Analysis
max time kernel: 149s
max time network: 170s
platform: windows7_x64
resource: win7-en-20211208
submitted: 30-01-2022 22:50
Static task: static1
Behavioral task: behavioral1
  Sample: 690d93dc31bd580bac73371ac8ed27286b5684a5d8f62ffdcdba81bb47891463.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 690d93dc31bd580bac73371ac8ed27286b5684a5d8f62ffdcdba81bb47891463.exe
  Resource: win10-en-20211208
General
Target: 690d93dc31bd580bac73371ac8ed27286b5684a5d8f62ffdcdba81bb47891463.exe
Size: 79KB
MD5: aeed29398ceb645213cf639a9f80367c
SHA1: 39951d5594d314aace6191e491c8dbaa2c2d69b3
SHA256: 690d93dc31bd580bac73371ac8ed27286b5684a5d8f62ffdcdba81bb47891463
SHA512: 32ab9527e1795a002c223c3b74d2aaaac822579cf3b251be46fb46ead25f9fd45a25010f6775592fa961a12486faf2d7a029e0ea3d72d3a51bd5de9ce8c39ebc
Malware Config
Signatures
Sakula Payload (3 IoCs)
resource | yara_rule
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
Executes dropped EXE (1 IoC)
process | pid
MediaCenter.exe | 304
Deletes itself (1 IoC)
process | pid
cmd.exe | 1312
Loads dropped DLL (2 IoCs)
process | pid
690d93dc31bd580bac73371ac8ed27286b5684a5d8f62ffdcdba81bb47891463.exe | 1772
690d93dc31bd580bac73371ac8ed27286b5684a5d8f62ffdcdba81bb47891463.exe | 1772
Adds Run key to start application (2 TTPs, 1 IoC)
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 690d93dc31bd580bac73371ac8ed27286b5684a5d8f62ffdcdba81bb47891463.exe (PID 1772)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description of this signature reads "Likely ransomware behaviour", but the sample is tagged as Sakula, a remote access trojan, and no file encryption is recorded in this report; treat the drive enumeration as a heuristic, not as evidence of ransomware.
Runs ping.exe (1 TTP, 1 IoC)
Suspicious use of AdjustPrivilegeToken (1 IoC)
description | pid | process
Token: SeIncBasePriorityPrivilege | 1772 | 690d93dc31bd580bac73371ac8ed27286b5684a5d8f62ffdcdba81bb47891463.exe
Suspicious use of WriteProcessMemory (12 IoCs)
source pid | source process | target pid | target process | count
1772 | 690d93dc31bd580bac73371ac8ed27286b5684a5d8f62ffdcdba81bb47891463.exe | 304 | MediaCenter.exe | 4
1772 | 690d93dc31bd580bac73371ac8ed27286b5684a5d8f62ffdcdba81bb47891463.exe | 1312 | cmd.exe | 4
1312 | cmd.exe | 1080 | PING.EXE | 4
Processes
1. C:\Users\Admin\AppData\Local\Temp\690d93dc31bd580bac73371ac8ed27286b5684a5d8f62ffdcdba81bb47891463.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\690d93dc31bd580bac73371ac8ed27286b5684a5d8f62ffdcdba81bb47891463.exe"
   PID: 1772
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      PID: 304
      - Executes dropped EXE
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\690d93dc31bd580bac73371ac8ed27286b5684a5d8f62ffdcdba81bb47891463.exe"
      PID: 1312
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\PING.EXE
         Command line: ping 127.0.0.1
         PID: 1080
         - Runs ping.exe
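The process tree above shows three behaviours worth turning into detections: an autorun value that points into the user's Temp directory, a Temp-resident dropper spawning a second Temp-resident executable, and the classic "cmd /c ping 127.0.0.1 & del /q <own image>" stub, where the ping only buys time for the parent to exit before its file is deleted. The following is an added example of detection logic over constructed event records, not code from the sandbox or from the report; the `Event` fields are loosely modelled on Sysmon Event ID 1 (process create) and Event ID 13 (registry value set) and are assumptions, as are the rule names and the two benign control events. The paths, PIDs and registry key are taken from the report.

```python
"""Detection logic for the behaviours recorded in the sandbox report above.

Added example, not part of the original report. Event records are constructed
here and modelled loosely on Sysmon Event ID 1 (process create) and Event ID 13
(registry value set); the field names are assumptions, not the sandbox's export.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Indicators taken from the report.
DROPPER_PATH = (r"C:\Users\Admin\AppData\Local\Temp"
                r"\690d93dc31bd580bac73371ac8ed27286b5684a5d8f62ffdcdba81bb47891463.exe")
DROPPED_PATH = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
RUN_KEY = (r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows"
           r"\CurrentVersion\Run\MicroMedia")

# "cmd /c ping <x> & del [/flags] <file>": the delay-then-delete stub that lets
# a dropper remove its own image once the parent process has exited.
SELF_DELETE_RE = re.compile(
    r'cmd(?:\.exe)?"?\s+/c\s+ping\b[^&]*&\s*del\s+(?:/\w\s+)*"?(?P<target>[^"]+?)"?\s*$',
    re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)
USER_TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)


@dataclass
class Event:
    kind: str            # "process" (EID 1-like) or "registry" (EID 13-like)
    pid: int
    ppid: int = 0
    image: str = ""      # full path of the process image
    cmdline: str = ""    # process command line
    key: str = ""        # registry: target key path
    value: str = ""      # registry: data written


def detect(events: List[Event]) -> List[Dict[str, str]]:
    """Return one finding per matched rule; rules correlate child to parent by PID."""
    procs = {e.pid: e for e in events if e.kind == "process"}
    findings: List[Dict[str, str]] = []
    for e in events:
        if e.kind == "registry":
            # Autorun value whose target lives in the user's Temp directory.
            if RUN_KEY_RE.search(e.key) and USER_TEMP_RE.search(e.value):
                findings.append({"rule": "run_key_to_user_temp",
                                 "pid": str(e.pid), "detail": e.value})
            continue
        parent: Optional[Event] = procs.get(e.ppid)
        m = SELF_DELETE_RE.search(e.cmdline)
        if m:
            target = m.group("target").strip()
            # Stronger signal when the file being deleted is the parent's own image.
            same_as_parent = parent is not None and target.lower() == parent.image.lower()
            findings.append({"rule": "parent_self_delete" if same_as_parent else "ping_del_stub",
                             "pid": str(e.pid), "detail": target})
        # Executable under Temp spawned by another executable under Temp.
        if parent is not None and USER_TEMP_RE.search(e.image) and USER_TEMP_RE.search(parent.image):
            findings.append({"rule": "temp_spawns_temp", "pid": str(e.pid), "detail": e.image})
    return findings


def sample_events() -> List[Event]:
    """Constructed events reproducing the report's process tree and registry write,
    plus two benign controls (constructed) that must not fire."""
    return [
        Event("process", 1772, 0, DROPPER_PATH, f'"{DROPPER_PATH}"'),
        Event("registry", 1772, key=RUN_KEY, value=DROPPED_PATH),
        Event("process", 304, 1772, DROPPED_PATH, DROPPED_PATH),
        Event("process", 1312, 1772, r"C:\Windows\SysWOW64\cmd.exe",
              f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{DROPPER_PATH}"'),
        Event("process", 1080, 1312, r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.1"),
        # Controls: a ping with no del, and a Run value pointing into Program Files.
        Event("process", 2000, 1, r"C:\Windows\System32\cmd.exe", "cmd.exe /c ping 10.0.0.1"),
        Event("registry", 2001, key=r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
              value=r"C:\Program Files\Vendor\updater.exe"),
    ]


if __name__ == "__main__":
    for f in detect(sample_events()):
        print(f["rule"], f["pid"], f["detail"])
```

Run against the constructed events, `detect` fires exactly three times (the Run value into Temp, MediaCenter.exe spawned from the Temp-resident dropper, and cmd.exe deleting its parent's image) and stays quiet on both controls. The parent correlation is what separates a generic "ping & del" stub from a process deleting the binary that launched it; keep both rules, but alert at a higher severity on the latter.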
Network
MITRE ATT&CK Enterprise v6
Downloads
(one file; the report lists the same hashes three times)
MD5: 458bf6b1442ea6b778d0fed239efff42
SHA1: 963c28ba4633a4cf2f645abd33ca5a628d690963
SHA256: 3c2930e84d8cda118cc35ed101b92997bee3dbbfe6bdcb488278aa5b64c6e9a1
SHA512: 148f26fcdff6aa457cf216b8e2548b3ad8a39e5ee4e1be37514c3a4e4fa97c4149db9a5e92c1214296b4bb3dcd1dd17cb7915e62dd70edad6dccdfc0afb2d627