Analysis
- max time kernel: 122s
- max time network: 122s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 22-01-2022 00:01
Static task: static1
Behavioral task: behavioral1
- Sample: 5237b0fdd9522d8e5ea6de336d4cc24daeb5823454f9b5d42d16a4656ef8f114.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 5237b0fdd9522d8e5ea6de336d4cc24daeb5823454f9b5d42d16a4656ef8f114.exe
- Resource: win10-en-20211208
General
- Target: 5237b0fdd9522d8e5ea6de336d4cc24daeb5823454f9b5d42d16a4656ef8f114.exe
- Size: 89KB
- MD5: f2d59757a9795531796df91097d5fa2b
- SHA1: 42c647d83abe1e5438b8176b9e90db08282a8bbb
- SHA256: 5237b0fdd9522d8e5ea6de336d4cc24daeb5823454f9b5d42d16a4656ef8f114
- SHA512: 5d8b65b4654bfbcf4b507c376a762d2182a5394e0e4f7474bdc490eff74710f260486e469a9952ebce9300f28c879531411c28f6fcb96cf9d5e08646beae9a67
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  Processes (resource / yara_rule):
    \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe / family_sakula
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe / family_sakula
- Executes dropped EXE (1 IoC)
  Processes (pid / process):
    964 / MediaCenter.exe
- Deletes itself (1 IoC)
  Processes (pid / process):
    480 / cmd.exe
- Loads dropped DLL (1 IoC)
  Processes (pid / process):
    1536 / 5237b0fdd9522d8e5ea6de336d4cc24daeb5823454f9b5d42d16a4656ef8f114.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description / ioc / process):
    Set value (str) / \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" / 5237b0fdd9522d8e5ea6de336d4cc24daeb5823454f9b5d42d16a4656ef8f114.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description / pid / process):
    Token: SeIncBasePriorityPrivilege / 1536 / 5237b0fdd9522d8e5ea6de336d4cc24daeb5823454f9b5d42d16a4656ef8f114.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description / pid / process / target process):
    PID 1536 wrote to memory of 964 / 1536 / 5237b0fdd9522d8e5ea6de336d4cc24daeb5823454f9b5d42d16a4656ef8f114.exe / MediaCenter.exe
    PID 1536 wrote to memory of 964 / 1536 / 5237b0fdd9522d8e5ea6de336d4cc24daeb5823454f9b5d42d16a4656ef8f114.exe / MediaCenter.exe
    PID 1536 wrote to memory of 964 / 1536 / 5237b0fdd9522d8e5ea6de336d4cc24daeb5823454f9b5d42d16a4656ef8f114.exe / MediaCenter.exe
    PID 1536 wrote to memory of 964 / 1536 / 5237b0fdd9522d8e5ea6de336d4cc24daeb5823454f9b5d42d16a4656ef8f114.exe / MediaCenter.exe
    PID 1536 wrote to memory of 480 / 1536 / 5237b0fdd9522d8e5ea6de336d4cc24daeb5823454f9b5d42d16a4656ef8f114.exe / cmd.exe
    PID 1536 wrote to memory of 480 / 1536 / 5237b0fdd9522d8e5ea6de336d4cc24daeb5823454f9b5d42d16a4656ef8f114.exe / cmd.exe
    PID 1536 wrote to memory of 480 / 1536 / 5237b0fdd9522d8e5ea6de336d4cc24daeb5823454f9b5d42d16a4656ef8f114.exe / cmd.exe
    PID 1536 wrote to memory of 480 / 1536 / 5237b0fdd9522d8e5ea6de336d4cc24daeb5823454f9b5d42d16a4656ef8f114.exe / cmd.exe
    PID 480 wrote to memory of 1324 / 480 / cmd.exe / PING.EXE
    PID 480 wrote to memory of 1324 / 480 / cmd.exe / PING.EXE
    PID 480 wrote to memory of 1324 / 480 / cmd.exe / PING.EXE
    PID 480 wrote to memory of 1324 / 480 / cmd.exe / PING.EXE
Processes
1. C:\Users\Admin\AppData\Local\Temp\5237b0fdd9522d8e5ea6de336d4cc24daeb5823454f9b5d42d16a4656ef8f114.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\5237b0fdd9522d8e5ea6de336d4cc24daeb5823454f9b5d42d16a4656ef8f114.exe"
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   PID: 1536
   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE
      PID: 964
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\5237b0fdd9522d8e5ea6de336d4cc24daeb5823454f9b5d42d16a4656ef8f114.exe"
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      PID: 480
      3. C:\Windows\SysWOW64\PING.EXE
         Command line: ping 127.0.0.1
         - Runs ping.exe
         PID: 1324
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 54e43f4f663d9bab9e62f8104ea3b420
- SHA1: 6d91a66cc923c72dda7a4fc32c2ab568ed1deadf
- SHA256: 4088ed91efc3d86a7140906f80e6b9e5ec755ec7224f2b0bb52490a382627af6
- SHA512: 688c9edbd88dbe60da18f62e1e20ac234d894d1be7817bb2edb441632a61c308647f5d232af28e8593d4c6e05d993f9fad8ac2e73e6e8d07e6328f4afba75c9c