Analysis
max time kernel: 136s
max time network: 146s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 04:03
Static task: static1
Behavioral task: behavioral1
  Sample: 161cd6818fd8a9018ebbddf1b54c4350509d0bb137dbc81953b8538a3d3a7876.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 161cd6818fd8a9018ebbddf1b54c4350509d0bb137dbc81953b8538a3d3a7876.exe
  Resource: win10v2004-en-20220113
General
Target: 161cd6818fd8a9018ebbddf1b54c4350509d0bb137dbc81953b8538a3d3a7876.exe
Size: 216KB
MD5: 73a7aeefbbc23700fb7ded3d229f957b
SHA1: 4310dc9b1def848662d3d78aab4e962e29a5158a
SHA256: 161cd6818fd8a9018ebbddf1b54c4350509d0bb137dbc81953b8538a3d3a7876
SHA512: 20e69d195b295dc10dc99f84a1f9cb0e8f85d0101ff89d409f295db809e15e2616084bc14f1517d782560db3f013778f5cff9bb81ed89e6a7378f27b00ab5e26
Malware Config
Signatures
- Sakula Payload (4 IoCs)
  Processes:
  resource | yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  behavioral1/memory/1500-58-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
  behavioral1/memory/656-59-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
- Executes dropped EXE (1 IoCs)
  Processes:
  pid | process
  656 | MediaCenter.exe
- Deletes itself (1 IoCs)
  Processes:
  pid | process
  820 | cmd.exe
- Loads dropped DLL (1 IoCs)
  Processes:
  pid | process
  1500 | 161cd6818fd8a9018ebbddf1b54c4350509d0bb137dbc81953b8538a3d3a7876.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 161cd6818fd8a9018ebbddf1b54c4350509d0bb137dbc81953b8538a3d3a7876.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 1500 | 161cd6818fd8a9018ebbddf1b54c4350509d0bb137dbc81953b8538a3d3a7876.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
  description | pid | process | target process
  PID 1500 wrote to memory of 656 | 1500 | 161cd6818fd8a9018ebbddf1b54c4350509d0bb137dbc81953b8538a3d3a7876.exe | MediaCenter.exe
  PID 1500 wrote to memory of 656 | 1500 | 161cd6818fd8a9018ebbddf1b54c4350509d0bb137dbc81953b8538a3d3a7876.exe | MediaCenter.exe
  PID 1500 wrote to memory of 656 | 1500 | 161cd6818fd8a9018ebbddf1b54c4350509d0bb137dbc81953b8538a3d3a7876.exe | MediaCenter.exe
  PID 1500 wrote to memory of 656 | 1500 | 161cd6818fd8a9018ebbddf1b54c4350509d0bb137dbc81953b8538a3d3a7876.exe | MediaCenter.exe
  PID 1500 wrote to memory of 820 | 1500 | 161cd6818fd8a9018ebbddf1b54c4350509d0bb137dbc81953b8538a3d3a7876.exe | cmd.exe
  PID 1500 wrote to memory of 820 | 1500 | 161cd6818fd8a9018ebbddf1b54c4350509d0bb137dbc81953b8538a3d3a7876.exe | cmd.exe
  PID 1500 wrote to memory of 820 | 1500 | 161cd6818fd8a9018ebbddf1b54c4350509d0bb137dbc81953b8538a3d3a7876.exe | cmd.exe
  PID 1500 wrote to memory of 820 | 1500 | 161cd6818fd8a9018ebbddf1b54c4350509d0bb137dbc81953b8538a3d3a7876.exe | cmd.exe
  PID 820 wrote to memory of 1948 | 820 | cmd.exe | PING.EXE
  PID 820 wrote to memory of 1948 | 820 | cmd.exe | PING.EXE
  PID 820 wrote to memory of 1948 | 820 | cmd.exe | PING.EXE
  PID 820 wrote to memory of 1948 | 820 | cmd.exe | PING.EXE
Processes
- Image: C:\Users\Admin\AppData\Local\Temp\161cd6818fd8a9018ebbddf1b54c4350509d0bb137dbc81953b8538a3d3a7876.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\161cd6818fd8a9018ebbddf1b54c4350509d0bb137dbc81953b8538a3d3a7876.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1500
  - Image: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 656
  - Image: C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\161cd6818fd8a9018ebbddf1b54c4350509d0bb137dbc81953b8538a3d3a7876.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 820
    - Image: C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1948
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 3517b1d4e51ce488a1b3d841be950c90
  SHA1: 9606b2aa74816b06fbdcf5928448502464c1f356
  SHA256: 66aaf2d2b39e08e74e46cd40e6c3db225f7d72b6c1fed5e4ab8e319bbc994b2d
  SHA512: cb3274f9aaa1d1faceab0423e548c5116b4c742c742417c195d762d392aa7734d1d97a0758f6b79b841cc8de3bc00af080e88b6fb2495c145360c56dcaae1caa