Analysis
-
max time kernel
139s -
max time network
151s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
12-02-2022 03:25
Static task
static1
Behavioral task
behavioral1
Sample
17a66f69c167316487ac18d556d9e6672202133152167073b69148724f833631.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
17a66f69c167316487ac18d556d9e6672202133152167073b69148724f833631.exe
Resource
win10v2004-en-20220112
General
-
Target
17a66f69c167316487ac18d556d9e6672202133152167073b69148724f833631.exe
-
Size
100KB
-
MD5
e9b8bd3ee3c1582828c9b01231b87f55
-
SHA1
dc1e8c0b5df76163eee6e07af447397a7daf7829
-
SHA256
17a66f69c167316487ac18d556d9e6672202133152167073b69148724f833631
-
SHA512
2ef4da80a1a4de8eb9068d152ca529904934dd793ae626e6f9bcdae4b29481d2a14a6c3a106ed5b811a1d6d8e103d5f0c894ca9e5ad06a78f7bddd0602ea6c18
Malware Config
Signatures
-
Sakula Payload 3 IoCs
Processes:
resource yara_rule \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula -
Executes dropped EXE 1 IoCs
Processes:
MediaCenter.exepid process 1156 MediaCenter.exe -
Deletes itself 1 IoCs
Processes:
cmd.exepid process 1100 cmd.exe -
Loads dropped DLL 2 IoCs
Processes:
17a66f69c167316487ac18d556d9e6672202133152167073b69148724f833631.exepid process 1532 17a66f69c167316487ac18d556d9e6672202133152167073b69148724f833631.exe 1532 17a66f69c167316487ac18d556d9e6672202133152167073b69148724f833631.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
17a66f69c167316487ac18d556d9e6672202133152167073b69148724f833631.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" 17a66f69c167316487ac18d556d9e6672202133152167073b69148724f833631.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
17a66f69c167316487ac18d556d9e6672202133152167073b69148724f833631.exedescription pid process Token: SeIncBasePriorityPrivilege 1532 17a66f69c167316487ac18d556d9e6672202133152167073b69148724f833631.exe -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
17a66f69c167316487ac18d556d9e6672202133152167073b69148724f833631.execmd.exedescription pid process target process PID 1532 wrote to memory of 1156 1532 17a66f69c167316487ac18d556d9e6672202133152167073b69148724f833631.exe MediaCenter.exe PID 1532 wrote to memory of 1156 1532 17a66f69c167316487ac18d556d9e6672202133152167073b69148724f833631.exe MediaCenter.exe PID 1532 wrote to memory of 1156 1532 17a66f69c167316487ac18d556d9e6672202133152167073b69148724f833631.exe MediaCenter.exe PID 1532 wrote to memory of 1156 1532 17a66f69c167316487ac18d556d9e6672202133152167073b69148724f833631.exe MediaCenter.exe PID 1532 wrote to memory of 1100 1532 17a66f69c167316487ac18d556d9e6672202133152167073b69148724f833631.exe cmd.exe PID 1532 wrote to memory of 1100 1532 17a66f69c167316487ac18d556d9e6672202133152167073b69148724f833631.exe cmd.exe PID 1532 wrote to memory of 1100 1532 17a66f69c167316487ac18d556d9e6672202133152167073b69148724f833631.exe cmd.exe PID 1532 wrote to memory of 1100 1532 17a66f69c167316487ac18d556d9e6672202133152167073b69148724f833631.exe cmd.exe PID 1100 wrote to memory of 1808 1100 cmd.exe PING.EXE PID 1100 wrote to memory of 1808 1100 cmd.exe PING.EXE PID 1100 wrote to memory of 1808 1100 cmd.exe PING.EXE PID 1100 wrote to memory of 1808 1100 cmd.exe PING.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\17a66f69c167316487ac18d556d9e6672202133152167073b69148724f833631.exe"C:\Users\Admin\AppData\Local\Temp\17a66f69c167316487ac18d556d9e6672202133152167073b69148724f833631.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1532 -
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeC:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe2⤵
- Executes dropped EXE
PID:1156 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\17a66f69c167316487ac18d556d9e6672202133152167073b69148724f833631.exe"2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1100 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.13⤵
- Runs ping.exe
PID:1808
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
b928bd83c73eb23e1ce3b39605cad1eb
SHA18dcae9bdf241ef3c8401c084f8555e54558c5f7d
SHA25609ce40343afdbfd637ec03dae437a23bc72da484a73b82a13264887b38523cde
SHA512ad09fdfb7050ff4bbb716a938b16dfcbc492c569364ab7e85398f09a9c6c125f56953bc828b89f3540792c07543b6056d40bda6e604a306371a26546c8885c4b
-
MD5
b928bd83c73eb23e1ce3b39605cad1eb
SHA18dcae9bdf241ef3c8401c084f8555e54558c5f7d
SHA25609ce40343afdbfd637ec03dae437a23bc72da484a73b82a13264887b38523cde
SHA512ad09fdfb7050ff4bbb716a938b16dfcbc492c569364ab7e85398f09a9c6c125f56953bc828b89f3540792c07543b6056d40bda6e604a306371a26546c8885c4b
-
MD5
b928bd83c73eb23e1ce3b39605cad1eb
SHA18dcae9bdf241ef3c8401c084f8555e54558c5f7d
SHA25609ce40343afdbfd637ec03dae437a23bc72da484a73b82a13264887b38523cde
SHA512ad09fdfb7050ff4bbb716a938b16dfcbc492c569364ab7e85398f09a9c6c125f56953bc828b89f3540792c07543b6056d40bda6e604a306371a26546c8885c4b