Analysis
  max time kernel:  139s
  max time network: 139s
  platform:         windows7_x64
  resource:         win7-en-20211208
  submitted:        30-01-2022 13:19

  static1      Static task
  behavioral1  Behavioral task   Sample: fd77f52378bc09a2b93c2a78af45925c8b9db53c5c6a5a378c3f4a54008d0802.exe   Resource: win7-en-20211208
  behavioral2  Behavioral task   Sample: fd77f52378bc09a2b93c2a78af45925c8b9db53c5c6a5a378c3f4a54008d0802.exe   Resource: win10-en-20211208

  The signatures and process tree below are from the windows7_x64 run (resource win7-en-20211208).
General
  Target: fd77f52378bc09a2b93c2a78af45925c8b9db53c5c6a5a378c3f4a54008d0802.exe
  Size:   89KB
  MD5:    8b52cd1df70ef315bce38223ac7f4ec3
  SHA1:   d687cb101346c2f1f480dc4932fe8b6fe94c0e5c
  SHA256: fd77f52378bc09a2b93c2a78af45925c8b9db53c5c6a5a378c3f4a54008d0802
  SHA512: f6f7ca374421f52dc1ac800c21ecdbd6d1677fdc9cecb2b2cb3708f5f71d1377dae8ab468c438492492aea1a6fe144b620e91e701126111f3a1c88902383e8bb
Malware Config
Signatures

Sakula Payload (2 IoCs)
  resource                                                      yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe    family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  family_sakula

Executes dropped EXE (1 IoC)
  pid    process
  880    MediaCenter.exe

Deletes itself (1 IoC)
  pid    process
  1080   cmd.exe

Loads dropped DLL (1 IoC)
  pid    process
  1492   fd77f52378bc09a2b93c2a78af45925c8b9db53c5c6a5a378c3f4a54008d0802.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  description       ioc                                                                                                                                                          process
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"   fd77f52378bc09a2b93c2a78af45925c8b9db53c5c6a5a378c3f4a54008d0802.exe
  The value sits under Wow6432Node because the sample is a 32-bit process on an x64 host and WOW64 redirects its HKLM\SOFTWARE writes; on a 32-bit host the same write lands in HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, so hunt for the MicroMedia value under both paths.

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature calls it likely ransomware behaviour, but nothing else in this run (no file encryption, no ransom note) supports that and the YARA match is the Sakula family; read it as host enumeration.

Runs ping.exe (1 TTP, 1 IoC)
  pid    process    command line
  1744   PING.EXE   ping 127.0.0.1

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description                         pid    process
  Token: SeIncBasePriorityPrivilege   1492   fd77f52378bc09a2b93c2a78af45925c8b9db53c5c6a5a378c3f4a54008d0802.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  description                        writes   pid    process                                                                  target process
  PID 1492 wrote to memory of 880    4        1492   fd77f52378bc09a2b93c2a78af45925c8b9db53c5c6a5a378c3f4a54008d0802.exe   MediaCenter.exe
  PID 1492 wrote to memory of 1080   4        1492   fd77f52378bc09a2b93c2a78af45925c8b9db53c5c6a5a378c3f4a54008d0802.exe   cmd.exe
  PID 1080 wrote to memory of 1744   4        1080   cmd.exe                                                                  PING.EXE
  Every target is a process the writer itself spawned, and each parent/child pair shows the same four writes, which is the pattern of a parent setting up a child it is creating rather than injection into a foreign process; nothing in this run shows code written into a process the sample did not start.
Processes

C:\Users\Admin\AppData\Local\Temp\fd77f52378bc09a2b93c2a78af45925c8b9db53c5c6a5a378c3f4a54008d0802.exe   PID 1492
  command line: "C:\Users\Admin\AppData\Local\Temp\fd77f52378bc09a2b93c2a78af45925c8b9db53c5c6a5a378c3f4a54008d0802.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe   PID 880
    command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE

  C:\Windows\SysWOW64\cmd.exe   PID 1080
    command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\fd77f52378bc09a2b93c2a78af45925c8b9db53c5c6a5a378c3f4a54008d0802.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\PING.EXE   PID 1744
      command line: ping 127.0.0.1
      - Runs ping.exe

Two details of the tree are worth noting. The cmd.exe chain is the usual self-deletion idiom: ping 127.0.0.1 is there only as a short delay so that del runs after the dropper has exited and released the lock on its own file, leaving the dropped MediaCenter.exe and its Run value in place while the original image is gone from disk. The command line asks for C:\Windows\System32\cmd.exe but the process that ran is C:\Windows\SysWOW64\cmd.exe: the 32-bit dropper's System32 path was served by the WOW64 file system redirector, the same mechanism that put its Run value under Wow6432Node.
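Detection logic for the two behaviours this tree shows, as an added example that is not part of the sandbox report or of the sample: it flags a cmd.exe whose ping-then-del chain targets its own parent's image, and a Run/RunOnce value (native or Wow6432Node) whose target lives under a user's AppData tree. It runs over constructed events whose PIDs, images, command lines and registry write are copied from the report; the ProcEvent/RegEvent shapes, the benign control events (powershell/cleanup.log and VendorUpdate) and the ATT&CK technique IDs in the findings are assumptions of the example, not the page's v6 mapping.

```python
# Added example: detection logic for the two behaviours this report shows, run over constructed
# events. The event shapes, the benign control events and the ATT&CK technique IDs are assumptions
# of this example, not output of the sandbox.
import re
from dataclasses import dataclass
from typing import Optional

@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # path of the executable that actually ran
    cmdline: str    # command line as logged

@dataclass
class RegEvent:
    pid: int
    key: str        # registry key, without the value name
    name: str       # value name
    data: str       # value data as logged, quotes included

# "ping <loopback>" used as a sleep, then "& del <flags> <path>"
_PING_LOOPBACK = re.compile(r'\bping\s+(?:-n\s+\d+\s+)?(?:127\.0\.0\.1|localhost)\b(?P<rest>.*)$',
                            re.IGNORECASE | re.DOTALL)
_DEL_CHAIN = re.compile(r'&+\s*del\s+(?:/[a-z]+\s+)*(?P<arg>.+)$', re.IGNORECASE | re.DOTALL)
# Run/RunOnce in the native hive or the WOW64-redirected Wow6432Node hive
_RUN_KEY = re.compile(r'\\(?:Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?$',
                      re.IGNORECASE)
_USER_WRITABLE = re.compile(r'\\Users\\[^\\]+\\AppData\\', re.IGNORECASE)

def _first_path(arg: str) -> str:
    """First path token of a command-line fragment, honouring double quotes."""
    arg = arg.strip()
    if arg.startswith('"'):
        return arg[1:].split('"', 1)[0]
    return arg.split()[0] if arg else ''

def parse_self_delete(cmdline: str) -> Optional[str]:
    """Path deleted by a 'ping <loopback> ... & del <path>' chain, or None."""
    m = _PING_LOOPBACK.search(cmdline)
    if not m:
        return None
    d = _DEL_CHAIN.search(m.group('rest'))
    return _first_path(d.group('arg')) if d else None

def detect_self_delete(procs: list) -> list:
    """cmd.exe processes whose ping-then-del chain targets their own parent's image."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for p in procs:
        if not p.image.lower().endswith('\\cmd.exe'):
            continue
        target = parse_self_delete(p.cmdline)
        parent = by_pid.get(p.ppid)
        if target and parent and target.lower() == parent.image.lower():
            hits.append({'technique': 'T1070.004', 'pid': p.pid,
                         'parent_pid': parent.pid, 'deleted': target})
    return hits

def detect_user_writable_run_key(regs: list) -> list:
    """Run/RunOnce values whose target executable lives under a user's AppData tree."""
    hits = []
    for r in regs:
        if _RUN_KEY.search(r.key):
            target = _first_path(r.data)
            if _USER_WRITABLE.search(target):
                hits.append({'technique': 'T1547.001', 'pid': r.pid,
                             'value': r.name, 'target': target})
    return hits

def triage(procs: list, regs: list) -> list:
    """Both detections, combined."""
    return detect_self_delete(procs) + detect_user_writable_run_key(regs)

# Constructed events: PIDs, images, command lines and the Run-key write are copied from the
# report; the powershell/cleanup.log and VendorUpdate events are benign controls.
SAMPLE = r'C:\Users\Admin\AppData\Local\Temp\fd77f52378bc09a2b93c2a78af45925c8b9db53c5c6a5a378c3f4a54008d0802.exe'
DROPPED = r'C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe'
SAMPLE_PROCS = [
    ProcEvent(1492, 1, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(880, 1492, DROPPED, DROPPED),
    ProcEvent(1080, 1492, r'C:\Windows\SysWOW64\cmd.exe',
              f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"'),
    ProcEvent(1744, 1080, r'C:\Windows\SysWOW64\PING.EXE', 'ping 127.0.0.1'),
    ProcEvent(2100, 1, r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe',
              'powershell.exe -File cleanup.ps1'),
    ProcEvent(2200, 2100, r'C:\Windows\System32\cmd.exe',
              r'"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q C:\Temp\cleanup.log'),
]
SAMPLE_REGS = [
    RegEvent(1492, r'\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
             'MicroMedia', f'"{DROPPED}"'),
    RegEvent(3000, r'\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
             'VendorUpdate', r'"C:\Program Files\Vendor\update.exe" /quiet'),
]

if __name__ == '__main__':
    for finding in triage(SAMPLE_PROCS, SAMPLE_REGS):
        print(finding)
```

The self-delete check deliberately requires the deleted path to equal the parent's image rather than firing on every ping-then-del: the benign cleanup.log control uses the same idiom and is not reported. The Run-key check matches the value name's key with or without Wow6432Node, so the same rule covers 32-bit and 64-bit hosts.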
Network
MITRE ATT&CK Enterprise v6
Downloads
  MD5:    5836bf70004545c341c15494eb65a8b2
  SHA1:   ac072aff550cdbaa26a3aab9f49402475dc84e68
  SHA256: 09851f5845762bf93ce8390ff3b7decedabb3442740f10b6b4daf7d6babf8669
  SHA512: 654f6636f4d5bc425c24c2efb3ab08385f51acdc69b54019f3700e1dbacdd4a3ecdab0ac649a2aafffa642554c290fb68b700d63f9379db63125b76c77f5ef77
  These hashes differ from the submitted sample's, so this entry is a different file; the page does not name it.