Analysis
- max time kernel: 139s
- max time network: 150s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 30-01-2022 17:43
Static task: static1
Behavioral task: behavioral1
- Sample: c4172c6ac1e00bb82cce8ce000b3a199e5f65b0936bc5fb67f28e0d8fc34ded6.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: c4172c6ac1e00bb82cce8ce000b3a199e5f65b0936bc5fb67f28e0d8fc34ded6.exe
- Resource: win10-en-20211208
General
- Target: c4172c6ac1e00bb82cce8ce000b3a199e5f65b0936bc5fb67f28e0d8fc34ded6.exe
- Size: 89KB
- MD5: 69374e5bcb38a82ef60c97ec0569ded3
- SHA1: 2baffb0df06fea13ea97658e200fcecd1ee346eb
- SHA256: c4172c6ac1e00bb82cce8ce000b3a199e5f65b0936bc5fb67f28e0d8fc34ded6
- SHA512: fe9fc743285242fef57aabf78d0d391ec32120c815ebb6240b439cdc28cd4080c736ad8ce7d2affddaf6fd61f57bc949947d6c4b3111e383efca4f52397a3c23
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  Processes (resource / yara_rule):
  - \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe / family_sakula
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe / family_sakula
- Executes dropped EXE (1 IoC)
  Processes (pid / process):
  - 592 / MediaCenter.exe
- Deletes itself (1 IoC)
  Processes (pid / process):
  - 1116 / cmd.exe
- Loads dropped DLL (1 IoC)
  Processes (pid / process):
  - 1156 / c4172c6ac1e00bb82cce8ce000b3a199e5f65b0936bc5fb67f28e0d8fc34ded6.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description / ioc / process):
  - Set value (str) / \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" / c4172c6ac1e00bb82cce8ce000b3a199e5f65b0936bc5fb67f28e0d8fc34ded6.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description / pid / process):
  - Token: SeIncBasePriorityPrivilege / 1156 / c4172c6ac1e00bb82cce8ce000b3a199e5f65b0936bc5fb67f28e0d8fc34ded6.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description / pid / process / target process), each relation recorded 4 times:
  - PID 1156 wrote to memory of 592 / 1156 / c4172c6ac1e00bb82cce8ce000b3a199e5f65b0936bc5fb67f28e0d8fc34ded6.exe / MediaCenter.exe
  - PID 1156 wrote to memory of 1116 / 1156 / c4172c6ac1e00bb82cce8ce000b3a199e5f65b0936bc5fb67f28e0d8fc34ded6.exe / cmd.exe
  - PID 1116 wrote to memory of 1184 / 1116 / cmd.exe / PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\c4172c6ac1e00bb82cce8ce000b3a199e5f65b0936bc5fb67f28e0d8fc34ded6.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c4172c6ac1e00bb82cce8ce000b3a199e5f65b0936bc5fb67f28e0d8fc34ded6.exe"
  PID: 1156
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 592
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\c4172c6ac1e00bb82cce8ce000b3a199e5f65b0936bc5fb67f28e0d8fc34ded6.exe"
    PID: 1116
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 1184
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 7bcdb54bf367086ef311ed9afb533bb2
  SHA1: b46fcfccbe2e1c7838f33005c78dd36c5843b154
  SHA256: 821946be3b32d08784b7838bb08b8b726c2ffa2806f9afba02b1f5361a8746c6
  SHA512: 6904fb82608f7cadf35def16e95072b5ec2c28f8a160d25d6915ef1a8bd76bc791c6a530a869df5a1176262a818150c18293273c7406415be93f4ae3fda61c7f