Analysis
  max time kernel: 121s
  max time network: 146s
  platform: windows7_x64
  resource: win7-en-20211208
  submitted: 12-02-2022 03:51

Static task: static1
Behavioral task: behavioral1
  Sample: 16a8da50e08d00aab46844a92b28ab6bd30a28bad55617dd95fdece5f4cb88af.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 16a8da50e08d00aab46844a92b28ab6bd30a28bad55617dd95fdece5f4cb88af.exe
  Resource: win10v2004-en-20220112

General
  Target: 16a8da50e08d00aab46844a92b28ab6bd30a28bad55617dd95fdece5f4cb88af.exe
  Size: 101KB
  MD5: b1d16fb35ceb9ab3dc94971a342dc22e
  SHA1: e80879547e0eb856ba17413585fdd0ebac98a6b9
  SHA256: 16a8da50e08d00aab46844a92b28ab6bd30a28bad55617dd95fdece5f4cb88af
  SHA512: 5db70a7f0adda3e968b615f2101a7252459a92d8b35ebe37fdcd0f47a73bce9c0097b4fe913837caa0d6dd8bdf7b8c1cf1a65f530da71eb748f22bd3dd5c8613
Malware Config
Signatures
Sakula Payload (3 IoCs)
  resource | yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula

Executes dropped EXE (1 IoC)
  pid | process
  1128 | MediaCenter.exe

Deletes itself (1 IoC)
  pid | process
  1480 | cmd.exe

Loads dropped DLL (2 IoCs)
  pid | process
  812 | 16a8da50e08d00aab46844a92b28ab6bd30a28bad55617dd95fdece5f4cb88af.exe
  812 | 16a8da50e08d00aab46844a92b28ab6bd30a28bad55617dd95fdece5f4cb88af.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 16a8da50e08d00aab46844a92b28ab6bd30a28bad55617dd95fdece5f4cb88af.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's stock text for this signature reads "Likely ransomware behaviour"; that is a generic heuristic attached to the signature, not a verdict on this sample, whose dropped payload matched the family_sakula YARA rule listed above.
Runs ping.exe (1 TTP, 1 IoC)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 812 | 16a8da50e08d00aab46844a92b28ab6bd30a28bad55617dd95fdece5f4cb88af.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  description | pid | process | target pid | target process
  4 writes | 812 | 16a8da50e08d00aab46844a92b28ab6bd30a28bad55617dd95fdece5f4cb88af.exe | 1128 | MediaCenter.exe
  4 writes | 812 | 16a8da50e08d00aab46844a92b28ab6bd30a28bad55617dd95fdece5f4cb88af.exe | 1480 | cmd.exe
  4 writes | 1480 | cmd.exe | 1332 | PING.EXE
Processes
  [1] C:\Users\Admin\AppData\Local\Temp\16a8da50e08d00aab46844a92b28ab6bd30a28bad55617dd95fdece5f4cb88af.exe  (PID 812)
      command line: "C:\Users\Admin\AppData\Local\Temp\16a8da50e08d00aab46844a92b28ab6bd30a28bad55617dd95fdece5f4cb88af.exe"
      - Loads dropped DLL
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  (PID 1128)
        command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
        - Executes dropped EXE
    [2] C:\Windows\SysWOW64\cmd.exe  (PID 1480)
        command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\16a8da50e08d00aab46844a92b28ab6bd30a28bad55617dd95fdece5f4cb88af.exe"
        - Deletes itself
        - Suspicious use of WriteProcessMemory
      [3] C:\Windows\SysWOW64\PING.EXE  (PID 1332)
          command line: ping 127.0.0.1
          - Runs ping.exe
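Read together, the tree above is a compact drop / persist / self-delete sequence: the sample (PID 812) writes MediaCenter.exe into its own Temp directory and launches it, registers that path under the Wow6432Node Run key (the sample is a 32-bit process on an x64 host, which is also why the child images resolve to SysWOW64 although the command line names System32), and then spawns `cmd /c ping 127.0.0.1 & del /q <its own path>`. The ping is only a delay: by the time the four loopback echoes finish, the dropper has exited and released its file handle, so the `del` succeeds. The following detection logic is an added example, not part of the sandbox report. It runs over constructed process and registry events that mirror this tree; the field names (`type`, `pid`, `ppid`, `image`, `cmdline`, `parent_image`, `key`, `value`) are assumptions loosely modelled on Sysmon event IDs 1 and 13, and the dropper's own parent PID (500) is assumed because the report does not give it.

```python
"""Detect the drop / persist / self-delete sequence from process and registry telemetry.

Added example, not sandbox code.  EVENTS is constructed to mirror the report's
process tree and Run-key write; BENIGN_EVENTS is a constructed control that uses
the same ping-then-del idiom against an unrelated file.  Field names are assumed.
"""
import re
from typing import Dict, List

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\16a8da50e08d00aab46844a92b28ab6bd30a28bad55617dd95fdece5f4cb88af.exe")
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
CMD32 = r"C:\Windows\SysWOW64\cmd.exe"

EVENTS: List[Dict] = [
    # ppid 500 / explorer.exe parent are assumptions; the report does not record them.
    {"type": "process", "pid": 812, "ppid": 500, "image": SAMPLE,
     "cmdline": f'"{SAMPLE}"', "parent_image": r"C:\Windows\explorer.exe"},
    {"type": "process", "pid": 1128, "ppid": 812, "image": DROPPED,
     "cmdline": DROPPED, "parent_image": SAMPLE},
    {"type": "registry", "pid": 812, "image": SAMPLE,
     "key": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "value": DROPPED},
    # WoW64 redirection: the command line names System32, the loaded image is SysWOW64.
    {"type": "process", "pid": 1480, "ppid": 812, "image": CMD32,
     "cmdline": f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"',
     "parent_image": SAMPLE},
    {"type": "process", "pid": 1332, "ppid": 1480, "image": r"C:\Windows\SysWOW64\PING.EXE",
     "cmdline": "ping 127.0.0.1", "parent_image": CMD32},
]

BENIGN_EVENTS: List[Dict] = [
    {"type": "process", "pid": 77, "ppid": 70, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c ping 127.0.0.1 -n 3 & del /q "C:\Build\out\stale.exe"',
     "parent_image": r"C:\Build\tools\make.exe"},
]

PING_RE = re.compile(r"\bping(\.exe)?\s+(-n\s+\d+\s+)?(127\.0\.0\.1|localhost)", re.I)
DEL_RE = re.compile(r'\b(del|erase)\b[^"&]*"?([^"&]+?\.exe)"?', re.I)
RUN_KEY_RE = re.compile(r"\\(Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)


def _norm(path: str) -> str:
    """Case-fold and strip quotes so command-line paths compare with image paths."""
    return path.strip().strip('"').lower()


def detect_self_delete(events: List[Dict]) -> List[Dict]:
    """cmd.exe that delays with ping and then deletes the very image that spawned it."""
    hits = []
    for e in events:
        if e["type"] != "process" or not PING_RE.search(e["cmdline"]):
            continue
        m = DEL_RE.search(e["cmdline"])
        if m and _norm(m.group(2)) == _norm(e["parent_image"]):
            hits.append({"pid": e["pid"], "dropper_pid": e["ppid"], "deleted": m.group(2)})
    return hits


def detect_temp_run_key(events: List[Dict]) -> List[Dict]:
    """Run/RunOnce value whose target lives under the user's AppData Local Temp directory."""
    return [{"pid": e["pid"], "key": e["key"], "target": e["value"]}
            for e in events
            if e["type"] == "registry"
            and RUN_KEY_RE.search(e["key"]) and TEMP_RE.search(e["value"])]


def detect_temp_dropped_child(events: List[Dict]) -> List[Dict]:
    """A Temp-resident process launching a different executable from Temp (drop-and-run)."""
    return [{"dropper_pid": e["ppid"], "pid": e["pid"], "image": e["image"]}
            for e in events
            if e["type"] == "process"
            and TEMP_RE.search(e["image"]) and TEMP_RE.search(e["parent_image"])
            and _norm(e["image"]) != _norm(e["parent_image"])]


def triage(events: List[Dict]) -> Dict:
    """Correlate the three signals on one PID; all three together is the sequence above."""
    self_del = detect_self_delete(events)
    run_key = detect_temp_run_key(events)
    child = detect_temp_dropped_child(events)
    pids = ({h["dropper_pid"] for h in self_del}
            & {h["pid"] for h in run_key}
            & {h["dropper_pid"] for h in child})
    return {"self_delete": self_del, "run_key": run_key,
            "dropped_child": child, "dropper_pids": sorted(pids)}


if __name__ == "__main__":
    for name, result in triage(EVENTS).items():
        print(name, result)
```

Each detector is deliberately weak on its own (developers do `ping & del` on build artefacts, and plenty of installers write Run keys), so `triage` only names a dropper PID when the same process wrote a Temp-resident Run value, launched a second executable from Temp, and was the target of the self-delete; the benign control trips the ping-then-del regex but fails the parent-image check.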
Network
MITRE ATT&CK Enterprise v6
Downloads
  One file (the report lists the same hash set three times):
  MD5: 288a3dd0cc6afccc52196ffea47bc589
  SHA1: 80347786d9e3caf3350a46d48323835c8f136d6e
  SHA256: caacebe5a8c5aac16cadfd139483ff74b666f2519180480f483c3199176dd62a
  SHA512: d73df1c6cd21fd2251b1dc806b54f47f89f732ae243ccffdcd4b1f7ac930dfef1b1700216f7156e98453a8456a655eeea28c8802992465038ea85c3d5c861b08