Analysis

- max time kernel: 117s
- max time network: 160s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 30-01-2022 22:51

Tasks:
- Static task: static1
- Behavioral task: behavioral1
  Sample: d2a627abb4e73e3e0b479e4da45c10751992f5c438aa10b18a7a94e2481e1828.exe
  Resource: win7-en-20211208
- Behavioral task: behavioral2
  Sample: d2a627abb4e73e3e0b479e4da45c10751992f5c438aa10b18a7a94e2481e1828.exe
  Resource: win10-en-20211208
General

- Target: d2a627abb4e73e3e0b479e4da45c10751992f5c438aa10b18a7a94e2481e1828.exe
- Size: 79KB
- MD5: aca2756917024c859d1f13ca1cdcb843
- SHA1: eb95ecbf4e382aba4fd02862dfcb69a2a839324d
- SHA256: d2a627abb4e73e3e0b479e4da45c10751992f5c438aa10b18a7a94e2481e1828
- SHA512: d2437eb2a47fb2671a16be8e0cd74f6aa77b7548eccd768b9f0b16b19e080eb462d73ddf967d0da0735bf5b2e8a2819185092efc1c789fd18116cb615f081dda
Malware Config
Signatures

- Sakula Payload (3 IoCs)
  YARA rule family_sakula matched the dropped file at:
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
- Executes dropped EXE (1 IoC)
  PID 1636 MediaCenter.exe
- Deletes itself (1 IoC)
  PID 1152 cmd.exe (the del in its command line targets the original sample path; see Processes)
- Loads dropped DLL (2 IoCs)
  PID 956 d2a627abb4e73e3e0b479e4da45c10751992f5c438aa10b18a7a94e2481e1828.exe (two loads)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process d2a627abb4e73e3e0b479e4da45c10751992f5c438aa10b18a7a94e2481e1828.exe set value (str):
  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  The Wow6432Node path is WOW64 registry redirection: the sample runs as a 32-bit process on the x64 guest (its child cmd.exe resolved to SysWOW64), so its write to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run landed under Wow6432Node. A persistence check should read both the native and the Wow6432Node Run keys, and this value is worth flagging on its own because it autostarts an executable from the user's Temp directory.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox labels this "likely ransomware behaviour", but that is the signature's generic description; the family match on this report is Sakula, a remote access trojan, and nothing else in the report shows encryption activity.
- Runs ping.exe (1 TTP, 1 IoC)
  PID 1516 PING.EXE, ping 127.0.0.1, spawned by cmd.exe as a delay before the del in the self-deletion command.
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  PID 956 d2a627abb4e73e3e0b479e4da45c10751992f5c438aa10b18a7a94e2481e1828.exe enabled token privilege SeIncBasePriorityPrivilege
- Suspicious use of WriteProcessMemory (12 IoCs)
  PID 956 (d2a627abb4e73e3e0b479e4da45c10751992f5c438aa10b18a7a94e2481e1828.exe) wrote to PID 1636 (MediaCenter.exe), 4 times
  PID 956 (d2a627abb4e73e3e0b479e4da45c10751992f5c438aa10b18a7a94e2481e1828.exe) wrote to PID 1152 (cmd.exe), 4 times
  PID 1152 (cmd.exe) wrote to PID 1516 (PING.EXE), 4 times
  Every write is from a parent into a child it has just created, and the same pattern shows for cmd.exe writing into PING.EXE, so these entries are consistent with ordinary process creation rather than injection into an unrelated process.
Processes

C:\Users\Admin\AppData\Local\Temp\d2a627abb4e73e3e0b479e4da45c10751992f5c438aa10b18a7a94e2481e1828.exe (PID 956)
  Command line: "C:\Users\Admin\AppData\Local\Temp\d2a627abb4e73e3e0b479e4da45c10751992f5c438aa10b18a7a94e2481e1828.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 1636)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE

  C:\Windows\SysWOW64\cmd.exe (PID 1152)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\d2a627abb4e73e3e0b479e4da45c10751992f5c438aa10b18a7a94e2481e1828.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\PING.EXE (PID 1516)
      Command line: ping 127.0.0.1
      - Runs ping.exe

Two details of the tree matter for analysis. The sample asked for C:\Windows\System32\cmd.exe but the process that ran is C:\Windows\SysWOW64\cmd.exe, which is WOW64 file system redirection and confirms the sample is a 32-bit binary. The cmd.exe command line is the classic self-deletion idiom: ping 127.0.0.1 acts as a short sleep so the parent has exited and released its file handle by the time del /q removes the original executable, leaving only the dropped MediaCenter.exe and its Run key on disk.
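Two behaviours in this report are cheap to detect from endpoint telemetry: the ping-then-del self-deletion chain in the process tree above, and the Run value under Signatures that autostarts an executable from the user's Temp directory. The following Python is an added example written for this page, not code from the sandbox or from the Sakula sample. The event records are constructed to resemble Sysmon process-create (Event ID 1) and registry-value-set (Event ID 13) fields, populated with the PIDs, paths and command lines from this report; the launcher PID 1400, the benign "cmd.exe /c ping 127.0.0.1" and the "VendorUpdater" Run value are invented so the test shows what must not fire. The self-delete rule deliberately requires the del target to equal the parent's own image path, which separates this idiom from ordinary cleanup scripts.

```python
"""Detect two behaviours from the report: ping-then-del self-deletion and a
Run key that points into a user Temp directory.

Added example for this page; not the sandbox's or the sample's code.  The
event records below are constructed (Sysmon-like fields) from the PIDs and
paths in the report, plus benign look-alikes that must NOT fire.
"""
import re

# cmd.exe /c ping 127.0.0.1 & del /q "<path>": ping is used as a sleep so the
# parent can exit before del runs; "-n N" and "&&" variants are accepted.
PING_DEL_RE = re.compile(
    r"ping\s+(?:-n\s+\d+\s+)?127\.0\.0\.1\b.*?&+\s*del\b", re.IGNORECASE)
# Argument to del: optional switches, then a quoted or bare path.
DEL_TARGET_RE = re.compile(
    r'\bdel\b(?:\s+/[a-z])*\s+"?([^"&]+?)"?\s*$', re.IGNORECASE)
# Native and WOW64-redirected Run keys; the report shows the redirected one
# because the 32-bit sample wrote HKLM\SOFTWARE\...\Run on a 64-bit guest.
RUN_KEY_RE = re.compile(
    r"\\(?:Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)
USER_TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\d2a627abb4e73e3e0b479e4da45c10751992f5c438aa10b18a7a94e2481e1828.exe")
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

# Constructed from the report; event_id 1 = process create, 13 = registry set.
# ppid 1400 (the launcher) is invented: the report does not show it.
EVENTS = [
    {"event_id": 1, "pid": 956, "ppid": 1400, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"event_id": 13, "pid": 956, "image": SAMPLE,
     "target": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "details": DROPPED},
    {"event_id": 1, "pid": 1636, "ppid": 956, "image": DROPPED, "cmdline": DROPPED},
    {"event_id": 1, "pid": 1152, "ppid": 956, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"'},
    {"event_id": 1, "pid": 1516, "ppid": 1152, "image": r"C:\Windows\SysWOW64\PING.EXE",
     "cmdline": "ping 127.0.0.1"},
    # Benign look-alikes (constructed): a bare ping, and a Run value outside Temp.
    {"event_id": 1, "pid": 2044, "ppid": 1400, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c ping 127.0.0.1"},
    {"event_id": 13, "pid": 2100, "image": r"C:\Program Files\Vendor\Updater.exe",
     "target": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "details": r"C:\Program Files\Vendor\Updater.exe"},
]


def del_target(cmdline):
    """Path passed to del in a ping-then-del command line, or None if absent."""
    if not PING_DEL_RE.search(cmdline):
        return None
    m = DEL_TARGET_RE.search(cmdline)
    return m.group(1).strip() if m else None


def is_self_delete(event, images_by_pid):
    """True when a process deletes the image of the process that spawned it.
    Needs the parent's own process-create record to resolve its image."""
    if event.get("event_id") != 1:
        return False
    target = del_target(event.get("cmdline", ""))
    if target is None:
        return False
    parent_image = images_by_pid.get(event.get("ppid"))
    return parent_image is not None and target.lower() == parent_image.lower()


def is_temp_run_key(event):
    """True for a Run value (native or Wow6432Node) whose data is under Temp."""
    if event.get("event_id") != 13:
        return False
    return bool(RUN_KEY_RE.search(event.get("target", ""))
                and USER_TEMP_RE.search(event.get("details", "")))


def detect(events):
    """Return (rule, pid, evidence) tuples in event order."""
    images = {e["pid"]: e["image"] for e in events if e.get("event_id") == 1}
    findings = []
    for e in events:
        if is_temp_run_key(e):
            findings.append(("run_key_to_user_temp", e["pid"], e["target"]))
        if is_self_delete(e, images):
            findings.append(("self_delete_via_ping", e["pid"], e["cmdline"]))
    return findings


if __name__ == "__main__":
    for rule, pid, evidence in detect(EVENTS):
        print(f"{rule}\tPID {pid}\t{evidence}")
```

Running the block on the constructed events reports exactly two findings, the Run value set by PID 956 and the self-deleting cmd.exe at PID 1152; the bare ping and the Program Files Run entry stay silent. On real telemetry the parent-image lookup depends on the parent's process-create event being present in the same window, so a missed event degrades the self-delete rule to no finding rather than a false positive.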
Network
MITRE ATT&CK Enterprise v6
Downloads

One dropped file (the original report listed the same hashes three times; deduplicated here):

- MD5: c4174d775dd100719e34e09f4aa2bad7
- SHA1: 6539e967546bc53efe0667b0f58639cbaf9c0f94
- SHA256: 269445f0773e701a303321bd7fee48e8af7d9524862275f12e098954cae4c784
- SHA512: bfea1c6d7586d9ec9f67ffe0b0fed68d943dd22c54140286e5d50c770250fd04b32e9d1faaa7acb803e7137eadd34ca0d6be4b16a2ed5da2936569fed0918910