Analysis
- max time kernel: 158s
- max time network: 169s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 03:46
Static task: static1
Behavioral task: behavioral1
- Sample: 16d0e38c6fdeb87057a71e56b5c602cd2b02218eeeea1c0d302dfff19aeaaa12.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 16d0e38c6fdeb87057a71e56b5c602cd2b02218eeeea1c0d302dfff19aeaaa12.exe
- Resource: win10v2004-en-20220112
General
- Target: 16d0e38c6fdeb87057a71e56b5c602cd2b02218eeeea1c0d302dfff19aeaaa12.exe
- Size: 99KB
- MD5: f6f903bee6576a1235efee8ebaf7e611
- SHA1: b1f195aa0563dfedf60dc7371ab9e6c18e249fa3
- SHA256: 16d0e38c6fdeb87057a71e56b5c602cd2b02218eeeea1c0d302dfff19aeaaa12
- SHA512: c58b262384da052c4ec258585aea31f56550ce433ff45e02ab69b43124c826495268b63c085ae6e0a6fd680df963f4d08ed5fb8dc21cbabdc988006cfed25848
Malware Config
Signatures
- Sakula Payload (3 IoCs)
  Processes (resource, yara_rule):
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  family_sakula
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  family_sakula
- Executes dropped EXE (1 IoCs)
  Processes (pid, process):
  1892  MediaCenter.exe
- Deletes itself (1 IoCs)
  Processes (pid, process):
  1836  cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid, process):
  1712  16d0e38c6fdeb87057a71e56b5c602cd2b02218eeeea1c0d302dfff19aeaaa12.exe
  1712  16d0e38c6fdeb87057a71e56b5c602cd2b02218eeeea1c0d302dfff19aeaaa12.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes (description, ioc, process):
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  16d0e38c6fdeb87057a71e56b5c602cd2b02218eeeea1c0d302dfff19aeaaa12.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes (description, pid, process):
  Token: SeIncBasePriorityPrivilege  1712  16d0e38c6fdeb87057a71e56b5c602cd2b02218eeeea1c0d302dfff19aeaaa12.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description, pid, process, target process):
  PID 1712 wrote to memory of 1892  1712  16d0e38c6fdeb87057a71e56b5c602cd2b02218eeeea1c0d302dfff19aeaaa12.exe  MediaCenter.exe
  PID 1712 wrote to memory of 1892  1712  16d0e38c6fdeb87057a71e56b5c602cd2b02218eeeea1c0d302dfff19aeaaa12.exe  MediaCenter.exe
  PID 1712 wrote to memory of 1892  1712  16d0e38c6fdeb87057a71e56b5c602cd2b02218eeeea1c0d302dfff19aeaaa12.exe  MediaCenter.exe
  PID 1712 wrote to memory of 1892  1712  16d0e38c6fdeb87057a71e56b5c602cd2b02218eeeea1c0d302dfff19aeaaa12.exe  MediaCenter.exe
  PID 1712 wrote to memory of 1836  1712  16d0e38c6fdeb87057a71e56b5c602cd2b02218eeeea1c0d302dfff19aeaaa12.exe  cmd.exe
  PID 1712 wrote to memory of 1836  1712  16d0e38c6fdeb87057a71e56b5c602cd2b02218eeeea1c0d302dfff19aeaaa12.exe  cmd.exe
  PID 1712 wrote to memory of 1836  1712  16d0e38c6fdeb87057a71e56b5c602cd2b02218eeeea1c0d302dfff19aeaaa12.exe  cmd.exe
  PID 1712 wrote to memory of 1836  1712  16d0e38c6fdeb87057a71e56b5c602cd2b02218eeeea1c0d302dfff19aeaaa12.exe  cmd.exe
  PID 1836 wrote to memory of 1820  1836  cmd.exe  PING.EXE
  PID 1836 wrote to memory of 1820  1836  cmd.exe  PING.EXE
  PID 1836 wrote to memory of 1820  1836  cmd.exe  PING.EXE
  PID 1836 wrote to memory of 1820  1836  cmd.exe  PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\16d0e38c6fdeb87057a71e56b5c602cd2b02218eeeea1c0d302dfff19aeaaa12.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\16d0e38c6fdeb87057a71e56b5c602cd2b02218eeeea1c0d302dfff19aeaaa12.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1712
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1892
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\16d0e38c6fdeb87057a71e56b5c602cd2b02218eeeea1c0d302dfff19aeaaa12.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1836
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1820
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: a6c98a8f8b37a0e570d28d81121cbce7
  SHA1: 7bec5a5b109f839bb22e157693fa44bf74c04e63
  SHA256: 5732a96acd1ae2b3c2bc150ebfd74e8a20e6986b04c2448d34e2651e348ae1e8
  SHA512: 47f8289f62064236a90f9f5a5ae0c9dfb8540c2f2442103ccc513fe1fcedef9e30dab202162b75a05c7e7c4ca1f2e3384854ff79006c2a1dfbd1bb579d4fd0ab