Analysis
- max time kernel: 143s
- max time network: 171s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 03:53
Static task: static1

Behavioral task: behavioral1
Sample: 16979cf87c480628f3de64b103c42f371fdc91dd2bae187652e257b9d928ad4b.exe
Resource: win7-en-20211208

Behavioral task: behavioral2
Sample: 16979cf87c480628f3de64b103c42f371fdc91dd2bae187652e257b9d928ad4b.exe
Resource: win10v2004-en-20220113
General
- Target: 16979cf87c480628f3de64b103c42f371fdc91dd2bae187652e257b9d928ad4b.exe
- Size: 150KB
- MD5: 5354bf6de593c4f112a939e84675b17b
- SHA1: f76166b1b832f590cc505b1d7bfa1af5141b622c
- SHA256: 16979cf87c480628f3de64b103c42f371fdc91dd2bae187652e257b9d928ad4b
- SHA512: 9e0e92bc0f43976febc022353f760dc13652ecc1a21bd0b2507592bb5ff5ce62c2bfd9567f7f8ad6f616f0f844fc4538af2e860f71ebd5503ec7c3648803957c
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  Processes:
  resource                                                      yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe    family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  family_sakula
- Executes dropped EXE (1 IoCs)
  Processes:
  pid   process
  1636  MediaCenter.exe
- Deletes itself (1 IoCs)
  Processes:
  pid   process
  336   cmd.exe
- Loads dropped DLL (1 IoCs)
  Processes:
  pid   process
  1648  16979cf87c480628f3de64b103c42f371fdc91dd2bae187652e257b9d928ad4b.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  process: 16979cf87c480628f3de64b103c42f371fdc91dd2bae187652e257b9d928ad4b.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
  description: Token: SeIncBasePriorityPrivilege
  pid: 1648
  process: 16979cf87c480628f3de64b103c42f371fdc91dd2bae187652e257b9d928ad4b.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
  description                       pid   process                                                                target process
  PID 1648 wrote to memory of 1636  1648  16979cf87c480628f3de64b103c42f371fdc91dd2bae187652e257b9d928ad4b.exe  MediaCenter.exe
  PID 1648 wrote to memory of 1636  1648  16979cf87c480628f3de64b103c42f371fdc91dd2bae187652e257b9d928ad4b.exe  MediaCenter.exe
  PID 1648 wrote to memory of 1636  1648  16979cf87c480628f3de64b103c42f371fdc91dd2bae187652e257b9d928ad4b.exe  MediaCenter.exe
  PID 1648 wrote to memory of 1636  1648  16979cf87c480628f3de64b103c42f371fdc91dd2bae187652e257b9d928ad4b.exe  MediaCenter.exe
  PID 1648 wrote to memory of 336   1648  16979cf87c480628f3de64b103c42f371fdc91dd2bae187652e257b9d928ad4b.exe  cmd.exe
  PID 1648 wrote to memory of 336   1648  16979cf87c480628f3de64b103c42f371fdc91dd2bae187652e257b9d928ad4b.exe  cmd.exe
  PID 1648 wrote to memory of 336   1648  16979cf87c480628f3de64b103c42f371fdc91dd2bae187652e257b9d928ad4b.exe  cmd.exe
  PID 1648 wrote to memory of 336   1648  16979cf87c480628f3de64b103c42f371fdc91dd2bae187652e257b9d928ad4b.exe  cmd.exe
  PID 336 wrote to memory of 1484   336   cmd.exe                                                                PING.EXE
  PID 336 wrote to memory of 1484   336   cmd.exe                                                                PING.EXE
  PID 336 wrote to memory of 1484   336   cmd.exe                                                                PING.EXE
  PID 336 wrote to memory of 1484   336   cmd.exe                                                                PING.EXE
Processes
- Level 1: C:\Users\Admin\AppData\Local\Temp\16979cf87c480628f3de64b103c42f371fdc91dd2bae187652e257b9d928ad4b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\16979cf87c480628f3de64b103c42f371fdc91dd2bae187652e257b9d928ad4b.exe"
  PID: 1648
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Level 2: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 1636
    - Executes dropped EXE
  - Level 2: C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\16979cf87c480628f3de64b103c42f371fdc91dd2bae187652e257b9d928ad4b.exe"
    PID: 336
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - Level 3: C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 1484
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 7d466a2ab91e7e115853672cdca4988b
  SHA1: 01c494a223ab1f4d2f0c7f0cce0291c3a1498ea0
  SHA256: 012db92481685a4d164dc3694933cd9d05f13b57437dccf9c4fe0a68697b3e90
  SHA512: a78ff2e39289a9468d6478971f6e3cf5c8f366d8a11c7ccd9c0b5cd448e3868ab86263f9defa4742e587175fd9558d0df74f4e38b467475254d50659c3aacef1