Analysis
- max time kernel: 125s
- max time network: 139s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 30-01-2022 22:49
Static task: static1
Behavioral task: behavioral1
- Sample: 518707434ba01c53a40928e45f1ce8ddef92b4b6c910fd46bac8528020100b5c.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 518707434ba01c53a40928e45f1ce8ddef92b4b6c910fd46bac8528020100b5c.exe
- Resource: win10-en-20211208
General
- Target: 518707434ba01c53a40928e45f1ce8ddef92b4b6c910fd46bac8528020100b5c.exe
- Size: 79KB
- MD5: b38c4766ec0c5fb9b9e70af0b7414e78
- SHA1: dd28c979bfa39a9aae496930f3604852fabf1505
- SHA256: 518707434ba01c53a40928e45f1ce8ddef92b4b6c910fd46bac8528020100b5c
- SHA512: 57ce3838b16bdcddc07e5bf37a71a7f1a86c7ac3ad83fc1bbebc848a912bbf634afb932fb179a2ddcdca97df1aa0f6ef29b23cfd92a3feac559393613c95e111
Malware Config
Signatures
- Sakula Payload (3 IoCs)
Processes:
resource | yara_rule
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- Executes dropped EXE (1 IoC)
Processes:
pid | process
1916 | MediaCenter.exe
- Deletes itself (1 IoC)
Processes:
pid | process
836 | cmd.exe
- Loads dropped DLL (2 IoCs)
Processes:
pid | process
1796 | 518707434ba01c53a40928e45f1ce8ddef92b4b6c910fd46bac8528020100b5c.exe
1796 | 518707434ba01c53a40928e45f1ce8ddef92b4b6c910fd46bac8528020100b5c.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 518707434ba01c53a40928e45f1ce8ddef92b4b6c910fd46bac8528020100b5c.exe
- Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
description | pid | process
Token: SeIncBasePriorityPrivilege | 1796 | 518707434ba01c53a40928e45f1ce8ddef92b4b6c910fd46bac8528020100b5c.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
description | pid | process | target process
PID 1796 wrote to memory of 1916 | 1796 | 518707434ba01c53a40928e45f1ce8ddef92b4b6c910fd46bac8528020100b5c.exe | MediaCenter.exe
PID 1796 wrote to memory of 1916 | 1796 | 518707434ba01c53a40928e45f1ce8ddef92b4b6c910fd46bac8528020100b5c.exe | MediaCenter.exe
PID 1796 wrote to memory of 1916 | 1796 | 518707434ba01c53a40928e45f1ce8ddef92b4b6c910fd46bac8528020100b5c.exe | MediaCenter.exe
PID 1796 wrote to memory of 1916 | 1796 | 518707434ba01c53a40928e45f1ce8ddef92b4b6c910fd46bac8528020100b5c.exe | MediaCenter.exe
PID 1796 wrote to memory of 836 | 1796 | 518707434ba01c53a40928e45f1ce8ddef92b4b6c910fd46bac8528020100b5c.exe | cmd.exe
PID 1796 wrote to memory of 836 | 1796 | 518707434ba01c53a40928e45f1ce8ddef92b4b6c910fd46bac8528020100b5c.exe | cmd.exe
PID 1796 wrote to memory of 836 | 1796 | 518707434ba01c53a40928e45f1ce8ddef92b4b6c910fd46bac8528020100b5c.exe | cmd.exe
PID 1796 wrote to memory of 836 | 1796 | 518707434ba01c53a40928e45f1ce8ddef92b4b6c910fd46bac8528020100b5c.exe | cmd.exe
PID 836 wrote to memory of 2012 | 836 | cmd.exe | PING.EXE
PID 836 wrote to memory of 2012 | 836 | cmd.exe | PING.EXE
PID 836 wrote to memory of 2012 | 836 | cmd.exe | PING.EXE
PID 836 wrote to memory of 2012 | 836 | cmd.exe | PING.EXE
Processes
Process tree (indented by depth):
1. C:\Users\Admin\AppData\Local\Temp\518707434ba01c53a40928e45f1ce8ddef92b4b6c910fd46bac8528020100b5c.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\518707434ba01c53a40928e45f1ce8ddef92b4b6c910fd46bac8528020100b5c.exe"
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   PID: 1796
   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE
      PID: 1916
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\518707434ba01c53a40928e45f1ce8ddef92b4b6c910fd46bac8528020100b5c.exe"
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      PID: 836
      3. C:\Windows\SysWOW64\PING.EXE
         Command line: ping 127.0.0.1
         - Runs ping.exe
         PID: 2012
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 38b9de06c7a5484e2f7a48b470c64047
- SHA1: 8deedc0293e334fdeb6d46081f46d658174f80cc
- SHA256: 63a52c14c20ede2576d220a8643d902c690cd92550dce4b6a43016c973a1bc21
- SHA512: 79675ef9a9dc3631a1ba25467604690b24a196fef2a01c06e824cee9266b3528e357a08809f8ab86c7a5bceeff8992f95afa4be642923e52f3042bdd1ced1597