Analysis
- max time kernel: 133s
- max time network: 146s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 12:00
Static task: static1
Behavioral task: behavioral1
  Sample: 02c17916cd9dff090f849ce2bec2627b92217b036502ccdbfeeee53a617b7c71.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 02c17916cd9dff090f849ce2bec2627b92217b036502ccdbfeeee53a617b7c71.exe
  Resource: win10v2004-en-20220112
General
- Target: 02c17916cd9dff090f849ce2bec2627b92217b036502ccdbfeeee53a617b7c71.exe
- Size: 150KB
- MD5: 5909d8f8e802991eeb3e0df2537166e2
- SHA1: 2cfe6f994e5f4267c0eed3085184f5dc8e3d923e
- SHA256: 02c17916cd9dff090f849ce2bec2627b92217b036502ccdbfeeee53a617b7c71
- SHA512: b6e425da4d819609d03eea5aec75831e6d8dfb734b7c218c5ef8d11f0084ece0ba7b0dc81eae7067c2ddbeb3710886cec3b1e5282018ce2ecafd341985563a1c
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  Processes (resource, yara_rule):
    \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  family_sakula
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  family_sakula
- Executes dropped EXE (1 IoC)
  Processes (pid, process):
    1664  MediaCenter.exe
- Deletes itself (1 IoC)
  Processes (pid, process):
    1224  cmd.exe
- Loads dropped DLL (1 IoC)
  Processes (pid, process):
    1096  02c17916cd9dff090f849ce2bec2627b92217b036502ccdbfeeee53a617b7c71.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description, ioc, process):
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  02c17916cd9dff090f849ce2bec2627b92217b036502ccdbfeeee53a617b7c71.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description, pid, process):
    Token: SeIncBasePriorityPrivilege  1096  02c17916cd9dff090f849ce2bec2627b92217b036502ccdbfeeee53a617b7c71.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description, pid, process, target process):
    PID 1096 wrote to memory of 1664  1096  02c17916cd9dff090f849ce2bec2627b92217b036502ccdbfeeee53a617b7c71.exe  MediaCenter.exe
    PID 1096 wrote to memory of 1664  1096  02c17916cd9dff090f849ce2bec2627b92217b036502ccdbfeeee53a617b7c71.exe  MediaCenter.exe
    PID 1096 wrote to memory of 1664  1096  02c17916cd9dff090f849ce2bec2627b92217b036502ccdbfeeee53a617b7c71.exe  MediaCenter.exe
    PID 1096 wrote to memory of 1664  1096  02c17916cd9dff090f849ce2bec2627b92217b036502ccdbfeeee53a617b7c71.exe  MediaCenter.exe
    PID 1096 wrote to memory of 1224  1096  02c17916cd9dff090f849ce2bec2627b92217b036502ccdbfeeee53a617b7c71.exe  cmd.exe
    PID 1096 wrote to memory of 1224  1096  02c17916cd9dff090f849ce2bec2627b92217b036502ccdbfeeee53a617b7c71.exe  cmd.exe
    PID 1096 wrote to memory of 1224  1096  02c17916cd9dff090f849ce2bec2627b92217b036502ccdbfeeee53a617b7c71.exe  cmd.exe
    PID 1096 wrote to memory of 1224  1096  02c17916cd9dff090f849ce2bec2627b92217b036502ccdbfeeee53a617b7c71.exe  cmd.exe
    PID 1224 wrote to memory of 632  1224  cmd.exe  PING.EXE
    PID 1224 wrote to memory of 632  1224  cmd.exe  PING.EXE
    PID 1224 wrote to memory of 632  1224  cmd.exe  PING.EXE
    PID 1224 wrote to memory of 632  1224  cmd.exe  PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\02c17916cd9dff090f849ce2bec2627b92217b036502ccdbfeeee53a617b7c71.exe (level 1, PID 1096)
  Command line: "C:\Users\Admin\AppData\Local\Temp\02c17916cd9dff090f849ce2bec2627b92217b036502ccdbfeeee53a617b7c71.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (level 2, PID 1664)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (level 2, PID 1224)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\02c17916cd9dff090f849ce2bec2627b92217b036502ccdbfeeee53a617b7c71.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (level 3, PID 632)
      Command line: ping 127.0.0.1
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 1746e00212a518b4bfd63f4c0345ab96
  SHA1: aa5e1a9e790d738bed3d31e5e7387190a0dac13c
  SHA256: 7ec1b07339da4efa49d7c37ee84d3411a242995dc70cbfa54b1b09e08c6e258f
  SHA512: 7cd83ab6c6f60f0b6841ef820933f2a8a432cbedad7ddf477901dc990c626b1f107d5fba52fc7a9b968b300cb7a3afbf4ed3b09a5d449fa408dbc783a5ace7da
- \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 1746e00212a518b4bfd63f4c0345ab96
  SHA1: aa5e1a9e790d738bed3d31e5e7387190a0dac13c
  SHA256: 7ec1b07339da4efa49d7c37ee84d3411a242995dc70cbfa54b1b09e08c6e258f
  SHA512: 7cd83ab6c6f60f0b6841ef820933f2a8a432cbedad7ddf477901dc990c626b1f107d5fba52fc7a9b968b300cb7a3afbf4ed3b09a5d449fa408dbc783a5ace7da
- memory/1096-54-0x0000000076491000-0x0000000076493000-memory.dmp
  Filesize: 8KB