Analysis
- max time kernel: 124s
- max time network: 125s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 21-01-2022 23:59
Static task: static1
Behavioral task: behavioral1
  Sample: 565b480e76c25f91d6762d5dcbfd4a9a2e8b6775ee50c9e2aa0682bdc1950594.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 565b480e76c25f91d6762d5dcbfd4a9a2e8b6775ee50c9e2aa0682bdc1950594.exe
  Resource: win10-en-20211208
General
- Target: 565b480e76c25f91d6762d5dcbfd4a9a2e8b6775ee50c9e2aa0682bdc1950594.exe
- Size: 89KB
- MD5: f5b9862f2d508c57b81fbaaad91030f4
- SHA1: 400b5d4cd225e35b9199b0da33cb7e5b4c729e5c
- SHA256: 565b480e76c25f91d6762d5dcbfd4a9a2e8b6775ee50c9e2aa0682bdc1950594
- SHA512: f13bcf6118616c00501b2ccdd8c238241feb925b3a7ab46a5470e77f67f7080c0fbc813236dc97ef5b1f2da389d61502b7e0ee09b7a1fb0acf278a17f758d491
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  Processes:
    resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  yara_rule: family_sakula
    resource: \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  yara_rule: family_sakula
- Executes dropped EXE (1 IoCs)
  Processes: MediaCenter.exe
    pid: 628  process: MediaCenter.exe
- Deletes itself (1 IoCs)
  Processes: cmd.exe
    pid: 1032  process: cmd.exe
- Loads dropped DLL (1 IoCs)
  Processes: 565b480e76c25f91d6762d5dcbfd4a9a2e8b6775ee50c9e2aa0682bdc1950594.exe
    pid: 1624  process: 565b480e76c25f91d6762d5dcbfd4a9a2e8b6775ee50c9e2aa0682bdc1950594.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes: 565b480e76c25f91d6762d5dcbfd4a9a2e8b6775ee50c9e2aa0682bdc1950594.exe
    description: Set value (str)
    ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
    process: 565b480e76c25f91d6762d5dcbfd4a9a2e8b6775ee50c9e2aa0682bdc1950594.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: 565b480e76c25f91d6762d5dcbfd4a9a2e8b6775ee50c9e2aa0682bdc1950594.exe
    description: Token: SeIncBasePriorityPrivilege  pid: 1624  process: 565b480e76c25f91d6762d5dcbfd4a9a2e8b6775ee50c9e2aa0682bdc1950594.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes: 565b480e76c25f91d6762d5dcbfd4a9a2e8b6775ee50c9e2aa0682bdc1950594.exe, cmd.exe
    description                        pid   process                                                                    target process
    PID 1624 wrote to memory of 628    1624  565b480e76c25f91d6762d5dcbfd4a9a2e8b6775ee50c9e2aa0682bdc1950594.exe  MediaCenter.exe
    PID 1624 wrote to memory of 628    1624  565b480e76c25f91d6762d5dcbfd4a9a2e8b6775ee50c9e2aa0682bdc1950594.exe  MediaCenter.exe
    PID 1624 wrote to memory of 628    1624  565b480e76c25f91d6762d5dcbfd4a9a2e8b6775ee50c9e2aa0682bdc1950594.exe  MediaCenter.exe
    PID 1624 wrote to memory of 628    1624  565b480e76c25f91d6762d5dcbfd4a9a2e8b6775ee50c9e2aa0682bdc1950594.exe  MediaCenter.exe
    PID 1624 wrote to memory of 1032   1624  565b480e76c25f91d6762d5dcbfd4a9a2e8b6775ee50c9e2aa0682bdc1950594.exe  cmd.exe
    PID 1624 wrote to memory of 1032   1624  565b480e76c25f91d6762d5dcbfd4a9a2e8b6775ee50c9e2aa0682bdc1950594.exe  cmd.exe
    PID 1624 wrote to memory of 1032   1624  565b480e76c25f91d6762d5dcbfd4a9a2e8b6775ee50c9e2aa0682bdc1950594.exe  cmd.exe
    PID 1624 wrote to memory of 1032   1624  565b480e76c25f91d6762d5dcbfd4a9a2e8b6775ee50c9e2aa0682bdc1950594.exe  cmd.exe
    PID 1032 wrote to memory of 1052   1032  cmd.exe                                                                    PING.EXE
    PID 1032 wrote to memory of 1052   1032  cmd.exe                                                                    PING.EXE
    PID 1032 wrote to memory of 1052   1032  cmd.exe                                                                    PING.EXE
    PID 1032 wrote to memory of 1052   1032  cmd.exe                                                                    PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\565b480e76c25f91d6762d5dcbfd4a9a2e8b6775ee50c9e2aa0682bdc1950594.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\565b480e76c25f91d6762d5dcbfd4a9a2e8b6775ee50c9e2aa0682bdc1950594.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1624
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 628
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\565b480e76c25f91d6762d5dcbfd4a9a2e8b6775ee50c9e2aa0682bdc1950594.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1032
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1052
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: b54fbd35a006854cd8f94f63172baff7
  SHA1: 3740cd8853104bfa27e51f16e9fda108a4ce07f5
  SHA256: b7d0a4d7bf15952f4fecbf108098b62b0897d22052bcf5371c0cf7428b5537ba
  SHA512: f830d3ccc75be44308db57b6c3bc6cfbc6b244ab5bcc4060c0bf229ecb4cc8088117fc0c27cc5e831dcc5677a87a7214db61363a0e26959046a254f33ba4201c