Analysis
- max time kernel: 134s
- max time network: 142s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 04:02
Static task: static1
Behavioral task: behavioral1
  Sample: 163fcc980faf6b34b2ed39667d2c6ad575b6615d6ec7554186ce064a10cbdfc4.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 163fcc980faf6b34b2ed39667d2c6ad575b6615d6ec7554186ce064a10cbdfc4.exe
  Resource: win10v2004-en-20220113
General
- Target: 163fcc980faf6b34b2ed39667d2c6ad575b6615d6ec7554186ce064a10cbdfc4.exe
- Size: 216KB
- MD5: 9caf419778f4105545dfcc8b181bbf8e
- SHA1: 4052e9517a1a2065fc9c9ada6e59750f84fc22a6
- SHA256: 163fcc980faf6b34b2ed39667d2c6ad575b6615d6ec7554186ce064a10cbdfc4
- SHA512: 2fc48dbafe1e4519de372afdbd90d3d814667946a9a73b82880af1149812c54c41deecbf6277973de9ac520fea2d34ff08038b7b770a3dfd10e6a45b77c4ddfb
Malware Config
Signatures
- Sakula Payload (4 IoCs)
  Processes:
    resource | yara_rule
    \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
    behavioral1/memory/1416-57-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
    behavioral1/memory/1888-58-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
- Executes dropped EXE (1 IoC)
  Processes:
    pid | process
    1888 | MediaCenter.exe
- Deletes itself (1 IoC)
  Processes:
    pid | process
    1460 | cmd.exe
- Loads dropped DLL (1 IoC)
  Processes:
    pid | process
    1416 | 163fcc980faf6b34b2ed39667d2c6ad575b6615d6ec7554186ce064a10cbdfc4.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    description | ioc | process
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 163fcc980faf6b34b2ed39667d2c6ad575b6615d6ec7554186ce064a10cbdfc4.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description | pid | process
    Token: SeIncBasePriorityPrivilege | 1416 | 163fcc980faf6b34b2ed39667d2c6ad575b6615d6ec7554186ce064a10cbdfc4.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
    description | pid | process | target process
    PID 1416 wrote to memory of 1888 | 1416 | 163fcc980faf6b34b2ed39667d2c6ad575b6615d6ec7554186ce064a10cbdfc4.exe | MediaCenter.exe
    PID 1416 wrote to memory of 1888 | 1416 | 163fcc980faf6b34b2ed39667d2c6ad575b6615d6ec7554186ce064a10cbdfc4.exe | MediaCenter.exe
    PID 1416 wrote to memory of 1888 | 1416 | 163fcc980faf6b34b2ed39667d2c6ad575b6615d6ec7554186ce064a10cbdfc4.exe | MediaCenter.exe
    PID 1416 wrote to memory of 1888 | 1416 | 163fcc980faf6b34b2ed39667d2c6ad575b6615d6ec7554186ce064a10cbdfc4.exe | MediaCenter.exe
    PID 1416 wrote to memory of 1460 | 1416 | 163fcc980faf6b34b2ed39667d2c6ad575b6615d6ec7554186ce064a10cbdfc4.exe | cmd.exe
    PID 1416 wrote to memory of 1460 | 1416 | 163fcc980faf6b34b2ed39667d2c6ad575b6615d6ec7554186ce064a10cbdfc4.exe | cmd.exe
    PID 1416 wrote to memory of 1460 | 1416 | 163fcc980faf6b34b2ed39667d2c6ad575b6615d6ec7554186ce064a10cbdfc4.exe | cmd.exe
    PID 1416 wrote to memory of 1460 | 1416 | 163fcc980faf6b34b2ed39667d2c6ad575b6615d6ec7554186ce064a10cbdfc4.exe | cmd.exe
    PID 1460 wrote to memory of 1108 | 1460 | cmd.exe | PING.EXE
    PID 1460 wrote to memory of 1108 | 1460 | cmd.exe | PING.EXE
    PID 1460 wrote to memory of 1108 | 1460 | cmd.exe | PING.EXE
    PID 1460 wrote to memory of 1108 | 1460 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\163fcc980faf6b34b2ed39667d2c6ad575b6615d6ec7554186ce064a10cbdfc4.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\163fcc980faf6b34b2ed39667d2c6ad575b6615d6ec7554186ce064a10cbdfc4.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1416
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1888
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\163fcc980faf6b34b2ed39667d2c6ad575b6615d6ec7554186ce064a10cbdfc4.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1460
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1108
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 06dccca06b2bb3f536a6e7fc04374eec
  SHA1: a6b8f13dff75860d8090274c91040e9b1b065bbc
  SHA256: cf8ea2344ebbc606a2fe8f98e47b07ec52627445421d1d9fd2e18d5c643489e7
  SHA512: 03a2348d7d2e9bbb5e59e80f3186f208587c3378baf05debf6c1803e241f19476a53521cf74456fc0c81f3b12f097bd860f1a5d4d719c39feb55881beb05ab24