Analysis
max time kernel: 146s
max time network: 146s
platform: windows7_x64
resource: win7-en-20211208
submitted: 30-01-2022 17:34
Static task: static1
Behavioral task: behavioral1
  Sample: 4818013e444d17aa9f9986dbb43aa41cd0ded6f6919f2583cf041d1a222cc89c.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 4818013e444d17aa9f9986dbb43aa41cd0ded6f6919f2583cf041d1a222cc89c.exe
  Resource: win10-en-20211208
General
Target: 4818013e444d17aa9f9986dbb43aa41cd0ded6f6919f2583cf041d1a222cc89c.exe
Size: 89KB
MD5: 6c4d61fedd83970cf48ef7fdd2a9871b
SHA1: 59c5f8a16d78805b6e0b9cb543f0ff977fea014f
SHA256: 4818013e444d17aa9f9986dbb43aa41cd0ded6f6919f2583cf041d1a222cc89c
SHA512: 2353d1c3732be5f9fdcc978a0be95ac84ce2c85510c0b6aab33dba966e257fbba435842d9ab55f9f6e20270d32a77190c6f822755b8e712436455a4fb6c590f7
Malware Config
Signatures
-
Sakula Payload (2 IoCs)
  resource | yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
-
Executes dropped EXE (1 IoC)
  pid | process
  1916 | MediaCenter.exe
-
Deletes itself (1 IoC)
  pid | process
  1032 | cmd.exe
-
Loads dropped DLL (1 IoC)
  pid | process
  1480 | 4818013e444d17aa9f9986dbb43aa41cd0ded6f6919f2583cf041d1a222cc89c.exe
-
Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 4818013e444d17aa9f9986dbb43aa41cd0ded6f6919f2583cf041d1a222cc89c.exe
-
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  (Generic description attached to this signature, not a finding specific to the sample: nothing else in this report, the dropped MediaCenter.exe, the Run key, or the ping/del self-delete, shows any file encryption.)
-
Runs ping.exe (1 TTP, 1 IoC)
-
Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 1480 | 4818013e444d17aa9f9986dbb43aa41cd0ded6f6919f2583cf041d1a222cc89c.exe
-
Suspicious use of WriteProcessMemory (12 IoCs)
  description | process | target process
  PID 1480 wrote to memory of 1916 (4 entries) | 4818013e444d17aa9f9986dbb43aa41cd0ded6f6919f2583cf041d1a222cc89c.exe | MediaCenter.exe
  PID 1480 wrote to memory of 1032 (4 entries) | 4818013e444d17aa9f9986dbb43aa41cd0ded6f6919f2583cf041d1a222cc89c.exe | cmd.exe
  PID 1032 wrote to memory of 1052 (4 entries) | cmd.exe | PING.EXE
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\4818013e444d17aa9f9986dbb43aa41cd0ded6f6919f2583cf041d1a222cc89c.exe (PID 1480)
   Command line: "C:\Users\Admin\AppData\Local\Temp\4818013e444d17aa9f9986dbb43aa41cd0ded6f6919f2583cf041d1a222cc89c.exe"
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 1916)
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE
   2. C:\Windows\SysWOW64\cmd.exe (PID 1032)
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\4818013e444d17aa9f9986dbb43aa41cd0ded6f6919f2583cf041d1a222cc89c.exe"
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\PING.EXE (PID 1052)
         Command line: ping 127.0.0.1
         - Runs ping.exe
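The process tree above shows two behaviours worth turning into detections: the dropper registers the dropped MediaCenter.exe under a Run key in a user-writable Temp directory, and it removes its own file through `cmd.exe /c ping 127.0.0.1 & del /q "<own path>"`, using ping as a delay so the parent can exit before the delete runs. The following Python is an added example, not part of this report or of any sandbox's detection code. It runs over constructed Sysmon-style process-create and registry-set events modelled on the report's PIDs and command lines; the parent PIDs 900 and 1500, the benign look-alike events, and the field layout are assumptions.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ProcEvent:
    """Essentials of a Sysmon Event ID 1 (process create) record."""
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass(frozen=True)
class RegEvent:
    """Essentials of a Sysmon Event ID 13 (registry value set) record."""
    pid: int
    image: str
    key: str
    value: str


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\4818013e444d17aa9f9986dbb43aa41cd0ded6f6919f2583cf041d1a222cc89c.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

# Constructed telemetry modelled on the report's tree. PIDs 1480/1916/1032/1052 are the
# report's; parent PIDs 900 and 1500 and the two benign events are invented for contrast.
PROC_EVENTS = [
    ProcEvent(1480, 900, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(1916, 1480, DROPPED, DROPPED),
    ProcEvent(1032, 1480, r"C:\Windows\SysWOW64\cmd.exe",
              f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"'),
    ProcEvent(1052, 1032, r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.1"),
    # Benign look-alike: same ping/del idiom, but the target is not the parent's image.
    ProcEvent(2000, 1500, r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /c ping 127.0.0.1 & del /q "C:\Temp\old.log"'),
]
REG_EVENTS = [
    RegEvent(1480, SAMPLE,
             r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
             DROPPED),
    # Benign: an installer registering a tray app that lives under Program Files.
    RegEvent(3000, r"C:\Program Files\Vendor\setup.exe",
             r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorTray",
             r"C:\Program Files\Vendor\tray.exe"),
]

# The del target (quoted or bare) is the last token of the command line.
DEL_TARGET = re.compile(r'\bdel\b(?:\s+/[a-z]+)*\s+"?([^"&]+?)"?\s*$', re.I)
PING_DELAY = re.compile(r"\bping(?:\.exe)?\b", re.I)
RUN_KEY = re.compile(r"\\microsoft\\windows\\currentversion\\run(?:once)?\\", re.I)
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\",
                 "\\users\\public\\", "\\programdata\\")


def norm(path: str) -> str:
    """Case-fold and strip quotes so paths taken from different fields compare equal."""
    return ntpath.normcase(path.strip().strip('"'))


def self_delete_via_ping(events: List[ProcEvent]) -> List[Tuple[int, str]]:
    """(parent_pid, parent_image) for each cmd.exe that pings, then deletes its parent's image."""
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    hits = []
    for e in events:
        if ntpath.basename(e.image).lower() != "cmd.exe":
            continue
        delete = DEL_TARGET.search(e.cmdline)
        ping = PING_DELAY.search(e.cmdline)
        if not delete or not ping or ping.start() > delete.start():
            continue
        parent = by_pid.get(e.ppid)
        if parent is not None and norm(delete.group(1)) == norm(parent.image):
            hits.append((parent.pid, parent.image))
    return hits


def run_key_from_user_writable(reg_events: List[RegEvent], proc_events: List[ProcEvent]):
    """Run/RunOnce values that point into user-writable directories, flagged when the
    registering process also spawned that image (the dropper pattern seen above)."""
    spawned = {(e.ppid, norm(e.image)) for e in proc_events}
    hits = []
    for r in reg_events:
        if not RUN_KEY.search(r.key):
            continue
        target = norm(r.value.replace("\\\\", "\\"))  # undo report-style escaping if present
        if any(seg in target for seg in USER_WRITABLE):
            hits.append({
                "pid": r.pid,
                "value_name": r.key.rsplit("\\", 1)[-1],
                "target": target,
                "spawned_by_registrar": (r.pid, target) in spawned,
            })
    return hits


if __name__ == "__main__":
    for pid, image in self_delete_via_ping(PROC_EVENTS):
        print(f"self-delete via ping/del: parent pid {pid} {image}")
    for hit in run_key_from_user_writable(REG_EVENTS, PROC_EVENTS):
        print("Run key into user-writable path:", hit)
```

The self-delete rule keys on the relationship, not the idiom: a `ping ... & del` that targets anything other than the parent's own image (the constructed `old.log` event) stays quiet, which keeps admin cleanup scripts out of the alert queue. The Run-key rule is intentionally loose on the path check and tightens on correlation: a Run value under Temp is suspicious on its own, and the same process having launched that image moments earlier is what makes it a dropper.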
Network
MITRE ATT&CK Enterprise v6
Downloads
-
MD5: f60123b8daafe4ccc250ca8a03f8a4a2
SHA1: 792d17e3e8c1af90ae4c926007bb6a309fe6401b
SHA256: 712f360664227bb25a6c4015011050bf6dee6bd40684e95a8e997af5395762fe
SHA512: cc19a68d6bfc426c41bafc917a931e32c62052fed665fb631d88d32506289d71ee8427a13715e4a237996f06f855c20cc279e08132931d252cde4c7f606d4927