Analysis

max time kernel: 136s
max time network: 136s
platform: windows7_x64
resource: win7-en-20211208
submitted: 22-01-2022 01:28

Static task: static1

Behavioral task: behavioral1
Sample: e0d72e192f2548724d1f700184d2a6704422596b343d1e142655f99cb09ab7f9.exe
Resource: win7-en-20211208

Behavioral task: behavioral2
Sample: e0d72e192f2548724d1f700184d2a6704422596b343d1e142655f99cb09ab7f9.exe
Resource: win10-en-20211208
General

Target: e0d72e192f2548724d1f700184d2a6704422596b343d1e142655f99cb09ab7f9.exe
Size: 89KB
MD5: 96fab28f1539f3909a255436bc269062
SHA1: 318b7e2141b31faaa946610723b5fbed76f75114
SHA256: e0d72e192f2548724d1f700184d2a6704422596b343d1e142655f99cb09ab7f9
SHA512: f30a3be419a8f7250dac5a19f12b4a76375c7375661a10ce64f652a7324bbf12ba1622b9b5d17542b43c130a4c76123bf2f5b758f0e117f917ad2697745c61af
Malware Config
Signatures

Sakula Payload (2 IoCs)
Processes:
  resource                                                      yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe    family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  family_sakula

Executes dropped EXE (1 IoC)
Processes:
  pid   process
  308   MediaCenter.exe

Deletes itself (1 IoC)
Processes:
  pid   process
  452   cmd.exe

Loads dropped DLL (1 IoC)
Processes:
  pid   process
  976   e0d72e192f2548724d1f700184d2a6704422596b343d1e142655f99cb09ab7f9.exe

Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  description      ioc                                                                                                                                                                    process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  e0d72e192f2548724d1f700184d2a6704422596b343d1e142655f99cb09ab7f9.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTP, 1 IoC)

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  description                         pid   process
  Token: SeIncBasePriorityPrivilege   976   e0d72e192f2548724d1f700184d2a6704422596b343d1e142655f99cb09ab7f9.exe

Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
  description                        pid   process                                                                   target process
  PID 976 wrote to memory of 308     976   e0d72e192f2548724d1f700184d2a6704422596b343d1e142655f99cb09ab7f9.exe     MediaCenter.exe
  PID 976 wrote to memory of 308     976   e0d72e192f2548724d1f700184d2a6704422596b343d1e142655f99cb09ab7f9.exe     MediaCenter.exe
  PID 976 wrote to memory of 308     976   e0d72e192f2548724d1f700184d2a6704422596b343d1e142655f99cb09ab7f9.exe     MediaCenter.exe
  PID 976 wrote to memory of 308     976   e0d72e192f2548724d1f700184d2a6704422596b343d1e142655f99cb09ab7f9.exe     MediaCenter.exe
  PID 976 wrote to memory of 452     976   e0d72e192f2548724d1f700184d2a6704422596b343d1e142655f99cb09ab7f9.exe     cmd.exe
  PID 976 wrote to memory of 452     976   e0d72e192f2548724d1f700184d2a6704422596b343d1e142655f99cb09ab7f9.exe     cmd.exe
  PID 976 wrote to memory of 452     976   e0d72e192f2548724d1f700184d2a6704422596b343d1e142655f99cb09ab7f9.exe     cmd.exe
  PID 976 wrote to memory of 452     976   e0d72e192f2548724d1f700184d2a6704422596b343d1e142655f99cb09ab7f9.exe     cmd.exe
  PID 452 wrote to memory of 1084    452   cmd.exe                                                                   PING.EXE
  PID 452 wrote to memory of 1084    452   cmd.exe                                                                   PING.EXE
  PID 452 wrote to memory of 1084    452   cmd.exe                                                                   PING.EXE
  PID 452 wrote to memory of 1084    452   cmd.exe                                                                   PING.EXE
Processes

[1] C:\Users\Admin\AppData\Local\Temp\e0d72e192f2548724d1f700184d2a6704422596b343d1e142655f99cb09ab7f9.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\e0d72e192f2548724d1f700184d2a6704422596b343d1e142655f99cb09ab7f9.exe"
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 976

    [2] C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
        command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
        - Executes dropped EXE
        PID: 308

    [2] C:\Windows\SysWOW64\cmd.exe
        command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\e0d72e192f2548724d1f700184d2a6704422596b343d1e142655f99cb09ab7f9.exe"
        - Deletes itself
        - Suspicious use of WriteProcessMemory
        PID: 452

        [3] C:\Windows\SysWOW64\PING.EXE
            command line: ping 127.0.0.1
            - Runs ping.exe
            PID: 1084
Network
MITRE ATT&CK Enterprise v6
Downloads

MD5: 11895095f17d9832d0aa8702f1f3f4bc
SHA1: 6ecb756735dc034482f556b9ae177e8956598380
SHA256: f9680b3fe5c785774cb3351c9eef58ef4f0a0a863fe6839f76e22313418970a5
SHA512: cd448ad0c24e010ecbd1306836c538e3b10d5377a82643d7b9cb40cf83e81b5dd7519bf6452cf4114f1220d1ef62ce12d5e2d730b9302f4154bd074a24c5f4a2