Analysis
- max time kernel: 142s
- max time network: 150s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 04:02

Static task: static1

Behavioral task: behavioral1
- Sample: 162bddbfa5a92bc37fd90783e9ea5d296c6fdb699a552cca5beecd88aad57c27.exe
- Resource: win7-en-20211208

Behavioral task: behavioral2
- Sample: 162bddbfa5a92bc37fd90783e9ea5d296c6fdb699a552cca5beecd88aad57c27.exe
- Resource: win10v2004-en-20220112
General
- Target: 162bddbfa5a92bc37fd90783e9ea5d296c6fdb699a552cca5beecd88aad57c27.exe
- Size: 150KB
- MD5: 8d36c2e84a7be81028e31891317b3f68
- SHA1: dcf12e97cc04a7bda2be0bcf04355e3a235f6f06
- SHA256: 162bddbfa5a92bc37fd90783e9ea5d296c6fdb699a552cca5beecd88aad57c27
- SHA512: 76bd0cd35b939e6cac7edab14aec09806e0fe68152cc57f34003513e7fb8b6086eea13932997f7cf889797ba0f1590383c95b2539984eef720d0acbda8509e14
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  Processes:
  resource | yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- Executes dropped EXE (1 IoCs)
  Processes: MediaCenter.exe
  pid | process
  1612 | MediaCenter.exe
- Deletes itself (1 IoCs)
  Processes: cmd.exe
  pid | process
  1912 | cmd.exe
- Loads dropped DLL (1 IoCs)
  Processes: 162bddbfa5a92bc37fd90783e9ea5d296c6fdb699a552cca5beecd88aad57c27.exe
  pid | process
  960 | 162bddbfa5a92bc37fd90783e9ea5d296c6fdb699a552cca5beecd88aad57c27.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes: 162bddbfa5a92bc37fd90783e9ea5d296c6fdb699a552cca5beecd88aad57c27.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 162bddbfa5a92bc37fd90783e9ea5d296c6fdb699a552cca5beecd88aad57c27.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: 162bddbfa5a92bc37fd90783e9ea5d296c6fdb699a552cca5beecd88aad57c27.exe
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 960 | 162bddbfa5a92bc37fd90783e9ea5d296c6fdb699a552cca5beecd88aad57c27.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes: 162bddbfa5a92bc37fd90783e9ea5d296c6fdb699a552cca5beecd88aad57c27.exe, cmd.exe
  description | pid | process | target process
  PID 960 wrote to memory of 1612 | 960 | 162bddbfa5a92bc37fd90783e9ea5d296c6fdb699a552cca5beecd88aad57c27.exe | MediaCenter.exe
  PID 960 wrote to memory of 1612 | 960 | 162bddbfa5a92bc37fd90783e9ea5d296c6fdb699a552cca5beecd88aad57c27.exe | MediaCenter.exe
  PID 960 wrote to memory of 1612 | 960 | 162bddbfa5a92bc37fd90783e9ea5d296c6fdb699a552cca5beecd88aad57c27.exe | MediaCenter.exe
  PID 960 wrote to memory of 1612 | 960 | 162bddbfa5a92bc37fd90783e9ea5d296c6fdb699a552cca5beecd88aad57c27.exe | MediaCenter.exe
  PID 960 wrote to memory of 1912 | 960 | 162bddbfa5a92bc37fd90783e9ea5d296c6fdb699a552cca5beecd88aad57c27.exe | cmd.exe
  PID 960 wrote to memory of 1912 | 960 | 162bddbfa5a92bc37fd90783e9ea5d296c6fdb699a552cca5beecd88aad57c27.exe | cmd.exe
  PID 960 wrote to memory of 1912 | 960 | 162bddbfa5a92bc37fd90783e9ea5d296c6fdb699a552cca5beecd88aad57c27.exe | cmd.exe
  PID 960 wrote to memory of 1912 | 960 | 162bddbfa5a92bc37fd90783e9ea5d296c6fdb699a552cca5beecd88aad57c27.exe | cmd.exe
  PID 1912 wrote to memory of 1788 | 1912 | cmd.exe | PING.EXE
  PID 1912 wrote to memory of 1788 | 1912 | cmd.exe | PING.EXE
  PID 1912 wrote to memory of 1788 | 1912 | cmd.exe | PING.EXE
  PID 1912 wrote to memory of 1788 | 1912 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\162bddbfa5a92bc37fd90783e9ea5d296c6fdb699a552cca5beecd88aad57c27.exe (PID 960)
  Command line: "C:\Users\Admin\AppData\Local\Temp\162bddbfa5a92bc37fd90783e9ea5d296c6fdb699a552cca5beecd88aad57c27.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 1612, child of 960)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 1912, child of 960)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\162bddbfa5a92bc37fd90783e9ea5d296c6fdb699a552cca5beecd88aad57c27.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 1788, child of 1912)
      Command line: ping 127.0.0.1
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 583681b1743adf61468a81d1b236a13e
  SHA1: 89ac82797be75e3d96816ff7fb473a440824f2da
  SHA256: 86037bcc758e28d736209d57239f7585ae24b6f3bf28afa2151fb6c1466b4a7e
  SHA512: d2dcac5a8b9dca1504ab49b51134a6b70030e6859a67b6a51a124e3c5a699ce5101df0084a4c2cd6cdc3f87451f4a171bd7be075ba31650f0cc011ed70ef1b17