Analysis
max time kernel: 119s
max time network: 136s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 04:04
Static task: static1
Behavioral task: behavioral1
  Sample: 1617a841dc629d779b4a70167508576855d8962dbb895147fedf223584597b4d.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 1617a841dc629d779b4a70167508576855d8962dbb895147fedf223584597b4d.exe
  Resource: win10v2004-en-20220113
General
Target: 1617a841dc629d779b4a70167508576855d8962dbb895147fedf223584597b4d.exe
Size: 100KB
MD5: 79983f7f5b5dbb3bf91717e17c87fbe5
SHA1: 75e8a7fa3adc988f4ef95333a62ed11063c954dc
SHA256: 1617a841dc629d779b4a70167508576855d8962dbb895147fedf223584597b4d
SHA512: 98e6c0f8c236868f57d6426ec29c9b1032258ca41b99f2630457be2799c9cb0d2dfa39f4c3baeccfbb7eaa4d1717623fc2b1f1aa3f34bf4f6aed99ef1be443b9
Malware Config
Signatures

Sakula Payload (3 IoCs)
  resource                                                        yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe      family_sakula
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe      family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe    family_sakula

Executes dropped EXE (1 IoC)
  pid   process
  332   MediaCenter.exe

Deletes itself (1 IoC)
  pid   process
  1136  cmd.exe
  The deleting process is the cmd.exe child spawned with "/c ping 127.0.0.1 & del /q <dropper>" (see the process tree below): the ping to localhost is a short delay so the dropper has exited and released its file before del runs.

Loads dropped DLL (2 IoCs)
  pid   process
  1628  1617a841dc629d779b4a70167508576855d8962dbb895147fedf223584597b4d.exe
  1628  1617a841dc629d779b4a70167508576855d8962dbb895147fedf223584597b4d.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  description      ioc
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  process          1617a841dc629d779b4a70167508576855d8962dbb895147fedf223584597b4d.exe
  The key is under HKLM, so the dropped MediaCenter.exe is started for every user at logon. The Wow6432Node path shows the 32-bit dropper's registry write being redirected on 64-bit Windows; a hunt for this persistence has to check both the native Run key and its Wow6432Node mirror.

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox describes this heuristic as likely ransomware behaviour, but on its own it is a generic device-enumeration indicator; the payload here is identified by YARA as Sakula, so it should not be read as evidence of ransomware.

Runs ping.exe (1 TTP, 1 IoC)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description                          pid   process
  Token: SeIncBasePriorityPrivilege    1628  1617a841dc629d779b4a70167508576855d8962dbb895147fedf223584597b4d.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  description                        process                                                                   target process   count
  PID 1628 wrote to memory of 332    1617a841dc629d779b4a70167508576855d8962dbb895147fedf223584597b4d.exe     MediaCenter.exe  4
  PID 1628 wrote to memory of 1136   1617a841dc629d779b4a70167508576855d8962dbb895147fedf223584597b4d.exe     cmd.exe          4
  PID 1136 wrote to memory of 2000   cmd.exe                                                                   PING.EXE         4
  Each target is a direct child of the writer and each child receives the same four writes at launch, which is consistent with ordinary process creation (the parent populating the new process's startup data) rather than with injection into an unrelated process.
Processes

C:\Users\Admin\AppData\Local\Temp\1617a841dc629d779b4a70167508576855d8962dbb895147fedf223584597b4d.exe  (PID 1628, depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\1617a841dc629d779b4a70167508576855d8962dbb895147fedf223584597b4d.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  (PID 332, depth 2)
    command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE

  C:\Windows\SysWOW64\cmd.exe  (PID 1136, depth 2)
    command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\1617a841dc629d779b4a70167508576855d8962dbb895147fedf223584597b4d.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    The command line names System32\cmd.exe but the image that ran is SysWOW64\cmd.exe: WoW64 file-system redirection, because the 32-bit dropper created the process.

    C:\Windows\SysWOW64\PING.EXE  (PID 2000, depth 3)
      command line: ping 127.0.0.1
      - Runs ping.exe
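The three behaviours worth turning into detections from this run are the "ping 127.0.0.1 & del" self-deletion one-liner, the Run-key value pointing into a user's Temp directory (under Wow6432Node as well as the native key), and the separation of parent-to-child WriteProcessMemory noise from writes into unrelated processes. The Python below is an added example and not part of the sandbox report: it runs over constructed Sysmon-style records modelled on the process tree and registry IoC above. The file paths and pids 1628, 332, 1136 and 2000 come from the report; pid 1000 (the launching shell), pid 4242, the benign "Example" Run value, the extra non-child write and the field names pid/ppid/image/cmdline/key/value are assumptions.

```python
"""Detection helpers for the behaviours in the sandbox report (added example).

Events are constructed, Sysmon-style records modelled on the report's process
tree and Run-key IoC; they are not real telemetry and the field names are assumed.
"""
import re
from typing import Dict, List, Optional

DROPPER = (r"C:\Users\Admin\AppData\Local\Temp"
           r"\1617a841dc629d779b4a70167508576855d8962dbb895147fedf223584597b4d.exe")
PAYLOAD = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

# Process-creation events (constructed). PID 1000 stands in for the launching shell.
SAMPLE_EVENTS: List[Dict] = [
    {"pid": 1628, "ppid": 1000, "image": DROPPER, "cmdline": f'"{DROPPER}"'},
    {"pid": 332, "ppid": 1628, "image": PAYLOAD, "cmdline": PAYLOAD},
    {"pid": 1136, "ppid": 1628, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{DROPPER}"'},
    {"pid": 2000, "ppid": 1136, "image": r"C:\Windows\SysWOW64\PING.EXE",
     "cmdline": "ping 127.0.0.1"},
]

# Registry set-value events (constructed): the report's Run key plus a benign one.
SAMPLE_REG_EVENTS: List[Dict] = [
    {"pid": 1628, "value": f'"{PAYLOAD}"',
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia"},
    {"pid": 4242, "value": r"C:\Program Files\Example\example.exe",  # hypothetical benign entry
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Example"},
]

# cmd.exe idiom: ping used as a sleep, then del of a quoted or bare path.
SELF_DELETE_RE = re.compile(
    r'\bping(?:\.exe)?\s+[^&]*?&\s*del\s+(?:/[a-z]\s+)*"?(?P<path>[^"&]+?)"?\s*$',
    re.IGNORECASE,
)
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\|\\Windows\\Temp\\", re.IGNORECASE)
# Suffix shared by the native Run key and its Wow6432Node mirror (compared lower-cased).
RUN_KEY_MARK = "\\microsoft\\windows\\currentversion\\run\\"


def self_delete_target(cmdline: str) -> Optional[str]:
    """Return the path a 'ping ... & del ...' one-liner deletes, or None."""
    m = SELF_DELETE_RE.search(cmdline)
    return m.group("path").strip() if m else None


def find_self_deletion(events: List[Dict]) -> List[Dict]:
    """Flag self-delete one-liners and record whether the deleted path is the
    parent's own image (true self-deletion) or some other file being cleaned up."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        target = self_delete_target(e["cmdline"])
        if target is None:
            continue
        parent = by_pid.get(e["ppid"])
        hits.append({
            "cmd_pid": e["pid"],
            "deleted": target,
            "deletes_parent_image": parent is not None
            and parent["image"].lower() == target.lower(),
        })
    return hits


def suspicious_run_values(reg_events: List[Dict]) -> List[Dict]:
    """Flag Run-key values whose target lives in a Temp directory; the key check
    covers both HKLM\\...\\Run and the Wow6432Node key written by 32-bit processes."""
    hits = []
    for ev in reg_events:
        key = ev["key"]
        if RUN_KEY_MARK not in key.lower():
            continue
        target = ev["value"].strip('"')
        if TEMP_DIR_RE.search(target):
            hits.append({"pid": ev["pid"], "name": key.rsplit("\\", 1)[1],
                         "target": target, "wow64": "\\wow6432node\\" in key.lower()})
    return hits


def non_child_writes(events: List[Dict], writes: List[Dict]) -> List[Dict]:
    """Drop WriteProcessMemory events whose target is a direct child of the writer
    (consistent with process creation, as in the report's twelve hits) and keep
    the rest, which are the injection candidates worth triaging."""
    ppid_of = {e["pid"]: e["ppid"] for e in events}
    return [w for w in writes if ppid_of.get(w["target"]) != w["source"]]


# The report's twelve writes (four per child) plus one constructed non-child write.
SAMPLE_WRITES: List[Dict] = (
    [{"source": 1628, "target": 332}] * 4
    + [{"source": 1628, "target": 1136}] * 4
    + [{"source": 1136, "target": 2000}] * 4
    + [{"source": 1628, "target": 1000}]  # constructed: write into a non-child
)

if __name__ == "__main__":
    print(find_self_deletion(SAMPLE_EVENTS))
    print(suspicious_run_values(SAMPLE_REG_EVENTS))
    print(non_child_writes(SAMPLE_EVENTS, SAMPLE_WRITES))
```

Against the constructed events, the only self-delete hit is cmd.exe 1136 deleting its parent's image, the only flagged Run value is MicroMedia under Wow6432Node, and all twelve report writes drop out of the WriteProcessMemory list while the constructed non-child write remains.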
Network
MITRE ATT&CK Enterprise v6
Downloads

File (listed three times, identical hashes)
MD5: c4818d3e5b81cc52668fa5668e5ed144
SHA1: ef322aea506ffb2f8607ba29f23d68c6e15d7fc0
SHA256: b2a44383b70b7b7faf9e71d1d684e18444b89415a2148015499cd0967750ea3f
SHA512: fff3445fee8e520610735fa2e090bf7533ad6fb3ffa472968741568c9940c486120ce53e74f19048d308ac0db47d78e821d4ad98de1689ca9d1976dde343934f