Analysis
- max time kernel: 150s
- max time network: 149s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 30-01-2022 18:02
Static task: static1
Behavioral task: behavioral1
  Sample: 14bab3a5cf879883e3c61b31ba722519360eac9ba68016ecacc9ae611e898d38.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 14bab3a5cf879883e3c61b31ba722519360eac9ba68016ecacc9ae611e898d38.exe
  Resource: win10-en-20211208
General
- Target: 14bab3a5cf879883e3c61b31ba722519360eac9ba68016ecacc9ae611e898d38.exe
- Size: 89KB
- MD5: 63ae83244a8d7ca1eef4e834eb0eb07f
- SHA1: 36f79f828ce802cc2ed8dd37cae5247362fb11ea
- SHA256: 14bab3a5cf879883e3c61b31ba722519360eac9ba68016ecacc9ae611e898d38
- SHA512: 8a5ac6c6a16e703aaa56a982ce0d5afcb17ebf818c0faddae8bba4e5818f976fa6db15c6e5d49144c73fac3fab75bd5e3f991fb8fe624abffb266db30f6ebf82
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  Processes (resource | yara_rule):
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- Executes dropped EXE (1 IoC)
  Processes (pid | process):
  1664 | MediaCenter.exe
- Deletes itself (1 IoC)
  Processes (pid | process):
  428 | cmd.exe
- Loads dropped DLL (1 IoC)
  Processes (pid | process):
  744 | 14bab3a5cf879883e3c61b31ba722519360eac9ba68016ecacc9ae611e898d38.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description | ioc | process):
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 14bab3a5cf879883e3c61b31ba722519360eac9ba68016ecacc9ae611e898d38.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description | pid | process):
  Token: SeIncBasePriorityPrivilege | 744 | 14bab3a5cf879883e3c61b31ba722519360eac9ba68016ecacc9ae611e898d38.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description | pid | process | target process):
  PID 744 wrote to memory of 1664 | 744 | 14bab3a5cf879883e3c61b31ba722519360eac9ba68016ecacc9ae611e898d38.exe | MediaCenter.exe
  PID 744 wrote to memory of 1664 | 744 | 14bab3a5cf879883e3c61b31ba722519360eac9ba68016ecacc9ae611e898d38.exe | MediaCenter.exe
  PID 744 wrote to memory of 1664 | 744 | 14bab3a5cf879883e3c61b31ba722519360eac9ba68016ecacc9ae611e898d38.exe | MediaCenter.exe
  PID 744 wrote to memory of 1664 | 744 | 14bab3a5cf879883e3c61b31ba722519360eac9ba68016ecacc9ae611e898d38.exe | MediaCenter.exe
  PID 744 wrote to memory of 428 | 744 | 14bab3a5cf879883e3c61b31ba722519360eac9ba68016ecacc9ae611e898d38.exe | cmd.exe
  PID 744 wrote to memory of 428 | 744 | 14bab3a5cf879883e3c61b31ba722519360eac9ba68016ecacc9ae611e898d38.exe | cmd.exe
  PID 744 wrote to memory of 428 | 744 | 14bab3a5cf879883e3c61b31ba722519360eac9ba68016ecacc9ae611e898d38.exe | cmd.exe
  PID 744 wrote to memory of 428 | 744 | 14bab3a5cf879883e3c61b31ba722519360eac9ba68016ecacc9ae611e898d38.exe | cmd.exe
  PID 428 wrote to memory of 896 | 428 | cmd.exe | PING.EXE
  PID 428 wrote to memory of 896 | 428 | cmd.exe | PING.EXE
  PID 428 wrote to memory of 896 | 428 | cmd.exe | PING.EXE
  PID 428 wrote to memory of 896 | 428 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\14bab3a5cf879883e3c61b31ba722519360eac9ba68016ecacc9ae611e898d38.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\14bab3a5cf879883e3c61b31ba722519360eac9ba68016ecacc9ae611e898d38.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 744
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1664
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\14bab3a5cf879883e3c61b31ba722519360eac9ba68016ecacc9ae611e898d38.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 428
    - C:\Windows\SysWOW64\PING.EXE (depth 3)
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 896
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 5549705832c803aa6429670c960086ce
  SHA1: cd57417cbc83309f98102396936184abe5d3229c
  SHA256: 8908a98fb7b1cf0eab11dffa7ae486ddfcfebb223812e16d30b2c7fc780f1bbc
  SHA512: 9c50c8eb73e5039f81d21efa5ce90c302d88ee50b17c2c50d3a77242c59ff9f8db3794b2ff10c3b5821f1b263f1fbea5ad99f68e57071a146b56b6629093200e