Analysis
max time kernel: 133s
max time network: 132s
platform: windows7_x64
resource: win7-en-20211208
submitted: 22-01-2022 01:28
Static task: static1
Behavioral task: behavioral1
  Sample: b48dff9eb8b13b208541e454f04ad30dd0fbef9b9982e7194e80dadbc682c8fe.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: b48dff9eb8b13b208541e454f04ad30dd0fbef9b9982e7194e80dadbc682c8fe.exe
  Resource: win10-en-20211208
General
Target: b48dff9eb8b13b208541e454f04ad30dd0fbef9b9982e7194e80dadbc682c8fe.exe
Size: 89KB
MD5: 97479fa13d9b96da33cdb49749fc2baf
SHA1: 8a89a1cc1d9f7a1891e9523b80c21ac530554e66
SHA256: b48dff9eb8b13b208541e454f04ad30dd0fbef9b9982e7194e80dadbc682c8fe
SHA512: d6dd18a629e5f974132c80e83d3e033fb7fdbca026d101fa3dca9fb8270acc2efcbd9a360ee393fca42ea3e28d365165d523cb02b2d01a3ad05fec06667a8567
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  resource: \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  yara_rule: family_sakula
  resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  yara_rule: family_sakula
- Executes dropped EXE (1 IoC)
  pid: 1036  process: MediaCenter.exe
- Deletes itself (1 IoC)
  pid: 432  process: cmd.exe
- Loads dropped DLL (1 IoC)
  pid: 960  process: b48dff9eb8b13b208541e454f04ad30dd0fbef9b9982e7194e80dadbc682c8fe.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  process: b48dff9eb8b13b208541e454f04ad30dd0fbef9b9982e7194e80dadbc682c8fe.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description: Token: SeIncBasePriorityPrivilege  pid: 960  process: b48dff9eb8b13b208541e454f04ad30dd0fbef9b9982e7194e80dadbc682c8fe.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  description | pid | process | target process
  PID 960 wrote to memory of 1036 | 960 | b48dff9eb8b13b208541e454f04ad30dd0fbef9b9982e7194e80dadbc682c8fe.exe | MediaCenter.exe
  PID 960 wrote to memory of 1036 | 960 | b48dff9eb8b13b208541e454f04ad30dd0fbef9b9982e7194e80dadbc682c8fe.exe | MediaCenter.exe
  PID 960 wrote to memory of 1036 | 960 | b48dff9eb8b13b208541e454f04ad30dd0fbef9b9982e7194e80dadbc682c8fe.exe | MediaCenter.exe
  PID 960 wrote to memory of 1036 | 960 | b48dff9eb8b13b208541e454f04ad30dd0fbef9b9982e7194e80dadbc682c8fe.exe | MediaCenter.exe
  PID 960 wrote to memory of 432 | 960 | b48dff9eb8b13b208541e454f04ad30dd0fbef9b9982e7194e80dadbc682c8fe.exe | cmd.exe
  PID 960 wrote to memory of 432 | 960 | b48dff9eb8b13b208541e454f04ad30dd0fbef9b9982e7194e80dadbc682c8fe.exe | cmd.exe
  PID 960 wrote to memory of 432 | 960 | b48dff9eb8b13b208541e454f04ad30dd0fbef9b9982e7194e80dadbc682c8fe.exe | cmd.exe
  PID 960 wrote to memory of 432 | 960 | b48dff9eb8b13b208541e454f04ad30dd0fbef9b9982e7194e80dadbc682c8fe.exe | cmd.exe
  PID 432 wrote to memory of 2024 | 432 | cmd.exe | PING.EXE
  PID 432 wrote to memory of 2024 | 432 | cmd.exe | PING.EXE
  PID 432 wrote to memory of 2024 | 432 | cmd.exe | PING.EXE
  PID 432 wrote to memory of 2024 | 432 | cmd.exe | PING.EXE
Processes
[1] C:\Users\Admin\AppData\Local\Temp\b48dff9eb8b13b208541e454f04ad30dd0fbef9b9982e7194e80dadbc682c8fe.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\b48dff9eb8b13b208541e454f04ad30dd0fbef9b9982e7194e80dadbc682c8fe.exe"
    PID: 960
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
        command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
        PID: 1036
        - Executes dropped EXE
    [2] C:\Windows\SysWOW64\cmd.exe
        command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\b48dff9eb8b13b208541e454f04ad30dd0fbef9b9982e7194e80dadbc682c8fe.exe"
        PID: 432
        - Deletes itself
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\PING.EXE
            command line: ping 127.0.0.1
            PID: 2024
            - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 2691097a3e28cfb46d23bcbb17e19f3b
  SHA1: a41aa9ed9ca02a7db43afb9db0266d7b41960c2e
  SHA256: 92027158700d82f6c765d2de0df58c71f148467d58712156949dd68608274c9d
  SHA512: c8471b966a3812db28629cb99db447d2c1225d240c3ff84d508c2bffb55ab9c46a09e26884157bea833a1930a0042ce5c02a83356816bbd4ea7acd87098f3e1a