Analysis
max time kernel: 140s
max time network: 160s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 03:25
Static task: static1
Behavioral task: behavioral1
  Sample: 17a5b98d7358c7c32f6cb1e2e7870da9994672405b9a4c9b513d7c69763d1dc2.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 17a5b98d7358c7c32f6cb1e2e7870da9994672405b9a4c9b513d7c69763d1dc2.exe
  Resource: win10v2004-en-20220113
General
Target: 17a5b98d7358c7c32f6cb1e2e7870da9994672405b9a4c9b513d7c69763d1dc2.exe
Size: 89KB
MD5: aec9a21a54d3ba27628488c1192a1b83
SHA1: e5a22c5f0ae6a9115cbf987a72fd303fd11a751c
SHA256: 17a5b98d7358c7c32f6cb1e2e7870da9994672405b9a4c9b513d7c69763d1dc2
SHA512: e1dde5c9514884bbbc3137d3125b1765cad9ae185758045bc4b045ed253e5e5fb0ec1038b6bdabf0acf2c48e433f2d4a94844711f9fbe0437523db63a8c598e4
Malware Config
Signatures

Sakula Payload (4 IoCs)
  resource / yara_rule:
    \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  family_sakula
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  family_sakula
    behavioral1/memory/1924-59-0x0000000000400000-0x000000000041B000-memory.dmp  family_sakula
    behavioral1/memory/2008-60-0x0000000000400000-0x000000000041B000-memory.dmp  family_sakula

Executes dropped EXE (1 IoC)
  pid / process:
    2008  MediaCenter.exe

Deletes itself (1 IoC)
  pid / process:
    816  cmd.exe

Loads dropped DLL (1 IoC)
  pid / process:
    1924  17a5b98d7358c7c32f6cb1e2e7870da9994672405b9a4c9b513d7c69763d1dc2.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  description / ioc / process:
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  17a5b98d7358c7c32f6cb1e2e7870da9994672405b9a4c9b513d7c69763d1dc2.exe
  (Wow6432Node is the 32-bit view of the machine-wide HKLM Run key; the value points the dropped MediaCenter.exe at logon.)
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox attaches its generic "likely ransomware behaviour" description to this heuristic; Sakula is a remote-access trojan family and this run records no file-encryption or ransom-note activity, so read the label as a heuristic description, not a classification of this sample.
Runs ping.exe (1 TTP, 1 IoC)
  (no per-process details recorded in this section; see PID 836 in the process tree)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description / pid / process:
    Token: SeIncBasePriorityPrivilege  1924  17a5b98d7358c7c32f6cb1e2e7870da9994672405b9a4c9b513d7c69763d1dc2.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  source pid / source process -> target pid / target process (times recorded):
    1924  17a5b98d7358c7c32f6cb1e2e7870da9994672405b9a4c9b513d7c69763d1dc2.exe -> 2008  MediaCenter.exe  (4)
    1924  17a5b98d7358c7c32f6cb1e2e7870da9994672405b9a4c9b513d7c69763d1dc2.exe -> 816   cmd.exe          (4)
    816   cmd.exe -> 836  PING.EXE  (4)
  (The four identical writes per pair are the normal sequence a parent performs when it creates a child process; they are consistent with the process tree below rather than evidence of code injection on their own.)
Processes

C:\Users\Admin\AppData\Local\Temp\17a5b98d7358c7c32f6cb1e2e7870da9994672405b9a4c9b513d7c69763d1dc2.exe  (PID 1924)
  command line: "C:\Users\Admin\AppData\Local\Temp\17a5b98d7358c7c32f6cb1e2e7870da9994672405b9a4c9b513d7c69763d1dc2.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  (PID 2008)
    command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE

  C:\Windows\SysWOW64\cmd.exe  (PID 816)
    command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\17a5b98d7358c7c32f6cb1e2e7870da9994672405b9a4c9b513d7c69763d1dc2.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\PING.EXE  (PID 836)
      command line: ping 127.0.0.1
      - Runs ping.exe

The sample is 32-bit, so its request for C:\Windows\System32\cmd.exe is redirected by WoW64 file-system redirection and the child actually runs from SysWOW64. The `ping 127.0.0.1 & del /q "<own path>"` command is the common self-deletion idiom: ping acts as a short sleep so the original process has exited (and released its file lock) before `del` runs, leaving only the dropped MediaCenter.exe and the Run key behind.
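The two durable artefacts of this run are the Run key written under HKLM\SOFTWARE\Wow6432Node\...\Run and the `cmd.exe /c ping 127.0.0.1 & del /q "<self>"` self-deletion shown in the process tree. The following is an added example, not part of the sandbox report or the Sakula sample, of detection logic a responder could run over Sysmon-style process-creation (Event ID 1) and registry-value-set (Event ID 13) events. The events are constructed by hand from the tree above; the sample's parent image (explorer.exe), the two benign control events, and the `timeout` alternative to `ping` are assumptions added for the example.

```python
import re

# Constructed Sysmon-style events modelled on the process tree and the Run key
# write in the report above. Field names follow Sysmon Event ID 1 (process
# create) and Event ID 13 (registry value set). The ParentImage of the sample
# (explorer.exe) and the two benign control events are assumptions, not data
# from the sandbox run.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\17a5b98d7358c7c32f6cb1e2e7870da9994672405b9a4c9b513d7c69763d1dc2.exe")
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

EVENTS = [
    {"EventID": 1, "ProcessId": 1924, "Image": SAMPLE, "CommandLine": f'"{SAMPLE}"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 13, "ProcessId": 1924, "Image": SAMPLE,
     "TargetObject": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "Details": DROPPED},
    {"EventID": 1, "ProcessId": 2008, "Image": DROPPED, "CommandLine": DROPPED,
     "ParentImage": SAMPLE},
    {"EventID": 1, "ProcessId": 816, "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": '"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "' + SAMPLE + '"',
     "ParentImage": SAMPLE},
    {"EventID": 1, "ProcessId": 836, "Image": r"C:\Windows\SysWOW64\PING.EXE",
     "CommandLine": "ping 127.0.0.1", "ParentImage": r"C:\Windows\SysWOW64\cmd.exe"},
    # Benign controls (constructed): an interactive ping, and an installer
    # registering a tray app from Program Files, which is not user-writable.
    {"EventID": 1, "ProcessId": 4444, "Image": r"C:\Windows\System32\PING.EXE",
     "CommandLine": "ping 10.0.0.1", "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 13, "ProcessId": 4500, "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\VendorTray",
     "Details": r"C:\Program Files\Vendor\tray.exe"},
]

# `del` with optional switches and an optionally quoted path at the end of the line.
DEL_RE = re.compile(r'\bdel\b(?:\s+/\w+)*\s+"?([^"&]+?)"?\s*$', re.IGNORECASE)
# Sleep primitives used so the parent can exit before the delete runs. `ping` is
# what this sample uses; `timeout` is a common equivalent added as a generalisation.
DELAY_RE = re.compile(r"\b(ping|timeout)\b", re.IGNORECASE)
RUN_KEY_RE = re.compile(
    r"\\Software\\(?:Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\([^\\]+)$",
    re.IGNORECASE)
# Directories a non-admin user can write to; a Run value pointing here deserves a look.
USER_WRITABLE = (r"\appdata\local\temp", r"\appdata\roaming", r"\programdata", r"\users\public")


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def self_delete_commands(events):
    """cmd.exe processes that delete a file; flag when the file is their own parent image."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 1 or basename(ev["Image"]) != "cmd.exe":
            continue
        m = DEL_RE.search(ev["CommandLine"])
        if not m:
            continue
        target = m.group(1).strip()
        findings.append({
            "pid": ev["ProcessId"],
            "deleted_path": target,
            "parent_is_target": target.lower() == ev["ParentImage"].lower(),
            "delayed": bool(DELAY_RE.search(ev["CommandLine"])),
        })
    return findings


def suspicious_run_keys(events):
    """Run/RunOnce values whose target executable lives in a user-writable directory."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 13:
            continue
        m = RUN_KEY_RE.search(ev["TargetObject"])
        if not m:
            continue
        target = ev["Details"].strip().strip('"')
        if any(marker in target.lower() for marker in USER_WRITABLE):
            findings.append({"pid": ev["ProcessId"], "key": m.group(1),
                             "value_name": m.group(2), "target": target})
    return findings


def analyze(events):
    return {"self_delete": self_delete_commands(events),
            "run_keys": suspicious_run_keys(events)}


if __name__ == "__main__":
    for kind, hits in analyze(EVENTS).items():
        for hit in hits:
            print(kind, hit)
```

Against the constructed events the self-delete rule fires once (PID 816, deleting its own parent after a ping delay) and the Run key rule fires once (the MicroMedia value pointing into %TEMP%), while the interactive ping and the Program Files tray app are left alone. In production the parent-image comparison is what keeps the `del` rule quiet: plenty of scripts delete files through cmd.exe, but very few delete the executable that spawned them.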
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: 286395bc86be0a2ac63c65eddbb0121d
SHA1: 841cd1d060ce046825b367903255cfecfef3c2e4
SHA256: bb48ff11683c135d6e5ad23e6462552302b6b6c5a118c222cae99a42f06273a6
SHA512: c8e6824029088d54d34f3be76d06f08ac6f34f37672f0ce3daba04408f91909d10efdc102aede86d1fe4b488831d6284b14441d8f4f3d4969da95fb27949fcad