA256: e4d76d73705b8a17e7b0fb19f8f84a22822e504ec21a73e9feb242a94d283eb3
  SHA512: 89d8f5908284e52b4ed0389aae6a2fc655568c3858d582c08bd21e6866f9c903e9aaf0d3267d2cb04ab699e0f9455aa8ebd78d52ba3bf8e744e28fcdd34d924a