Analysis
- max time kernel: 138s
- max time network: 138s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 22-01-2022 01:35
Static task: static1
Behavioral task: behavioral1
  Sample: ebe46601e7afaa00a58df26f01d668a07145b0c5a3c642f728db125c8be632fd.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: ebe46601e7afaa00a58df26f01d668a07145b0c5a3c642f728db125c8be632fd.exe
  Resource: win10-en-20211208
General
- Target: ebe46601e7afaa00a58df26f01d668a07145b0c5a3c642f728db125c8be632fd.exe
- Size: 89KB
- MD5: 91569c57fc342161c479603f3b527c1d
- SHA1: 14c7a1661620f46c2943fa1ad522631638569b37
- SHA256: ebe46601e7afaa00a58df26f01d668a07145b0c5a3c642f728db125c8be632fd
- SHA512: f34fa95e96e774ec90222b042549b2e72f0a792a6c6cad550ba48ac0ba1740b8a5f8f15bab9e9759ba4c5648b3aa759b35d6f1b726893d5130f17f7502eff1d5
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  Processes (resource, yara_rule):
    \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe    family_sakula
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  family_sakula
- Executes dropped EXE (1 IoC)
  Processes (pid, process):
    1760  MediaCenter.exe
- Deletes itself (1 IoC)
  Processes (pid, process):
    440  cmd.exe
- Loads dropped DLL (1 IoC)
  Processes (pid, process):
    1088  ebe46601e7afaa00a58df26f01d668a07145b0c5a3c642f728db125c8be632fd.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description, ioc, process):
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  ebe46601e7afaa00a58df26f01d668a07145b0c5a3c642f728db125c8be632fd.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description, pid, process):
    Token: SeIncBasePriorityPrivilege  1088  ebe46601e7afaa00a58df26f01d668a07145b0c5a3c642f728db125c8be632fd.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description, pid, process, target process):
    PID 1088 wrote to memory of 1760  1088  ebe46601e7afaa00a58df26f01d668a07145b0c5a3c642f728db125c8be632fd.exe  MediaCenter.exe  (4 events)
    PID 1088 wrote to memory of 440   1088  ebe46601e7afaa00a58df26f01d668a07145b0c5a3c642f728db125c8be632fd.exe  cmd.exe  (4 events)
    PID 440 wrote to memory of 1144   440   cmd.exe  PING.EXE  (4 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\ebe46601e7afaa00a58df26f01d668a07145b0c5a3c642f728db125c8be632fd.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ebe46601e7afaa00a58df26f01d668a07145b0c5a3c642f728db125c8be632fd.exe"
  PID: 1088
  Signatures:
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  Child process: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 1760
    Signatures:
      - Executes dropped EXE
  Child process: C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\ebe46601e7afaa00a58df26f01d668a07145b0c5a3c642f728db125c8be632fd.exe"
    PID: 440
    Signatures:
      - Deletes itself
      - Suspicious use of WriteProcessMemory
    Child process: C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 1144
      Signatures:
        - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: d857f2860b059614ac39f3eb18a3fbf0
- SHA1: 98e8f96e25f14d89a9c31897a1380921f16c15a6
- SHA256: d1bc3c4144f29caf20588c8842f7af157dea566d1c5332cf257d62e7a9b68f27
- SHA512: fac02250089219f849c748621783f667994115e454bdf89228f21f7428a0728a04933f1c7f25f11e23845547b5f7cb3b44600f0c4093844aba62d8f5a2b5f8be