Analysis

max time kernel: 121s
max time network: 132s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 03:49
Static task: static1

Behavioral task: behavioral1
  Sample: 16b5f31a57b09921d05c56f4c69ddda2eaf5b83c50e5bdf7ffc65bb043368d88.exe
  Resource: win7-en-20211208

Behavioral task: behavioral2
  Sample: 16b5f31a57b09921d05c56f4c69ddda2eaf5b83c50e5bdf7ffc65bb043368d88.exe
  Resource: win10v2004-en-20220113
General

Target: 16b5f31a57b09921d05c56f4c69ddda2eaf5b83c50e5bdf7ffc65bb043368d88.exe
Size: 99KB
MD5: 5b6ea751a75567561c335096266bca32
SHA1: 513ecbe9d01061b48f4fc13ce96ed6f116cf433a
SHA256: 16b5f31a57b09921d05c56f4c69ddda2eaf5b83c50e5bdf7ffc65bb043368d88
SHA512: 04cde9fcc8f4a760d995b2d8a98586a27986110dc6e8cc3a0e5c522c30b39f1f84c3819d59843564d7bea552d8e71a03ef7970c8da543b86fc04b55c4400d2bd
Malware Config
Signatures

Sakula Payload (3 IoCs)
Processes:
  resource                                                       yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe     family_sakula
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe     family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe   family_sakula
Executes dropped EXE (1 IoC)
Processes:
  pid    process
  1744   MediaCenter.exe
Deletes itself (1 IoC)
Processes:
  pid    process
  1440   cmd.exe
Loads dropped DLL (2 IoCs)
Processes:
  pid    process
  1452   16b5f31a57b09921d05c56f4c69ddda2eaf5b83c50e5bdf7ffc65bb043368d88.exe
  1452   16b5f31a57b09921d05c56f4c69ddda2eaf5b83c50e5bdf7ffc65bb043368d88.exe
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  description        ioc                                                                                                                                                                    process
  Set value (str)    \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"    16b5f31a57b09921d05c56f4c69ddda2eaf5b83c50e5bdf7ffc65bb043368d88.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTP, 1 IoC)
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  description                          pid    process
  Token: SeIncBasePriorityPrivilege    1452   16b5f31a57b09921d05c56f4c69ddda2eaf5b83c50e5bdf7ffc65bb043368d88.exe
Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
  description                          pid    process                                                                   target process
  PID 1452 wrote to memory of 1744     1452   16b5f31a57b09921d05c56f4c69ddda2eaf5b83c50e5bdf7ffc65bb043368d88.exe    MediaCenter.exe
  PID 1452 wrote to memory of 1744     1452   16b5f31a57b09921d05c56f4c69ddda2eaf5b83c50e5bdf7ffc65bb043368d88.exe    MediaCenter.exe
  PID 1452 wrote to memory of 1744     1452   16b5f31a57b09921d05c56f4c69ddda2eaf5b83c50e5bdf7ffc65bb043368d88.exe    MediaCenter.exe
  PID 1452 wrote to memory of 1744     1452   16b5f31a57b09921d05c56f4c69ddda2eaf5b83c50e5bdf7ffc65bb043368d88.exe    MediaCenter.exe
  PID 1452 wrote to memory of 1440     1452   16b5f31a57b09921d05c56f4c69ddda2eaf5b83c50e5bdf7ffc65bb043368d88.exe    cmd.exe
  PID 1452 wrote to memory of 1440     1452   16b5f31a57b09921d05c56f4c69ddda2eaf5b83c50e5bdf7ffc65bb043368d88.exe    cmd.exe
  PID 1452 wrote to memory of 1440     1452   16b5f31a57b09921d05c56f4c69ddda2eaf5b83c50e5bdf7ffc65bb043368d88.exe    cmd.exe
  PID 1452 wrote to memory of 1440     1452   16b5f31a57b09921d05c56f4c69ddda2eaf5b83c50e5bdf7ffc65bb043368d88.exe    cmd.exe
  PID 1440 wrote to memory of 1512     1440   cmd.exe                                                                   PING.EXE
  PID 1440 wrote to memory of 1512     1440   cmd.exe                                                                   PING.EXE
  PID 1440 wrote to memory of 1512     1440   cmd.exe                                                                   PING.EXE
  PID 1440 wrote to memory of 1512     1440   cmd.exe                                                                   PING.EXE
Processes

C:\Users\Admin\AppData\Local\Temp\16b5f31a57b09921d05c56f4c69ddda2eaf5b83c50e5bdf7ffc65bb043368d88.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\16b5f31a57b09921d05c56f4c69ddda2eaf5b83c50e5bdf7ffc65bb043368d88.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1452

  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1744

  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\16b5f31a57b09921d05c56f4c69ddda2eaf5b83c50e5bdf7ffc65bb043368d88.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1440

    C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1512
Network
MITRE ATT&CK Enterprise v6
Downloads

MD5: 63be2e1ff1ca9ea680d659cec4f8185c
SHA1: 84b3c23c55e97f5451811b98914c91b3d14d7fac
SHA256: c665eee723f7691bcc24a910f269e5153d5d53d2a46e227144480bde65186878
SHA512: 18ed7fb856c30c65888352eb8a458020488c7a1916f2c2a15e56ccf176f1408e1f4b39411108409e19d8051596b5b799604340512410944fd8b4be14d2982aa8