Analysis
- max time kernel: 137s
- max time network: 137s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 30-01-2022 18:34
Static task: static1
Behavioral task: behavioral1
  Sample: 834b4e2cb213740f4bde30273c12c4e6e1aeeb6d9f61f100bac0a68731d25681.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 834b4e2cb213740f4bde30273c12c4e6e1aeeb6d9f61f100bac0a68731d25681.exe
  Resource: win10-en-20211208
General
- Target: 834b4e2cb213740f4bde30273c12c4e6e1aeeb6d9f61f100bac0a68731d25681.exe
- Size: 89KB
- MD5: 5a843bc0b9f4525b1ee512e1eba95641
- SHA1: b74c828dc6f726c42e92e660294f9c549a244b7e
- SHA256: 834b4e2cb213740f4bde30273c12c4e6e1aeeb6d9f61f100bac0a68731d25681
- SHA512: 32e60201eb43a5e52b66564d10d904e4a847cd5ca13bf7321860ecae81bfba1e76863f3abfa1f02ee05dab4f0b78ec0640d85f6ba06dd52c7f60e1afab871696
Malware Config
Signatures

Sakula Payload (2 IoCs)
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula

Executes dropped EXE (1 IoC)
  pid | process
  1620 | MediaCenter.exe

Deletes itself (1 IoC)
  pid | process
  1844 | cmd.exe

Loads dropped DLL (1 IoC)
  pid | process
  960 | 834b4e2cb213740f4bde30273c12c4e6e1aeeb6d9f61f100bac0a68731d25681.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 834b4e2cb213740f4bde30273c12c4e6e1aeeb6d9f61f100bac0a68731d25681.exe
  Note: the value lands under Wow6432Node because the sample is a 32-bit process on an x64 host and its write to HKLM\SOFTWARE\...\Run is redirected by WOW64. When hunting for this persistence, query both the native and the Wow6432Node Run keys.
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature calls it likely ransomware behaviour; no IoC was recorded for it in this run, and the sample matches the Sakula YARA rule above, so treat this as a heuristic rather than a ransomware verdict.
Runs ping.exe (1 TTP, 1 IoC)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 960 | 834b4e2cb213740f4bde30273c12c4e6e1aeeb6d9f61f100bac0a68731d25681.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  description | pid | process | target process | count
  PID 960 wrote to memory of 1620 | 960 | 834b4e2cb213740f4bde30273c12c4e6e1aeeb6d9f61f100bac0a68731d25681.exe | MediaCenter.exe | 4
  PID 960 wrote to memory of 1844 | 960 | 834b4e2cb213740f4bde30273c12c4e6e1aeeb6d9f61f100bac0a68731d25681.exe | cmd.exe | 4
  PID 1844 wrote to memory of 1052 | 1844 | cmd.exe | PING.EXE | 4
Processes

1. C:\Users\Admin\AppData\Local\Temp\834b4e2cb213740f4bde30273c12c4e6e1aeeb6d9f61f100bac0a68731d25681.exe (PID 960)
   Command line: "C:\Users\Admin\AppData\Local\Temp\834b4e2cb213740f4bde30273c12c4e6e1aeeb6d9f61f100bac0a68731d25681.exe"
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 1620)
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE

   2. C:\Windows\SysWOW64\cmd.exe (PID 1844)
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\834b4e2cb213740f4bde30273c12c4e6e1aeeb6d9f61f100bac0a68731d25681.exe"
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      Note: the command line names System32\cmd.exe but the image that actually ran is under SysWOW64, because the 32-bit parent is subject to WOW64 file system redirection. The ping to 127.0.0.1 is only a delay so that the parent has exited before del /q removes its on-disk image.

      3. C:\Windows\SysWOW64\PING.EXE (PID 1052)
         Command line: ping 127.0.0.1
         - Runs ping.exe
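The self-deletion chain and the Run-key persistence in this tree are simple to express as host-based detections. The Python below is an added example, not part of this report or of any sandbox's rule set. It runs over constructed process-creation and registry-set events modelled on the tree above (the field names type/pid/ppid/image/cmdline/key/value are this example's own schema, not Sysmon's), and it includes two benign look-alikes to show what must not fire: a cmd /c ping & del that removes a file other than the parent's own image, and a Run key that points outside the user's Temp directory.

```python
"""Flag the Sakula-style self-delete and Temp-directory Run-key persistence
seen in this report. Added example; event schema is this example's own."""
import re
from typing import Dict, List

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\834b4e2cb213740f4bde30273c12c4e6e1aeeb6d9f61f100bac0a68731d25681.exe")
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

# Constructed events modelled on the report's process tree and Run-key IoC.
EVENTS: List[Dict[str, str]] = [
    {"type": "process", "pid": "960", "ppid": "1", "image": SAMPLE,
     "cmdline": '"' + SAMPLE + '"'},
    {"type": "registry", "pid": "960",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "value": DROPPED},
    {"type": "process", "pid": "1620", "ppid": "960", "image": DROPPED, "cmdline": DROPPED},
    {"type": "process", "pid": "1844", "ppid": "960", "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": '"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "' + SAMPLE + '"'},
    {"type": "process", "pid": "1052", "ppid": "1844", "image": r"C:\Windows\SysWOW64\PING.EXE",
     "cmdline": "ping 127.0.0.1"},
    # Benign look-alikes (constructed): an installer deleting its own log, and a
    # Run key that points at Program Files. Neither should produce a finding.
    {"type": "process", "pid": "2000", "ppid": "1", "image": r"C:\Program Files\Vendor\setup.exe",
     "cmdline": r'"C:\Program Files\Vendor\setup.exe"'},
    {"type": "process", "pid": "2001", "ppid": "2000", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\setup.log"'},
    {"type": "registry", "pid": "2000",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Vendor",
     "value": r"C:\Program Files\Vendor\agent.exe"},
]

# cmd /c ping <anything> & del [/switches] "<path>"  -> capture the deleted path
SELF_DELETE = re.compile(
    r'/c\s+ping\b.*?&\s*del\s+(?:/\w+\s+)*"?(?P<path>[^"&]+?)"?\s*$', re.IGNORECASE)
# Run key under HKLM\SOFTWARE, with or without the WOW64 redirection node
RUN_KEY = re.compile(
    r'\\(?:Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run\\', re.IGNORECASE)
TEMP_DIR = re.compile(r'\\AppData\\Local\\Temp\\', re.IGNORECASE)


def _norm(path: str) -> str:
    """Case-insensitive, unquoted form of a Windows path for comparison."""
    return path.strip().strip('"').lower()


def detect(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one finding per matching event, in event order."""
    image_by_pid = {e["pid"]: e["image"] for e in events if e["type"] == "process"}
    findings: List[Dict[str, str]] = []
    for e in events:
        if e["type"] == "process" and e["image"].lower().endswith("\\cmd.exe"):
            m = SELF_DELETE.search(e["cmdline"])
            parent = image_by_pid.get(e["ppid"])
            # Only a self-delete if the del target is the parent's own image.
            if m and parent and _norm(m.group("path")) == _norm(parent):
                findings.append({"rule": "self_delete_via_ping", "pid": e["pid"],
                                 "parent_pid": e["ppid"], "deleted": parent})
        elif e["type"] == "registry" and RUN_KEY.search(e["key"]) and TEMP_DIR.search(e["value"]):
            findings.append({"rule": "run_key_to_temp", "pid": e["pid"],
                             "key": e["key"], "value": _norm(e["value"])})
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f)
```

The parent-image comparison is what separates a genuine self-delete from the common installer idiom of cleaning up a temporary file after a short ping delay; matching on `cmd /c ping & del` alone would be noisy on most fleets.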
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 304248d7ef7c406f23a65a62790a9d8c
- SHA1: 4c67c82bde2d8499108ddaafd6d3ccc9070000e5
- SHA256: b481a44a980743ea4fa32285530e126fd82a8269ee466ce97a4c3991c1781f55
- SHA512: e0eb9fcda0db5f3191c51adefde8b15d3c7046adcd986e8f53e0be728c5483562aa20e9799cc7c01d93e222fd1dd7852f26bf7ed9bdcfa448b70be0d2519fc57