Analysis
- max time kernel: 159s
- max time network: 120s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 30-01-2022 17:34
Static task: static1
Behavioral task: behavioral1
  Sample: 135945912fc0869cedea5f6e7df95304ec2fa786cfa89dd30eab49aebda1fb40.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 135945912fc0869cedea5f6e7df95304ec2fa786cfa89dd30eab49aebda1fb40.exe
  Resource: win10-en-20211208
General
- Target: 135945912fc0869cedea5f6e7df95304ec2fa786cfa89dd30eab49aebda1fb40.exe
- Size: 89KB
- MD5: 6c3523020a2ba0b7045060707d8833ea
- SHA1: 0826d635a8e5cba27009a7c27735efd1337bbaf8
- SHA256: 135945912fc0869cedea5f6e7df95304ec2fa786cfa89dd30eab49aebda1fb40
- SHA512: 3e056b62c95636c83670a04babfd56f4380218b64b70b00755630cb7e9d81789039f8ea8f064ea1b684b1f66dbd141e0d46408fa6ce1c702c09378c5cdb19c0f
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  Processes:
    resource: \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe, yara_rule: family_sakula
    resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe, yara_rule: family_sakula
- Executes dropped EXE (1 IoC)
  Processes:
    pid: 268, process: MediaCenter.exe
- Deletes itself (1 IoC)
  Processes:
    pid: 1204, process: cmd.exe
- Loads dropped DLL (1 IoC)
  Processes:
    pid: 1156, process: 135945912fc0869cedea5f6e7df95304ec2fa786cfa89dd30eab49aebda1fb40.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    description: Set value (str), ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe", process: 135945912fc0869cedea5f6e7df95304ec2fa786cfa89dd30eab49aebda1fb40.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description: Token: SeIncBasePriorityPrivilege, pid: 1156, process: 135945912fc0869cedea5f6e7df95304ec2fa786cfa89dd30eab49aebda1fb40.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
    description: PID 1156 wrote to memory of 268, pid: 1156, process: 135945912fc0869cedea5f6e7df95304ec2fa786cfa89dd30eab49aebda1fb40.exe, target process: MediaCenter.exe
    description: PID 1156 wrote to memory of 268, pid: 1156, process: 135945912fc0869cedea5f6e7df95304ec2fa786cfa89dd30eab49aebda1fb40.exe, target process: MediaCenter.exe
    description: PID 1156 wrote to memory of 268, pid: 1156, process: 135945912fc0869cedea5f6e7df95304ec2fa786cfa89dd30eab49aebda1fb40.exe, target process: MediaCenter.exe
    description: PID 1156 wrote to memory of 268, pid: 1156, process: 135945912fc0869cedea5f6e7df95304ec2fa786cfa89dd30eab49aebda1fb40.exe, target process: MediaCenter.exe
    description: PID 1156 wrote to memory of 1204, pid: 1156, process: 135945912fc0869cedea5f6e7df95304ec2fa786cfa89dd30eab49aebda1fb40.exe, target process: cmd.exe
    description: PID 1156 wrote to memory of 1204, pid: 1156, process: 135945912fc0869cedea5f6e7df95304ec2fa786cfa89dd30eab49aebda1fb40.exe, target process: cmd.exe
    description: PID 1156 wrote to memory of 1204, pid: 1156, process: 135945912fc0869cedea5f6e7df95304ec2fa786cfa89dd30eab49aebda1fb40.exe, target process: cmd.exe
    description: PID 1156 wrote to memory of 1204, pid: 1156, process: 135945912fc0869cedea5f6e7df95304ec2fa786cfa89dd30eab49aebda1fb40.exe, target process: cmd.exe
    description: PID 1204 wrote to memory of 1488, pid: 1204, process: cmd.exe, target process: PING.EXE
    description: PID 1204 wrote to memory of 1488, pid: 1204, process: cmd.exe, target process: PING.EXE
    description: PID 1204 wrote to memory of 1488, pid: 1204, process: cmd.exe, target process: PING.EXE
    description: PID 1204 wrote to memory of 1488, pid: 1204, process: cmd.exe, target process: PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\135945912fc0869cedea5f6e7df95304ec2fa786cfa89dd30eab49aebda1fb40.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\135945912fc0869cedea5f6e7df95304ec2fa786cfa89dd30eab49aebda1fb40.exe"
  PID: 1156
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 268
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\135945912fc0869cedea5f6e7df95304ec2fa786cfa89dd30eab49aebda1fb40.exe"
    PID: 1204
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 1488
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 4008b82ed9793e87f0c754ac71ccb5b2
  SHA1: c82639e01bef660e9e69dbd86a95eda17574e2fb
  SHA256: fbd99d838ecc62139d5ad2115ac582be2d55774818e2963bf6d4daf529396950
  SHA512: b86b4aa859574c4c88253922157574ae43145e27a4a8c51a1ab5c1537ccf75f42325528aae0a232c897259d859663b6006adfb97bb785d67b991e1be3a8f8892