Analysis
- max time kernel: 133s
- max time network: 147s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 03:49
Static task: static1
Behavioral task: behavioral1
- Sample: 16b8c2d1ef1b3419c475712f6eb3c0f5eb65b79d79932e78ed3229f71f3e4ef0.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 16b8c2d1ef1b3419c475712f6eb3c0f5eb65b79d79932e78ed3229f71f3e4ef0.exe
- Resource: win10v2004-en-20220112
General
- Target: 16b8c2d1ef1b3419c475712f6eb3c0f5eb65b79d79932e78ed3229f71f3e4ef0.exe
- Size: 99KB
- MD5: f4d18e0e1552182baaaaa032e247bf68
- SHA1: 61bc650c3db23543518eff5fd3548013f3445035
- SHA256: 16b8c2d1ef1b3419c475712f6eb3c0f5eb65b79d79932e78ed3229f71f3e4ef0
- SHA512: 8bde9d27fe31068ac763610f80ff038a2f48859b56a96c2b3ae94ee51bcfa8c63279744e386c436ab4ba69b9007b97e73a2576750df6c1d4aa05cae5de067883
Malware Config
Signatures
- Sakula Payload (3 IoCs)
  Processes:
  resource | yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- Executes dropped EXE (1 IoC)
  Processes:
  pid | process
  460 | MediaCenter.exe
- Deletes itself (1 IoC)
  Processes:
  pid | process
  1176 | cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes:
  pid | process
  1100 | 16b8c2d1ef1b3419c475712f6eb3c0f5eb65b79d79932e78ed3229f71f3e4ef0.exe
  1100 | 16b8c2d1ef1b3419c475712f6eb3c0f5eb65b79d79932e78ed3229f71f3e4ef0.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 16b8c2d1ef1b3419c475712f6eb3c0f5eb65b79d79932e78ed3229f71f3e4ef0.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 1100 | 16b8c2d1ef1b3419c475712f6eb3c0f5eb65b79d79932e78ed3229f71f3e4ef0.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
  description | pid | process | target pid | target process
  PID 1100 wrote to memory of 460 | 1100 | 16b8c2d1ef1b3419c475712f6eb3c0f5eb65b79d79932e78ed3229f71f3e4ef0.exe | 460 | MediaCenter.exe
  PID 1100 wrote to memory of 460 | 1100 | 16b8c2d1ef1b3419c475712f6eb3c0f5eb65b79d79932e78ed3229f71f3e4ef0.exe | 460 | MediaCenter.exe
  PID 1100 wrote to memory of 460 | 1100 | 16b8c2d1ef1b3419c475712f6eb3c0f5eb65b79d79932e78ed3229f71f3e4ef0.exe | 460 | MediaCenter.exe
  PID 1100 wrote to memory of 460 | 1100 | 16b8c2d1ef1b3419c475712f6eb3c0f5eb65b79d79932e78ed3229f71f3e4ef0.exe | 460 | MediaCenter.exe
  PID 1100 wrote to memory of 1176 | 1100 | 16b8c2d1ef1b3419c475712f6eb3c0f5eb65b79d79932e78ed3229f71f3e4ef0.exe | 1176 | cmd.exe
  PID 1100 wrote to memory of 1176 | 1100 | 16b8c2d1ef1b3419c475712f6eb3c0f5eb65b79d79932e78ed3229f71f3e4ef0.exe | 1176 | cmd.exe
  PID 1100 wrote to memory of 1176 | 1100 | 16b8c2d1ef1b3419c475712f6eb3c0f5eb65b79d79932e78ed3229f71f3e4ef0.exe | 1176 | cmd.exe
  PID 1100 wrote to memory of 1176 | 1100 | 16b8c2d1ef1b3419c475712f6eb3c0f5eb65b79d79932e78ed3229f71f3e4ef0.exe | 1176 | cmd.exe
  PID 1176 wrote to memory of 1196 | 1176 | cmd.exe | 1196 | PING.EXE
  PID 1176 wrote to memory of 1196 | 1176 | cmd.exe | 1196 | PING.EXE
  PID 1176 wrote to memory of 1196 | 1176 | cmd.exe | 1196 | PING.EXE
  PID 1176 wrote to memory of 1196 | 1176 | cmd.exe | 1196 | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\16b8c2d1ef1b3419c475712f6eb3c0f5eb65b79d79932e78ed3229f71f3e4ef0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\16b8c2d1ef1b3419c475712f6eb3c0f5eb65b79d79932e78ed3229f71f3e4ef0.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1100
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 460
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\16b8c2d1ef1b3419c475712f6eb3c0f5eb65b79d79932e78ed3229f71f3e4ef0.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1176
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1196
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 9c0bf86ec0ed353b512d2005a8cbc6b1
  SHA1: 5de8cca8b61f50b1644267095cb8633e8b88d21a
  SHA256: 2ea64e0877dd0417019cc74bbca0ce956e92e4df13a5aeec3727201f93284ff8
  SHA512: b1317d56c05a07fc74ba575fd050176b9df31893689ad46ae425b3df75ffeeb2e24a5c83ccb6840762df62094ed6bffdd0af6f871c7d1e040c82757c93a175db