Analysis
- max time kernel: 153s
- max time network: 170s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 03:47

- Static task: static1
- Behavioral task: behavioral1
  Sample: 16cc42f56fc2e4ba48149a0dc4f860908dfe1900f08f93c44f32edbe672a76b2.exe
  Resource: win7-en-20211208
- Behavioral task: behavioral2
  Sample: 16cc42f56fc2e4ba48149a0dc4f860908dfe1900f08f93c44f32edbe672a76b2.exe
  Resource: win10v2004-en-20220113
General
- Target: 16cc42f56fc2e4ba48149a0dc4f860908dfe1900f08f93c44f32edbe672a76b2.exe
- Size: 99KB
- MD5: 08d9a58e140945f5935352e22f38a569
- SHA1: 8b3c5689020de19a1073306675487d43f9216d04
- SHA256: 16cc42f56fc2e4ba48149a0dc4f860908dfe1900f08f93c44f32edbe672a76b2
- SHA512: ce8aaad06aa11069f51fd899ec83e8ff3699ad3f9a6c478c408b593d063e06e6e848b3f99795cd1d68aa1ced66ac70b2d0c35565b6878b3ae310773d4a5daa23
Malware Config
Signatures
- Sakula Payload (3 IoCs)
  resource: \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe    yara_rule: family_sakula
  resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  yara_rule: family_sakula
  resource: \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe    yara_rule: family_sakula
- Executes dropped EXE (1 IoC)
  pid 1632  MediaCenter.exe
- Deletes itself (1 IoC)
  pid 1100  cmd.exe
- Loads dropped DLL (2 IoCs)
  pid 1628  16cc42f56fc2e4ba48149a0dc4f860908dfe1900f08f93c44f32edbe672a76b2.exe  (two loads recorded)
- Adds Run key to start application (2 TTPs, 1 IoC)
  process: 16cc42f56fc2e4ba48149a0dc4f860908dfe1900f08f93c44f32edbe672a76b2.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox attaches its canned note "likely ransomware behaviour" to this signature; nothing else in this report (no file encryption, no ransom note) supports that reading, and the payload is classified above as Sakula, a remote access trojan, so the drive enumeration should not be taken as ransomware on its own.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  pid 1628  16cc42f56fc2e4ba48149a0dc4f860908dfe1900f08f93c44f32edbe672a76b2.exe  Token: SeIncBasePriorityPrivilege
- Suspicious use of WriteProcessMemory (12 IoCs)
  PID 1628 (16cc42f56fc2e4ba48149a0dc4f860908dfe1900f08f93c44f32edbe672a76b2.exe) wrote to memory of PID 1632 (MediaCenter.exe), 4 times
  PID 1628 (16cc42f56fc2e4ba48149a0dc4f860908dfe1900f08f93c44f32edbe672a76b2.exe) wrote to memory of PID 1100 (cmd.exe), 4 times
  PID 1100 (cmd.exe) wrote to memory of PID 1748 (PING.EXE), 4 times
  Every entry here is a parent writing into a child it has just created. The Win32 process-creation path does this itself while setting up the new process, so a handful of writes per spawned child is the baseline for CreateProcess and is not, by itself, evidence of code injection; the dropped-payload write (1628 into 1632) is interesting because of what was launched, not because memory was written.
Processes
- C:\Users\Admin\AppData\Local\Temp\16cc42f56fc2e4ba48149a0dc4f860908dfe1900f08f93c44f32edbe672a76b2.exe  (PID 1628)
  Command line: "C:\Users\Admin\AppData\Local\Temp\16cc42f56fc2e4ba48149a0dc4f860908dfe1900f08f93c44f32edbe672a76b2.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  (PID 1632)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe  (PID 1100)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\16cc42f56fc2e4ba48149a0dc4f860908dfe1900f08f93c44f32edbe672a76b2.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE  (PID 1748)
      Command line: ping 127.0.0.1
      - Runs ping.exe

Two details in the tree are worth reading correctly. The cleanup shell is the common wait-then-delete idiom: ping 127.0.0.1 does nothing except burn a few seconds, long enough for PID 1628 to exit so that del /q can remove the no-longer-locked dropper. And the command line names System32\cmd.exe while the image that actually ran is SysWOW64\cmd.exe: the dropper is a 32-bit process, so WOW64 file-system redirection applies, which is also why its Run key landed under Wow6432Node.
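The behaviours in this report are generic enough to hunt for beyond this one sample: a Run key pointing into %TEMP%, a Temp-resident dropper launching a Temp-resident payload, and a cmd.exe that pings loopback and then deletes its own parent. The following is an added example, not part of the sandbox report, that applies those rules to constructed Sysmon-style process-create (Event ID 1) and registry-set (Event ID 13) records modelled on the tree above. The field names, the explorer.exe parent and the event records are assumptions; only the two SHA256 values are copied from this report.

```python
"""Triage of the behaviours listed in this report over constructed events.

Added example, not sandbox output. The records in SAMPLE_EVENTS are
constructed to mirror the report's process tree and registry write; field
names follow Sysmon Event ID 1 (process create) and 13 (registry value set).
"""
import re

# Copied from the report: the submitted sample and the artifact listed under
# Downloads. Everything else below is behaviour-based, not a fixed indicator.
REPORT_SHA256 = {
    "16cc42f56fc2e4ba48149a0dc4f860908dfe1900f08f93c44f32edbe672a76b2": "Sakula dropper (submitted sample)",
    "751da32b9080d25f8299797c2e09d76621c97aa471bd95ac0cc79f60db99b958": "artifact listed under Downloads",
}

TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
# Matches both the native \REGISTRY\MACHINE\... form used in the report and
# Sysmon's HKLM\... form, 32-bit Wow6432Node hive included.
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)
# cmd /c ping 127.0.0.1 [...] & del [...] <path>: the loopback ping is a sleep,
# the del removes a file once the process that owned it has exited.
PING_THEN_DEL = re.compile(
    r'cmd(?:\.exe)?"?\s+/c\s+ping\b[^&]*?(?:127\.0\.0\.1|localhost)[^&]*&+\s*del\b',
    re.IGNORECASE,
)
# Captures the path handed to del, with or without quotes, after any /q /f flags.
DEL_TARGET = re.compile(r'\bdel\b(?:\s+/\w+)*\s+"?([^"&]+?)"?\s*$', re.IGNORECASE)


def parse_hashes(field):
    """Sysmon 'SHA256=ab..,MD5=cd..' -> {'SHA256': 'ab..', 'MD5': 'cd..'} (lower-cased)."""
    out = {}
    for part in filter(None, field.split(",")):
        algo, _, value = part.partition("=")
        out[algo.strip().upper()] = value.strip().lower()
    return out


def check_process(ev):
    """Rules for a process-create record; returns a list of human-readable findings."""
    hits = []
    cmdline = ev.get("CommandLine", "")
    image, parent = ev.get("Image", ""), ev.get("ParentImage", "")

    sha256 = parse_hashes(ev.get("Hashes", "")).get("SHA256")
    if sha256 in REPORT_SHA256:
        hits.append(f"sha256 matches report IoC: {REPORT_SHA256[sha256]}")

    if TEMP_DIR.search(image) and TEMP_DIR.search(parent):
        hits.append("binary under Temp spawned by another binary under Temp")

    if PING_THEN_DEL.search(cmdline):
        m = DEL_TARGET.search(cmdline)
        target = m.group(1).strip() if m else ""
        if target.lower() == parent.lower():
            hits.append("self-deletion: cmd deletes its parent after loopback ping")
        else:
            hits.append("ping-then-del cleanup of another file")
    return hits


def check_registry(ev):
    """Rule for a registry-set record: Run key whose value lives under Temp."""
    if RUN_KEY.search(ev.get("TargetObject", "")) and TEMP_DIR.search(ev.get("Details", "")):
        return ["Run key persistence pointing at a binary under Temp"]
    return []


def triage(events):
    """Return {event index: [findings]} for every event that trips at least one rule."""
    findings = {}
    for i, ev in enumerate(events):
        if ev.get("EventID") == 1:
            hits = check_process(ev)
        elif ev.get("EventID") == 13:
            hits = check_registry(ev)
        else:
            hits = []
        if hits:
            findings[i] = hits
    return findings


DROPPER = r"C:\Users\Admin\AppData\Local\Temp\16cc42f56fc2e4ba48149a0dc4f860908dfe1900f08f93c44f32edbe672a76b2.exe"
PAYLOAD = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

# Constructed records mirroring the report's tree (explorer.exe as the initial
# parent is an assumption; the report does not name it). The last record is a
# benign control: a loopback ping with no deletion must not fire.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": DROPPER, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": f'"{DROPPER}"',
     "Hashes": "SHA256=16cc42f56fc2e4ba48149a0dc4f860908dfe1900f08f93c44f32edbe672a76b2"},
    {"EventID": 1, "Image": PAYLOAD, "ParentImage": DROPPER, "CommandLine": PAYLOAD},
    {"EventID": 13, "Image": DROPPER,
     "TargetObject": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "Details": PAYLOAD},
    {"EventID": 1, "Image": r"C:\Windows\SysWOW64\cmd.exe", "ParentImage": DROPPER,
     "CommandLine": f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{DROPPER}"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "cmd.exe /c ping 127.0.0.1 -n 2 > nul"},
]

if __name__ == "__main__":
    for idx, hits in triage(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx]["Image"], hits)
```

The self-deletion rule deliberately compares the del target against ParentImage rather than firing on any ping-and-del pair, so routine scripts that clean up a temp file are reported as "cleanup of another file" and can be triaged at lower priority.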
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 9c84609855db195cc576a914ed859af9
  SHA1: 2dc01320beff954c97696883011c0e888983c7f7
  SHA256: 751da32b9080d25f8299797c2e09d76621c97aa471bd95ac0cc79f60db99b958
  SHA512: 42651d033815ca2c4811c65e80146807d2fccb89741112d7940a653e30d739e81df9e230aca05133e1297316f95faabbb47e4524b88775abd0323612ce6a34d8