Analysis
max time kernel: 126s
max time network: 136s
platform: windows7_x64
resource: win7-en-20211208
submitted: 30-01-2022 23:54
Static task: static1
Behavioral task: behavioral1
  Sample: 19c96e06c7e5f7c19611b44ff28293a1a73b32c1a7f57149c51974ee017d3daa.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 19c96e06c7e5f7c19611b44ff28293a1a73b32c1a7f57149c51974ee017d3daa.exe
  Resource: win10-en-20211208
General
Target: 19c96e06c7e5f7c19611b44ff28293a1a73b32c1a7f57149c51974ee017d3daa.exe
Size: 79KB
MD5: 3b70ab484857b6e96e62e239c937dea6
SHA1: fae910f1d2d2797beea25d0ec4f5ce9a3fad93d5
SHA256: 19c96e06c7e5f7c19611b44ff28293a1a73b32c1a7f57149c51974ee017d3daa
SHA512: edfdb43ac7cf9c48a43cd8aa819d4b7331cc374667329bc52899ed3ffbe5be87934264dfdbdd3eed4ccc55fb49a39285efec2fc87ecc854496b31461fd6cae20
Malware Config
Signatures
Sakula Payload 3 IoCs
Processes:
resource | yara_rule
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula

Executes dropped EXE 1 IoCs
Processes: MediaCenter.exe
pid | process
1588 | MediaCenter.exe

Deletes itself 1 IoCs
Processes: cmd.exe
pid | process
2032 | cmd.exe

Loads dropped DLL 2 IoCs
Processes: 19c96e06c7e5f7c19611b44ff28293a1a73b32c1a7f57149c51974ee017d3daa.exe
pid | process
744 | 19c96e06c7e5f7c19611b44ff28293a1a73b32c1a7f57149c51974ee017d3daa.exe
744 | 19c96e06c7e5f7c19611b44ff28293a1a73b32c1a7f57149c51974ee017d3daa.exe

Adds Run key to start application 2 TTPs 1 IoCs
Processes: 19c96e06c7e5f7c19611b44ff28293a1a73b32c1a7f57149c51974ee017d3daa.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 19c96e06c7e5f7c19611b44ff28293a1a73b32c1a7f57149c51974ee017d3daa.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes: 19c96e06c7e5f7c19611b44ff28293a1a73b32c1a7f57149c51974ee017d3daa.exe
description | pid | process
Token: SeIncBasePriorityPrivilege | 744 | 19c96e06c7e5f7c19611b44ff28293a1a73b32c1a7f57149c51974ee017d3daa.exe

Suspicious use of WriteProcessMemory 12 IoCs
Processes: 19c96e06c7e5f7c19611b44ff28293a1a73b32c1a7f57149c51974ee017d3daa.exe, cmd.exe
description | pid | process | target process
PID 744 wrote to memory of 1588 | 744 | 19c96e06c7e5f7c19611b44ff28293a1a73b32c1a7f57149c51974ee017d3daa.exe | MediaCenter.exe
PID 744 wrote to memory of 1588 | 744 | 19c96e06c7e5f7c19611b44ff28293a1a73b32c1a7f57149c51974ee017d3daa.exe | MediaCenter.exe
PID 744 wrote to memory of 1588 | 744 | 19c96e06c7e5f7c19611b44ff28293a1a73b32c1a7f57149c51974ee017d3daa.exe | MediaCenter.exe
PID 744 wrote to memory of 1588 | 744 | 19c96e06c7e5f7c19611b44ff28293a1a73b32c1a7f57149c51974ee017d3daa.exe | MediaCenter.exe
PID 744 wrote to memory of 2032 | 744 | 19c96e06c7e5f7c19611b44ff28293a1a73b32c1a7f57149c51974ee017d3daa.exe | cmd.exe
PID 744 wrote to memory of 2032 | 744 | 19c96e06c7e5f7c19611b44ff28293a1a73b32c1a7f57149c51974ee017d3daa.exe | cmd.exe
PID 744 wrote to memory of 2032 | 744 | 19c96e06c7e5f7c19611b44ff28293a1a73b32c1a7f57149c51974ee017d3daa.exe | cmd.exe
PID 744 wrote to memory of 2032 | 744 | 19c96e06c7e5f7c19611b44ff28293a1a73b32c1a7f57149c51974ee017d3daa.exe | cmd.exe
PID 2032 wrote to memory of 1084 | 2032 | cmd.exe | PING.EXE
PID 2032 wrote to memory of 1084 | 2032 | cmd.exe | PING.EXE
PID 2032 wrote to memory of 1084 | 2032 | cmd.exe | PING.EXE
PID 2032 wrote to memory of 1084 | 2032 | cmd.exe | PING.EXE
Processes
C:\Users\Admin\AppData\Local\Temp\19c96e06c7e5f7c19611b44ff28293a1a73b32c1a7f57149c51974ee017d3daa.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\19c96e06c7e5f7c19611b44ff28293a1a73b32c1a7f57149c51974ee017d3daa.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:744
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE
      PID:1588
    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\19c96e06c7e5f7c19611b44ff28293a1a73b32c1a7f57149c51974ee017d3daa.exe"
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      PID:2032
        C:\Windows\SysWOW64\PING.EXE
          Command line: ping 127.0.0.1
          - Runs ping.exe
          PID:1084
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: b09bd8d86e6dce2acb7c3f2039be19ab
SHA1: 3e5d4010a80615658274793a2470843fc77750ef
SHA256: 1a892c907af0464d76138e697ad49221e840565276fe0364b84397cce594d43a
SHA512: bdaafd013fc5824aabc0908f093004328ef7b8980fd7ca4f773925f625fb090faa4b3ac232563c994fd1c1ced91d1dd198619fad455174d213a395abade2597d

MD5: b09bd8d86e6dce2acb7c3f2039be19ab
SHA1: 3e5d4010a80615658274793a2470843fc77750ef
SHA256: 1a892c907af0464d76138e697ad49221e840565276fe0364b84397cce594d43a
SHA512: bdaafd013fc5824aabc0908f093004328ef7b8980fd7ca4f773925f625fb090faa4b3ac232563c994fd1c1ced91d1dd198619fad455174d213a395abade2597d

MD5: b09bd8d86e6dce2acb7c3f2039be19ab
SHA1: 3e5d4010a80615658274793a2470843fc77750ef
SHA256: 1a892c907af0464d76138e697ad49221e840565276fe0364b84397cce594d43a
SHA512: bdaafd013fc5824aabc0908f093004328ef7b8980fd7ca4f773925f625fb090faa4b3ac232563c994fd1c1ced91d1dd198619fad455174d213a395abade2597d