Analysis
max time kernel: 153s
max time network: 166s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 03:49
Static task: static1
Behavioral task: behavioral1
Sample: 16b5e4744412bb62eb55844b467ba274841e3036b08ea3babbee3ff6ce6793b5.exe
Resource: win7-en-20211208
Behavioral task: behavioral2
Sample: 16b5e4744412bb62eb55844b467ba274841e3036b08ea3babbee3ff6ce6793b5.exe
Resource: win10v2004-en-20220113
General
Target: 16b5e4744412bb62eb55844b467ba274841e3036b08ea3babbee3ff6ce6793b5.exe
Size: 101KB
MD5: 52e1c43d43f3ee14b9297931f2475a5c
SHA1: 17a493c61cd98bf273924282eb26044e479cac82
SHA256: 16b5e4744412bb62eb55844b467ba274841e3036b08ea3babbee3ff6ce6793b5
SHA512: 2ac63bffa7005af4e10bbdd63d1f2489bdbada816f145eda13a32e048dd77947a1ea83e115fc6da4956c7e00a550ce474c0ab5d0ebf68e5613e619cf84e45741
Malware Config
Signatures
Sakula Payload 3 IoCs
Processes:
resource: \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | yara_rule: family_sakula
resource: \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | yara_rule: family_sakula
resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | yara_rule: family_sakula
Executes dropped EXE 1 IoCs
Processes:
pid: 1164 | process: MediaCenter.exe
Deletes itself 1 IoCs
Processes:
pid: 1188 | process: cmd.exe
Loads dropped DLL 2 IoCs
Processes:
pid: 1724 | process: 16b5e4744412bb62eb55844b467ba274841e3036b08ea3babbee3ff6ce6793b5.exe
pid: 1724 | process: 16b5e4744412bb62eb55844b467ba274841e3036b08ea3babbee3ff6ce6793b5.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description: Set value (str) | ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | process: 16b5e4744412bb62eb55844b467ba274841e3036b08ea3babbee3ff6ce6793b5.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Runs ping.exe 1 TTPs 1 IoCs
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
description: Token: SeIncBasePriorityPrivilege | pid: 1724 | process: 16b5e4744412bb62eb55844b467ba274841e3036b08ea3babbee3ff6ce6793b5.exe
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
description: PID 1724 wrote to memory of 1164 | pid: 1724 | process: 16b5e4744412bb62eb55844b467ba274841e3036b08ea3babbee3ff6ce6793b5.exe | target process: MediaCenter.exe (4 events)
description: PID 1724 wrote to memory of 1188 | pid: 1724 | process: 16b5e4744412bb62eb55844b467ba274841e3036b08ea3babbee3ff6ce6793b5.exe | target process: cmd.exe (4 events)
description: PID 1188 wrote to memory of 392 | pid: 1188 | process: cmd.exe | target process: PING.EXE (4 events)
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\16b5e4744412bb62eb55844b467ba274841e3036b08ea3babbee3ff6ce6793b5.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\16b5e4744412bb62eb55844b467ba274841e3036b08ea3babbee3ff6ce6793b5.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1724
  Level 2: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1164
  Level 2: C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\16b5e4744412bb62eb55844b467ba274841e3036b08ea3babbee3ff6ce6793b5.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1188
    Level 3: C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 392
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: bf0403e751761a83fc88d3995397e4a1
SHA1: bf1582aa9a444fb3640b4ea62015df7f4f7ca83f
SHA256: 360dc7c7fa6057df2933d6f198252e168f08f27fb82616dd96d019d09f53ba5f
SHA512: 8c06f2717e8f61d899ab4b3bb37eaf75573083b25e2fdb8467fa71bd10ee116fc011a14d540973ba04b0a33e488892f16a0254c910cfeda04459ab4ece4b5f29