Analysis
- max time kernel: 152s
- max time network: 163s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 03:44
Static task: static1
Behavioral task: behavioral1
- Sample: 16dfc02c02129c013dbc3371ad91d786b40b9ecf3f958aea44901db98e341a7c.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 16dfc02c02129c013dbc3371ad91d786b40b9ecf3f958aea44901db98e341a7c.exe
- Resource: win10v2004-en-20220113
General
- Target: 16dfc02c02129c013dbc3371ad91d786b40b9ecf3f958aea44901db98e341a7c.exe
- Size: 89KB
- MD5: d9c432d8884833ecb498caaf10aaa5f0
- SHA1: e8a06666439ae04cc219d98a879b473d226ff535
- SHA256: 16dfc02c02129c013dbc3371ad91d786b40b9ecf3f958aea44901db98e341a7c
- SHA512: 4a90221114e9c8bd64b52c3ca1b6a709747083aa8f868d2b0eaa27221bbd2cb027eb76d4f9abf658c93dabf5564cf7c28b2305f4f7a466319c1b14bcf6b3496f
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  Processes (resource / yara_rule):
  - \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe / family_sakula
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe / family_sakula
- Executes dropped EXE (1 IoC)
  Processes (pid / process):
  - 1072 / MediaCenter.exe
- Deletes itself (1 IoC)
  Processes (pid / process):
  - 1980 / cmd.exe
- Loads dropped DLL (1 IoC)
  Processes (pid / process):
  - 964 / 16dfc02c02129c013dbc3371ad91d786b40b9ecf3f958aea44901db98e341a7c.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description / ioc / process):
  - Set value (str) / \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" / 16dfc02c02129c013dbc3371ad91d786b40b9ecf3f958aea44901db98e341a7c.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description / pid / process):
  - Token: SeIncBasePriorityPrivilege / 964 / 16dfc02c02129c013dbc3371ad91d786b40b9ecf3f958aea44901db98e341a7c.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description / pid / process / target process):
  - PID 964 wrote to memory of 1072 / 964 / 16dfc02c02129c013dbc3371ad91d786b40b9ecf3f958aea44901db98e341a7c.exe / MediaCenter.exe
  - PID 964 wrote to memory of 1072 / 964 / 16dfc02c02129c013dbc3371ad91d786b40b9ecf3f958aea44901db98e341a7c.exe / MediaCenter.exe
  - PID 964 wrote to memory of 1072 / 964 / 16dfc02c02129c013dbc3371ad91d786b40b9ecf3f958aea44901db98e341a7c.exe / MediaCenter.exe
  - PID 964 wrote to memory of 1072 / 964 / 16dfc02c02129c013dbc3371ad91d786b40b9ecf3f958aea44901db98e341a7c.exe / MediaCenter.exe
  - PID 964 wrote to memory of 1980 / 964 / 16dfc02c02129c013dbc3371ad91d786b40b9ecf3f958aea44901db98e341a7c.exe / cmd.exe
  - PID 964 wrote to memory of 1980 / 964 / 16dfc02c02129c013dbc3371ad91d786b40b9ecf3f958aea44901db98e341a7c.exe / cmd.exe
  - PID 964 wrote to memory of 1980 / 964 / 16dfc02c02129c013dbc3371ad91d786b40b9ecf3f958aea44901db98e341a7c.exe / cmd.exe
  - PID 964 wrote to memory of 1980 / 964 / 16dfc02c02129c013dbc3371ad91d786b40b9ecf3f958aea44901db98e341a7c.exe / cmd.exe
  - PID 1980 wrote to memory of 1964 / 1980 / cmd.exe / PING.EXE
  - PID 1980 wrote to memory of 1964 / 1980 / cmd.exe / PING.EXE
  - PID 1980 wrote to memory of 1964 / 1980 / cmd.exe / PING.EXE
  - PID 1980 wrote to memory of 1964 / 1980 / cmd.exe / PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\16dfc02c02129c013dbc3371ad91d786b40b9ecf3f958aea44901db98e341a7c.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\16dfc02c02129c013dbc3371ad91d786b40b9ecf3f958aea44901db98e341a7c.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 964
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1072
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\16dfc02c02129c013dbc3371ad91d786b40b9ecf3f958aea44901db98e341a7c.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1980
    - C:\Windows\SysWOW64\PING.EXE (depth 3)
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1964
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: f82101ff6072a3a52a077b0df29172b8
- SHA1: 76b17597dd4a9a28c975d736355b62d4a12a9b39
- SHA256: 369f1722fde2b8bc22a6e4c88b06ea2e23f804235dcc646e0f481a286093e1d4
- SHA512: f04f06b2be88e721fe90b2c1705aa81478c3f6e75e29256ef1de294632e3c2a238ad1678d0ea0735bc287811c4b3896661ba194953711bf9c90dc75f9e627069