Analysis
-
max time kernel
134s -
max time network
162s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
12-02-2022 03:48
Static task
static1
Behavioral task
behavioral1
Sample
16c5e924953d24a0a349d8e12e4d52decea80b969f80c9dc2f15bab3ba1760a7.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
16c5e924953d24a0a349d8e12e4d52decea80b969f80c9dc2f15bab3ba1760a7.exe
Resource
win10v2004-en-20220113
General
-
Target
16c5e924953d24a0a349d8e12e4d52decea80b969f80c9dc2f15bab3ba1760a7.exe
-
Size
101KB
-
MD5
2d6315bcca9a7d1f63f8842831dd94a5
-
SHA1
13aa008fdd36edbc2482aa98e5674587802c42c8
-
SHA256
16c5e924953d24a0a349d8e12e4d52decea80b969f80c9dc2f15bab3ba1760a7
-
SHA512
05043ba651b3b1a2412d44e2ff2ab29e96fc5dd6bf734f8bf2f12025411a89d60a6873efd9590142dceddfe40dc3e37e5aba3a621dae4412ff267dad5fe08f07
Malware Config
Signatures
-
Sakula Payload 3 IoCs
Processes:
resource yara_rule \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula -
Executes dropped EXE 1 IoCs
Processes:
MediaCenter.exepid process 1672 MediaCenter.exe -
Deletes itself 1 IoCs
Processes:
cmd.exepid process 1300 cmd.exe -
Loads dropped DLL 2 IoCs
Processes:
16c5e924953d24a0a349d8e12e4d52decea80b969f80c9dc2f15bab3ba1760a7.exepid process 1316 16c5e924953d24a0a349d8e12e4d52decea80b969f80c9dc2f15bab3ba1760a7.exe 1316 16c5e924953d24a0a349d8e12e4d52decea80b969f80c9dc2f15bab3ba1760a7.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
16c5e924953d24a0a349d8e12e4d52decea80b969f80c9dc2f15bab3ba1760a7.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" 16c5e924953d24a0a349d8e12e4d52decea80b969f80c9dc2f15bab3ba1760a7.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
16c5e924953d24a0a349d8e12e4d52decea80b969f80c9dc2f15bab3ba1760a7.exedescription pid process Token: SeIncBasePriorityPrivilege 1316 16c5e924953d24a0a349d8e12e4d52decea80b969f80c9dc2f15bab3ba1760a7.exe -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
16c5e924953d24a0a349d8e12e4d52decea80b969f80c9dc2f15bab3ba1760a7.execmd.exedescription pid process target process PID 1316 wrote to memory of 1672 1316 16c5e924953d24a0a349d8e12e4d52decea80b969f80c9dc2f15bab3ba1760a7.exe MediaCenter.exe PID 1316 wrote to memory of 1672 1316 16c5e924953d24a0a349d8e12e4d52decea80b969f80c9dc2f15bab3ba1760a7.exe MediaCenter.exe PID 1316 wrote to memory of 1672 1316 16c5e924953d24a0a349d8e12e4d52decea80b969f80c9dc2f15bab3ba1760a7.exe MediaCenter.exe PID 1316 wrote to memory of 1672 1316 16c5e924953d24a0a349d8e12e4d52decea80b969f80c9dc2f15bab3ba1760a7.exe MediaCenter.exe PID 1316 wrote to memory of 1300 1316 16c5e924953d24a0a349d8e12e4d52decea80b969f80c9dc2f15bab3ba1760a7.exe cmd.exe PID 1316 wrote to memory of 1300 1316 16c5e924953d24a0a349d8e12e4d52decea80b969f80c9dc2f15bab3ba1760a7.exe cmd.exe PID 1316 wrote to memory of 1300 1316 16c5e924953d24a0a349d8e12e4d52decea80b969f80c9dc2f15bab3ba1760a7.exe cmd.exe PID 1316 wrote to memory of 1300 1316 16c5e924953d24a0a349d8e12e4d52decea80b969f80c9dc2f15bab3ba1760a7.exe cmd.exe PID 1300 wrote to memory of 1176 1300 cmd.exe PING.EXE PID 1300 wrote to memory of 1176 1300 cmd.exe PING.EXE PID 1300 wrote to memory of 1176 1300 cmd.exe PING.EXE PID 1300 wrote to memory of 1176 1300 cmd.exe PING.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\16c5e924953d24a0a349d8e12e4d52decea80b969f80c9dc2f15bab3ba1760a7.exe"C:\Users\Admin\AppData\Local\Temp\16c5e924953d24a0a349d8e12e4d52decea80b969f80c9dc2f15bab3ba1760a7.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1316 -
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeC:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe2⤵
- Executes dropped EXE
PID:1672 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\16c5e924953d24a0a349d8e12e4d52decea80b969f80c9dc2f15bab3ba1760a7.exe"2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1300 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.13⤵
- Runs ping.exe
PID:1176
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
d1012054d72877e45adda30e4dabe380
SHA12489134997b5d90e0fbbb8c55b99f4f533a93f25
SHA2561f4b663d7b49382d5c5641ba07e8db96a77b00264f091a4b5a37338d5064584c
SHA512ca9c6cc98142515c236f2aa9b20c153791114bd0cc18c43682d6d109a637dbbb3a3772ffde861c4feaeba12e15ba0548c687121460d0646a69ff24398ed6b73b
-
MD5
d1012054d72877e45adda30e4dabe380
SHA12489134997b5d90e0fbbb8c55b99f4f533a93f25
SHA2561f4b663d7b49382d5c5641ba07e8db96a77b00264f091a4b5a37338d5064584c
SHA512ca9c6cc98142515c236f2aa9b20c153791114bd0cc18c43682d6d109a637dbbb3a3772ffde861c4feaeba12e15ba0548c687121460d0646a69ff24398ed6b73b
-
MD5
d1012054d72877e45adda30e4dabe380
SHA12489134997b5d90e0fbbb8c55b99f4f533a93f25
SHA2561f4b663d7b49382d5c5641ba07e8db96a77b00264f091a4b5a37338d5064584c
SHA512ca9c6cc98142515c236f2aa9b20c153791114bd0cc18c43682d6d109a637dbbb3a3772ffde861c4feaeba12e15ba0548c687121460d0646a69ff24398ed6b73b