Analysis
Max time kernel: 120s
Max time network: 120s
Platform: windows7_x64
Resource: win7-en-20211208
Submitted: 30-01-2022 14:29
Static task: static1
Behavioral task: behavioral1
  Sample: dcd0cd6c316c5963180a7d6d61a271560591a92257c481397af3563853732e03.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: dcd0cd6c316c5963180a7d6d61a271560591a92257c481397af3563853732e03.exe
  Resource: win10-en-20211208
General
Target: dcd0cd6c316c5963180a7d6d61a271560591a92257c481397af3563853732e03.exe
Size: 89KB
MD5: 77a25486d425825986d2c6306a61f637
SHA1: b01caf62c20ef1f2dae0257dee8bae8c4b01bde0
SHA256: dcd0cd6c316c5963180a7d6d61a271560591a92257c481397af3563853732e03
SHA512: 6eabb344549701a886d72ef6121de85c2f1683804eee7404ac72afdb6c9f8189a9b25feb4d230eb7e8e524ecd2b3b7b354ec493cc924973be96c7482f34932ab
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  Processes:
  resource | yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- Executes dropped EXE (1 IoCs)
  Processes:
  pid | process
  1632 | MediaCenter.exe
- Deletes itself (1 IoCs)
  Processes:
  pid | process
  1796 | cmd.exe
- Loads dropped DLL (1 IoCs)
  Processes:
  pid | process
  1272 | dcd0cd6c316c5963180a7d6d61a271560591a92257c481397af3563853732e03.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | dcd0cd6c316c5963180a7d6d61a271560591a92257c481397af3563853732e03.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 1272 | dcd0cd6c316c5963180a7d6d61a271560591a92257c481397af3563853732e03.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
  description | pid | process | target process
  PID 1272 wrote to memory of 1632 | 1272 | dcd0cd6c316c5963180a7d6d61a271560591a92257c481397af3563853732e03.exe | MediaCenter.exe
  PID 1272 wrote to memory of 1632 | 1272 | dcd0cd6c316c5963180a7d6d61a271560591a92257c481397af3563853732e03.exe | MediaCenter.exe
  PID 1272 wrote to memory of 1632 | 1272 | dcd0cd6c316c5963180a7d6d61a271560591a92257c481397af3563853732e03.exe | MediaCenter.exe
  PID 1272 wrote to memory of 1632 | 1272 | dcd0cd6c316c5963180a7d6d61a271560591a92257c481397af3563853732e03.exe | MediaCenter.exe
  PID 1272 wrote to memory of 1796 | 1272 | dcd0cd6c316c5963180a7d6d61a271560591a92257c481397af3563853732e03.exe | cmd.exe
  PID 1272 wrote to memory of 1796 | 1272 | dcd0cd6c316c5963180a7d6d61a271560591a92257c481397af3563853732e03.exe | cmd.exe
  PID 1272 wrote to memory of 1796 | 1272 | dcd0cd6c316c5963180a7d6d61a271560591a92257c481397af3563853732e03.exe | cmd.exe
  PID 1272 wrote to memory of 1796 | 1272 | dcd0cd6c316c5963180a7d6d61a271560591a92257c481397af3563853732e03.exe | cmd.exe
  PID 1796 wrote to memory of 964 | 1796 | cmd.exe | PING.EXE
  PID 1796 wrote to memory of 964 | 1796 | cmd.exe | PING.EXE
  PID 1796 wrote to memory of 964 | 1796 | cmd.exe | PING.EXE
  PID 1796 wrote to memory of 964 | 1796 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\dcd0cd6c316c5963180a7d6d61a271560591a92257c481397af3563853732e03.exe (PID: 1272)
  Command line: "C:\Users\Admin\AppData\Local\Temp\dcd0cd6c316c5963180a7d6d61a271560591a92257c481397af3563853732e03.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID: 1632)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID: 1796)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\dcd0cd6c316c5963180a7d6d61a271560591a92257c481397af3563853732e03.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID: 964)
      Command line: ping 127.0.0.1
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: 255dacc20cf4785b208ddf98233afbce
SHA1: d61e60eee9be2508c5bb1d98e9fc8dd1ad8ff184
SHA256: 0b5f089f45aa5bff4ab0b4a7e1d57ec68248f3d4bdb423ff58f0809d0d52420c
SHA512: 5fea4804514146fb77610323804b747012dc4752b906abf8bbdaac90cda1b5f3ee501a8777e9fc7929cd61ccbd79f0fb1b89145df8451032e1012b74fd521a50