Analysis
- max time kernel: 136s
- max time network: 152s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 30-01-2022 18:14
Static task
- static1

Behavioral task
- behavioral1
  Sample: ad382c5acb55890cb0f62880897b5b25455d8f0d30bf2985bdc2ac04f6f85ce6.exe
  Resource: win7-en-20211208

Behavioral task
- behavioral2
  Sample: ad382c5acb55890cb0f62880897b5b25455d8f0d30bf2985bdc2ac04f6f85ce6.exe
  Resource: win10-en-20211208
General
- Target: ad382c5acb55890cb0f62880897b5b25455d8f0d30bf2985bdc2ac04f6f85ce6.exe
- Size: 89KB
- MD5: 5ff5916c9f7c593d1d589c97c571b45a
- SHA1: 9d65a6cd35f8aacdf0965a3c4c1e609fefd97157
- SHA256: ad382c5acb55890cb0f62880897b5b25455d8f0d30bf2985bdc2ac04f6f85ce6
- SHA512: c59be83ada047f3742ee87900516d5f66863a16139b6f39cfc266b62b763b8a9defabff2120ad880b43d6efb6de804b2d417fd0d29a92a64157dc1e7034f4633
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  Processes:
    resource                                                      yara_rule
    \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe    family_sakula
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  family_sakula

- Executes dropped EXE (1 IoC)
  Processes:
    pid   process
    288   MediaCenter.exe

- Deletes itself (1 IoC)
  Processes:
    pid    process
    1988   cmd.exe

- Loads dropped DLL (1 IoC)
  Processes:
    pid   process
    744   ad382c5acb55890cb0f62880897b5b25455d8f0d30bf2985bdc2ac04f6f85ce6.exe

- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    description      ioc                                                                                                                                                                process
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  ad382c5acb55890cb0f62880897b5b25455d8f0d30bf2985bdc2ac04f6f85ce6.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Runs ping.exe (1 TTP, 1 IoC)

- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description                       pid   process
    Token: SeIncBasePriorityPrivilege 744   ad382c5acb55890cb0f62880897b5b25455d8f0d30bf2985bdc2ac04f6f85ce6.exe

- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
    description                        pid    process                                                                 target process
    PID 744 wrote to memory of 288     744    ad382c5acb55890cb0f62880897b5b25455d8f0d30bf2985bdc2ac04f6f85ce6.exe   MediaCenter.exe
    PID 744 wrote to memory of 288     744    ad382c5acb55890cb0f62880897b5b25455d8f0d30bf2985bdc2ac04f6f85ce6.exe   MediaCenter.exe
    PID 744 wrote to memory of 288     744    ad382c5acb55890cb0f62880897b5b25455d8f0d30bf2985bdc2ac04f6f85ce6.exe   MediaCenter.exe
    PID 744 wrote to memory of 288     744    ad382c5acb55890cb0f62880897b5b25455d8f0d30bf2985bdc2ac04f6f85ce6.exe   MediaCenter.exe
    PID 744 wrote to memory of 1988    744    ad382c5acb55890cb0f62880897b5b25455d8f0d30bf2985bdc2ac04f6f85ce6.exe   cmd.exe
    PID 744 wrote to memory of 1988    744    ad382c5acb55890cb0f62880897b5b25455d8f0d30bf2985bdc2ac04f6f85ce6.exe   cmd.exe
    PID 744 wrote to memory of 1988    744    ad382c5acb55890cb0f62880897b5b25455d8f0d30bf2985bdc2ac04f6f85ce6.exe   cmd.exe
    PID 744 wrote to memory of 1988    744    ad382c5acb55890cb0f62880897b5b25455d8f0d30bf2985bdc2ac04f6f85ce6.exe   cmd.exe
    PID 1988 wrote to memory of 1460   1988   cmd.exe                                                                 PING.EXE
    PID 1988 wrote to memory of 1460   1988   cmd.exe                                                                 PING.EXE
    PID 1988 wrote to memory of 1460   1988   cmd.exe                                                                 PING.EXE
    PID 1988 wrote to memory of 1460   1988   cmd.exe                                                                 PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\ad382c5acb55890cb0f62880897b5b25455d8f0d30bf2985bdc2ac04f6f85ce6.exe (PID 744)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ad382c5acb55890cb0f62880897b5b25455d8f0d30bf2985bdc2ac04f6f85ce6.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 288, child of 744)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 1988, child of 744)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\ad382c5acb55890cb0f62880897b5b25455d8f0d30bf2985bdc2ac04f6f85ce6.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 1460, child of 1988)
      Command line: ping 127.0.0.1
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 39462a837a1648d8f3e70451c6d5fa2d
  SHA1: 1061568bba44df01e9d0e0921b2c76296c164ec4
  SHA256: 5e1e46ba3f11cb2f941723dd197d2c7547b2307139864db065f94862d548b834
  SHA512: 9fb24f2c1ba0d515339e6f78b4c1ee6f4db5bf7ae43b0765aa1e77261c0f81c43414c15bafbb3d043f8aa8cf317c2caf81f7d12d34a1c25789f07ab7f9169a34