Analysis
- max time kernel: 140s
- max time network: 160s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 30-01-2022 21:49
Static task: static1
Behavioral task: behavioral1
- Sample: 57375c715fe06101d88029f3f54ad8e1059d55e1e886aa151ff38a5cbfa868fc.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 57375c715fe06101d88029f3f54ad8e1059d55e1e886aa151ff38a5cbfa868fc.exe
- Resource: win10-en-20211208
General
- Target: 57375c715fe06101d88029f3f54ad8e1059d55e1e886aa151ff38a5cbfa868fc.exe
- Size: 89KB
- MD5: 21ee6c85f431c2aa085b91ac0c86d27f
- SHA1: c2b9b78952575e8b6d4a66e9f31b611f10adc5e6
- SHA256: 57375c715fe06101d88029f3f54ad8e1059d55e1e886aa151ff38a5cbfa868fc
- SHA512: 4afd9a4f2c7ea67242da5d188afc48bbb05278bc0a3ad313807575a7a88590a777e4fe1d6104c3c197728d31fe31e0a0f31a3b03daf22eaa87a1c3c707f5318e
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  Processes (resource / yara_rule):
    \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe    family_sakula
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  family_sakula
- Executes dropped EXE (1 IoC)
  Processes (pid / process):
    1916  MediaCenter.exe
- Deletes itself (1 IoC)
  Processes (pid / process):
    828  cmd.exe
- Loads dropped DLL (1 IoC)
  Processes (pid / process):
    1480  57375c715fe06101d88029f3f54ad8e1059d55e1e886aa151ff38a5cbfa868fc.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description / ioc / process):
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  57375c715fe06101d88029f3f54ad8e1059d55e1e886aa151ff38a5cbfa868fc.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description / pid / process):
    Token: SeIncBasePriorityPrivilege  1480  57375c715fe06101d88029f3f54ad8e1059d55e1e886aa151ff38a5cbfa868fc.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description / pid / process / target process):
    PID 1480 wrote to memory of 1916  1480  57375c715fe06101d88029f3f54ad8e1059d55e1e886aa151ff38a5cbfa868fc.exe  MediaCenter.exe
    PID 1480 wrote to memory of 1916  1480  57375c715fe06101d88029f3f54ad8e1059d55e1e886aa151ff38a5cbfa868fc.exe  MediaCenter.exe
    PID 1480 wrote to memory of 1916  1480  57375c715fe06101d88029f3f54ad8e1059d55e1e886aa151ff38a5cbfa868fc.exe  MediaCenter.exe
    PID 1480 wrote to memory of 1916  1480  57375c715fe06101d88029f3f54ad8e1059d55e1e886aa151ff38a5cbfa868fc.exe  MediaCenter.exe
    PID 1480 wrote to memory of 828   1480  57375c715fe06101d88029f3f54ad8e1059d55e1e886aa151ff38a5cbfa868fc.exe  cmd.exe
    PID 1480 wrote to memory of 828   1480  57375c715fe06101d88029f3f54ad8e1059d55e1e886aa151ff38a5cbfa868fc.exe  cmd.exe
    PID 1480 wrote to memory of 828   1480  57375c715fe06101d88029f3f54ad8e1059d55e1e886aa151ff38a5cbfa868fc.exe  cmd.exe
    PID 1480 wrote to memory of 828   1480  57375c715fe06101d88029f3f54ad8e1059d55e1e886aa151ff38a5cbfa868fc.exe  cmd.exe
    PID 828 wrote to memory of 1044   828   cmd.exe  PING.EXE
    PID 828 wrote to memory of 1044   828   cmd.exe  PING.EXE
    PID 828 wrote to memory of 1044   828   cmd.exe  PING.EXE
    PID 828 wrote to memory of 1044   828   cmd.exe  PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\57375c715fe06101d88029f3f54ad8e1059d55e1e886aa151ff38a5cbfa868fc.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\57375c715fe06101d88029f3f54ad8e1059d55e1e886aa151ff38a5cbfa868fc.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1480
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1916
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\57375c715fe06101d88029f3f54ad8e1059d55e1e886aa151ff38a5cbfa868fc.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 828
    - C:\Windows\SysWOW64\PING.EXE (depth 3)
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1044
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 0a528ea9901374f86b8cc86a654f1bf7
  SHA1: 791e8ce2f07d7f80d2cb9dafd7270eacaf6fc90b
  SHA256: fa335340b978b0a1e93b33c3a1174a512b53ac1b1467e9cb11ec0f65c1c50beb
  SHA512: 43a92f3c3e1bbc9dff37cc63077ada9ab307f65eded7ef6a7f4524967ce2066f76c1cb30abc0b1f495fdfc0b7fe275cae96552fe09619b73b2642f536eb2b122