Analysis
Max time kernel: 123s
Max time network: 146s
Platform: windows7_x64
Resource: win7-en-20211208
Submitted: 30-01-2022 22:48
Static task: static1
Behavioral task: behavioral1
  Sample: aae00d6fbdae1f415927ca95f3451032b3cab7384a5aab5b087ebd8601942d80.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: aae00d6fbdae1f415927ca95f3451032b3cab7384a5aab5b087ebd8601942d80.exe
  Resource: win10-en-20211208
General
Target: aae00d6fbdae1f415927ca95f3451032b3cab7384a5aab5b087ebd8601942d80.exe
Size: 79KB
MD5: b7e3f853e98ea9db74bf3429803f7a4b
SHA1: 9076608ecf15dbd0fdff609c51842e38479dc55e
SHA256: aae00d6fbdae1f415927ca95f3451032b3cab7384a5aab5b087ebd8601942d80
SHA512: 9b76ebef8b6eaec4464393f811b5715987b3530b2f119f7bef017a5f9896a6407417185bf54c21813f6e87dc5905cb39ba9adb533de64c08462a16e2c8207fe6
Malware Config
Signatures

Sakula Payload (3 IoCs)
  resource                                                      yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe    family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  family_sakula
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe    family_sakula

Executes dropped EXE (1 IoC)
  pid   process
  960   MediaCenter.exe

Deletes itself (1 IoC)
  pid   process
  1124  cmd.exe

Loads dropped DLL (2 IoCs)
  pid   process
  844   aae00d6fbdae1f415927ca95f3451032b3cab7384a5aab5b087ebd8601942d80.exe
  844   aae00d6fbdae1f415927ca95f3451032b3cab7384a5aab5b087ebd8601942d80.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  process: aae00d6fbdae1f415927ca95f3451032b3cab7384a5aab5b087ebd8601942d80.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTP, 1 IoC)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description                          pid   process
  Token: SeIncBasePriorityPrivilege    844   aae00d6fbdae1f415927ca95f3451032b3cab7384a5aab5b087ebd8601942d80.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  description                       pid   process                                                                  target process
  PID 844 wrote to memory of 960    844   aae00d6fbdae1f415927ca95f3451032b3cab7384a5aab5b087ebd8601942d80.exe    MediaCenter.exe
  PID 844 wrote to memory of 960    844   aae00d6fbdae1f415927ca95f3451032b3cab7384a5aab5b087ebd8601942d80.exe    MediaCenter.exe
  PID 844 wrote to memory of 960    844   aae00d6fbdae1f415927ca95f3451032b3cab7384a5aab5b087ebd8601942d80.exe    MediaCenter.exe
  PID 844 wrote to memory of 960    844   aae00d6fbdae1f415927ca95f3451032b3cab7384a5aab5b087ebd8601942d80.exe    MediaCenter.exe
  PID 844 wrote to memory of 1124   844   aae00d6fbdae1f415927ca95f3451032b3cab7384a5aab5b087ebd8601942d80.exe    cmd.exe
  PID 844 wrote to memory of 1124   844   aae00d6fbdae1f415927ca95f3451032b3cab7384a5aab5b087ebd8601942d80.exe    cmd.exe
  PID 844 wrote to memory of 1124   844   aae00d6fbdae1f415927ca95f3451032b3cab7384a5aab5b087ebd8601942d80.exe    cmd.exe
  PID 844 wrote to memory of 1124   844   aae00d6fbdae1f415927ca95f3451032b3cab7384a5aab5b087ebd8601942d80.exe    cmd.exe
  PID 1124 wrote to memory of 660   1124  cmd.exe                                                                  PING.EXE
  PID 1124 wrote to memory of 660   1124  cmd.exe                                                                  PING.EXE
  PID 1124 wrote to memory of 660   1124  cmd.exe                                                                  PING.EXE
  PID 1124 wrote to memory of 660   1124  cmd.exe                                                                  PING.EXE
Processes

C:\Users\Admin\AppData\Local\Temp\aae00d6fbdae1f415927ca95f3451032b3cab7384a5aab5b087ebd8601942d80.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\aae00d6fbdae1f415927ca95f3451032b3cab7384a5aab5b087ebd8601942d80.exe"
  PID: 844
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      PID: 960
      - Executes dropped EXE

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\aae00d6fbdae1f415927ca95f3451032b3cab7384a5aab5b087ebd8601942d80.exe"
      PID: 1124
      - Deletes itself
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\PING.EXE
          Command line: ping 127.0.0.1
          PID: 660
          - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads (3 entries, all with identical hashes)
MD5: 32dc32e50f5af8d4c588c988876980c2
SHA1: 27487e88e6a47ec66ffab35d629f73f6aa80b178
SHA256: 0cf3fe3d1515e5f54bdf8f1467cf7878e923d9dd87e680df6ad895f2effe0579
SHA512: a940058f7bd77e1cd5dc27d39d86f117170a37c3cd4576dcd1ddff8a58e8c72e9522ce33df490af16a374c360e727ed5876484b8b2220c3546ffca1484630a8e