Analysis
- max time kernel: 140s
- max time network: 151s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 03:47
Static task: static1
Behavioral task: behavioral1
  Sample: 16c7591c5621e529a0e1d8e31dc1f27c951e61fb49191b28dd425bcb3e30f06d.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 16c7591c5621e529a0e1d8e31dc1f27c951e61fb49191b28dd425bcb3e30f06d.exe
  Resource: win10v2004-en-20220113
General
- Target: 16c7591c5621e529a0e1d8e31dc1f27c951e61fb49191b28dd425bcb3e30f06d.exe
- Size: 216KB
- MD5: eb732811d143faef9e0a90bf2992305a
- SHA1: 7f9432fd2832bf0df49017b01200c10e0727257b
- SHA256: 16c7591c5621e529a0e1d8e31dc1f27c951e61fb49191b28dd425bcb3e30f06d
- SHA512: 2d566425be4f57000f430cba80a414f6915ee6b5fd7a450e2c00aa6e38ed37b326a9cfe7c977629f2ef7c4e7ee825c3473425b9ccb26e113e00b05a7cc519feb
Malware Config
Signatures
- Sakula Payload 4 IoCs
  Processes:
  resource | yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  behavioral1/memory/1740-58-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
  behavioral1/memory/1608-59-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
- Executes dropped EXE 1 IoCs
  Processes: MediaCenter.exe
  pid | process
  1608 | MediaCenter.exe
- Deletes itself 1 IoCs
  Processes: cmd.exe
  pid | process
  812 | cmd.exe
- Loads dropped DLL 1 IoCs
  Processes: 16c7591c5621e529a0e1d8e31dc1f27c951e61fb49191b28dd425bcb3e30f06d.exe
  pid | process
  1740 | 16c7591c5621e529a0e1d8e31dc1f27c951e61fb49191b28dd425bcb3e30f06d.exe
- Adds Run key to start application 2 TTPs 1 IoCs
  Processes: 16c7591c5621e529a0e1d8e31dc1f27c951e61fb49191b28dd425bcb3e30f06d.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 16c7591c5621e529a0e1d8e31dc1f27c951e61fb49191b28dd425bcb3e30f06d.exe
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe 1 TTPs 1 IoCs
- Suspicious use of AdjustPrivilegeToken 1 IoCs
  Processes: 16c7591c5621e529a0e1d8e31dc1f27c951e61fb49191b28dd425bcb3e30f06d.exe
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 1740 | 16c7591c5621e529a0e1d8e31dc1f27c951e61fb49191b28dd425bcb3e30f06d.exe
- Suspicious use of WriteProcessMemory 12 IoCs
  Processes: 16c7591c5621e529a0e1d8e31dc1f27c951e61fb49191b28dd425bcb3e30f06d.exe, cmd.exe
  description | pid | process | target process
  PID 1740 wrote to memory of 1608 | 1740 | 16c7591c5621e529a0e1d8e31dc1f27c951e61fb49191b28dd425bcb3e30f06d.exe | MediaCenter.exe
  PID 1740 wrote to memory of 1608 | 1740 | 16c7591c5621e529a0e1d8e31dc1f27c951e61fb49191b28dd425bcb3e30f06d.exe | MediaCenter.exe
  PID 1740 wrote to memory of 1608 | 1740 | 16c7591c5621e529a0e1d8e31dc1f27c951e61fb49191b28dd425bcb3e30f06d.exe | MediaCenter.exe
  PID 1740 wrote to memory of 1608 | 1740 | 16c7591c5621e529a0e1d8e31dc1f27c951e61fb49191b28dd425bcb3e30f06d.exe | MediaCenter.exe
  PID 1740 wrote to memory of 812 | 1740 | 16c7591c5621e529a0e1d8e31dc1f27c951e61fb49191b28dd425bcb3e30f06d.exe | cmd.exe
  PID 1740 wrote to memory of 812 | 1740 | 16c7591c5621e529a0e1d8e31dc1f27c951e61fb49191b28dd425bcb3e30f06d.exe | cmd.exe
  PID 1740 wrote to memory of 812 | 1740 | 16c7591c5621e529a0e1d8e31dc1f27c951e61fb49191b28dd425bcb3e30f06d.exe | cmd.exe
  PID 1740 wrote to memory of 812 | 1740 | 16c7591c5621e529a0e1d8e31dc1f27c951e61fb49191b28dd425bcb3e30f06d.exe | cmd.exe
  PID 812 wrote to memory of 1964 | 812 | cmd.exe | PING.EXE
  PID 812 wrote to memory of 1964 | 812 | cmd.exe | PING.EXE
  PID 812 wrote to memory of 1964 | 812 | cmd.exe | PING.EXE
  PID 812 wrote to memory of 1964 | 812 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\16c7591c5621e529a0e1d8e31dc1f27c951e61fb49191b28dd425bcb3e30f06d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\16c7591c5621e529a0e1d8e31dc1f27c951e61fb49191b28dd425bcb3e30f06d.exe"
  PID: 1740
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 1608
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\16c7591c5621e529a0e1d8e31dc1f27c951e61fb49191b28dd425bcb3e30f06d.exe"
    PID: 812
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 1964
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 4c6f73557094f9b833e4da62ec6ddb58
  SHA1: deb2f121e4fa61c2091d3fac66a4cd53695e55df
  SHA256: 35766470e12b50a342023b13d52bdabfbf2bbcfdc9697404fc9e1e74fd65c9c1
  SHA512: 956e807a3f2cda424952b3722145f5d207b53616314023caeb3cb1cb9a577dc61385b23181c390fa6b90c61021d4d3f14a6ed9718098b742236111fbe98a8f1c