Analysis
max time kernel: 148s
max time network: 159s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 03:48

Static task: static1
Behavioral task: behavioral1
  Sample: 16c12e4498112e163766a81dd77db105461a866bad3c35cc8b120aedc6bdfb3e.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 16c12e4498112e163766a81dd77db105461a866bad3c35cc8b120aedc6bdfb3e.exe
  Resource: win10v2004-en-20220112
General
Target: 16c12e4498112e163766a81dd77db105461a866bad3c35cc8b120aedc6bdfb3e.exe
Size: 150KB
MD5: 174b5a3d3fc62bc9c51aa9676ec22bf8
SHA1: ccf17924d38e78374028d7a4584e00cf8da213ba
SHA256: 16c12e4498112e163766a81dd77db105461a866bad3c35cc8b120aedc6bdfb3e
SHA512: c78022dac820f7c809c3e3e346281682654b148bec327a58e0cdaa463322ecc1d79b75504676891097563f36e6dabe427575325365c67f45669a88308180496d
Malware Config
Signatures
Sakula Payload (2 IoCs)
  resource                                                       yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe     family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe   family_sakula
Executes dropped EXE (1 IoCs)
  process: MediaCenter.exe, pid 592
Deletes itself (1 IoCs)
  process: cmd.exe, pid 1100
Loads dropped DLL (1 IoCs)
  process: 16c12e4498112e163766a81dd77db105461a866bad3c35cc8b120aedc6bdfb3e.exe, pid 1156
Adds Run key to start application (2 TTPs, 1 IoCs)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  process: 16c12e4498112e163766a81dd77db105461a866bad3c35cc8b120aedc6bdfb3e.exe
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Runs ping.exe (1 TTPs, 1 IoCs)
Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description: Token: SeIncBasePriorityPrivilege
  pid: 1156
  process: 16c12e4498112e163766a81dd77db105461a866bad3c35cc8b120aedc6bdfb3e.exe
Suspicious use of WriteProcessMemory (12 IoCs)
  description                          pid    process                                                                  target process
  PID 1156 wrote to memory of 592      1156   16c12e4498112e163766a81dd77db105461a866bad3c35cc8b120aedc6bdfb3e.exe   MediaCenter.exe
  PID 1156 wrote to memory of 592      1156   16c12e4498112e163766a81dd77db105461a866bad3c35cc8b120aedc6bdfb3e.exe   MediaCenter.exe
  PID 1156 wrote to memory of 592      1156   16c12e4498112e163766a81dd77db105461a866bad3c35cc8b120aedc6bdfb3e.exe   MediaCenter.exe
  PID 1156 wrote to memory of 592      1156   16c12e4498112e163766a81dd77db105461a866bad3c35cc8b120aedc6bdfb3e.exe   MediaCenter.exe
  PID 1156 wrote to memory of 1100     1156   16c12e4498112e163766a81dd77db105461a866bad3c35cc8b120aedc6bdfb3e.exe   cmd.exe
  PID 1156 wrote to memory of 1100     1156   16c12e4498112e163766a81dd77db105461a866bad3c35cc8b120aedc6bdfb3e.exe   cmd.exe
  PID 1156 wrote to memory of 1100     1156   16c12e4498112e163766a81dd77db105461a866bad3c35cc8b120aedc6bdfb3e.exe   cmd.exe
  PID 1156 wrote to memory of 1100     1156   16c12e4498112e163766a81dd77db105461a866bad3c35cc8b120aedc6bdfb3e.exe   cmd.exe
  PID 1100 wrote to memory of 1808     1100   cmd.exe                                                                  PING.EXE
  PID 1100 wrote to memory of 1808     1100   cmd.exe                                                                  PING.EXE
  PID 1100 wrote to memory of 1808     1100   cmd.exe                                                                  PING.EXE
  PID 1100 wrote to memory of 1808     1100   cmd.exe                                                                  PING.EXE
Processes
C:\Users\Admin\AppData\Local\Temp\16c12e4498112e163766a81dd77db105461a866bad3c35cc8b120aedc6bdfb3e.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\16c12e4498112e163766a81dd77db105461a866bad3c35cc8b120aedc6bdfb3e.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1156
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 592
  C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\16c12e4498112e163766a81dd77db105461a866bad3c35cc8b120aedc6bdfb3e.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1100
    C:\Windows\SysWOW64\PING.EXE
      command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1808
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: a295c7ec1e8916eae538c16cf08982fb
SHA1: 24fbe0f4bafd04b6326df79b370e0eba7f461aff
SHA256: 8e76432af7e43f14d8b76dbbbec391f07f4dcccc8d6c1cd427ca3e3915ab3bf1
SHA512: 9b48dcb481ee709708e55139f574d65d7a107c8dbcb397d8d23f95b9954cb636aba4b72177a7f69f93d940c7e181555584dcca3c84a77b94b219bd4316429942