Analysis
- max time kernel: 145s
- max time network: 147s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 30-01-2022 22:47
Static task: static1
Behavioral task: behavioral1
- Sample: 7196802e1634b56f2dda7f5c63bd4698f9084e832630ec4c2cefa8884fe023a8.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 7196802e1634b56f2dda7f5c63bd4698f9084e832630ec4c2cefa8884fe023a8.exe
- Resource: win10-en-20211208
General
- Target: 7196802e1634b56f2dda7f5c63bd4698f9084e832630ec4c2cefa8884fe023a8.exe
- Size: 79KB
- MD5: bb57362757182b928d66d4963104ffe8
- SHA1: 1973a05e8f4cdc69fcfd4cbadf80587ea701d0e4
- SHA256: 7196802e1634b56f2dda7f5c63bd4698f9084e832630ec4c2cefa8884fe023a8
- SHA512: d5b58deaaa121789ad0452aa7da2f6810ed7035e9b51cfbc11bfae13d6f1eca2255b99ba0a902c4129455cb446e0d438d0abd56ca4e24f891ae492d0570e2a5f
Malware Config
Signatures
- Sakula Payload (3 IoCs)
  resource | yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- Executes dropped EXE (1 IoC)
  pid | process
  1212 | MediaCenter.exe
- Deletes itself (1 IoC)
  pid | process
  1780 | cmd.exe
- Loads dropped DLL (2 IoCs)
  pid | process
  1636 | 7196802e1634b56f2dda7f5c63bd4698f9084e832630ec4c2cefa8884fe023a8.exe
  1636 | 7196802e1634b56f2dda7f5c63bd4698f9084e832630ec4c2cefa8884fe023a8.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 7196802e1634b56f2dda7f5c63bd4698f9084e832630ec4c2cefa8884fe023a8.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 1636 | 7196802e1634b56f2dda7f5c63bd4698f9084e832630ec4c2cefa8884fe023a8.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  description | pid | process | target process
  PID 1636 wrote to memory of 1212 | 1636 | 7196802e1634b56f2dda7f5c63bd4698f9084e832630ec4c2cefa8884fe023a8.exe | MediaCenter.exe (4 events)
  PID 1636 wrote to memory of 1780 | 1636 | 7196802e1634b56f2dda7f5c63bd4698f9084e832630ec4c2cefa8884fe023a8.exe | cmd.exe (4 events)
  PID 1780 wrote to memory of 1280 | 1780 | cmd.exe | PING.EXE (4 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\7196802e1634b56f2dda7f5c63bd4698f9084e832630ec4c2cefa8884fe023a8.exe (PID 1636, level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\7196802e1634b56f2dda7f5c63bd4698f9084e832630ec4c2cefa8884fe023a8.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 1212, level 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 1780, level 2)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\7196802e1634b56f2dda7f5c63bd4698f9084e832630ec4c2cefa8884fe023a8.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 1280, level 3)
      Command line: ping 127.0.0.1
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: d386829900ae7526dc4bc592cebb3f56
  SHA1: 93cbe0cbeefa0e6eaf63e271f6e74d9775714af6
  SHA256: da511c5595ae752e59616c8060565f5d9bb8f91e4dbb954014abb77287de6cdb
  SHA512: 37c1a023d7fa447082b8bee95b1eae346cf2a5a34720efbca0500e792265aaef992e1610716c31c2de5a0769ffbce0bf14cafad0c92a7ae856cc75be221e605d