Analysis
-
max time kernel
135s -
max time network
153s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
30-01-2022 18:49
Static task
static1
Behavioral task
behavioral1
Sample
7db237e3a169dd27b3dfb17387f680d84f34a273b6cb3607d23847ca3fe76755.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
7db237e3a169dd27b3dfb17387f680d84f34a273b6cb3607d23847ca3fe76755.exe
Resource
win10-en-20211208
General
-
Target
7db237e3a169dd27b3dfb17387f680d84f34a273b6cb3607d23847ca3fe76755.exe
-
Size
89KB
-
MD5
567a33e09af45123678042e620f31769
-
SHA1
8b18f58434111d96fd9139bdb05530b5f70239c1
-
SHA256
7db237e3a169dd27b3dfb17387f680d84f34a273b6cb3607d23847ca3fe76755
-
SHA512
180160ff1bca472d0805faba09dae05e7675bf59d10efa95ecb188936821adda60bb319e6e42d14d947998c2ef776e0abe4559c320bc1537bbc1b5e8c0332bec
Malware Config
Signatures
-
Sakula Payload 2 IoCs
Processes:
resource yara_rule \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula -
Executes dropped EXE 1 IoCs
Processes:
MediaCenter.exepid process 1304 MediaCenter.exe -
Deletes itself 1 IoCs
Processes:
cmd.exepid process 1860 cmd.exe -
Loads dropped DLL 1 IoCs
Processes:
7db237e3a169dd27b3dfb17387f680d84f34a273b6cb3607d23847ca3fe76755.exepid process 964 7db237e3a169dd27b3dfb17387f680d84f34a273b6cb3607d23847ca3fe76755.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
7db237e3a169dd27b3dfb17387f680d84f34a273b6cb3607d23847ca3fe76755.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" 7db237e3a169dd27b3dfb17387f680d84f34a273b6cb3607d23847ca3fe76755.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
7db237e3a169dd27b3dfb17387f680d84f34a273b6cb3607d23847ca3fe76755.exedescription pid process Token: SeIncBasePriorityPrivilege 964 7db237e3a169dd27b3dfb17387f680d84f34a273b6cb3607d23847ca3fe76755.exe -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
7db237e3a169dd27b3dfb17387f680d84f34a273b6cb3607d23847ca3fe76755.execmd.exedescription pid process target process PID 964 wrote to memory of 1304 964 7db237e3a169dd27b3dfb17387f680d84f34a273b6cb3607d23847ca3fe76755.exe MediaCenter.exe PID 964 wrote to memory of 1304 964 7db237e3a169dd27b3dfb17387f680d84f34a273b6cb3607d23847ca3fe76755.exe MediaCenter.exe PID 964 wrote to memory of 1304 964 7db237e3a169dd27b3dfb17387f680d84f34a273b6cb3607d23847ca3fe76755.exe MediaCenter.exe PID 964 wrote to memory of 1304 964 7db237e3a169dd27b3dfb17387f680d84f34a273b6cb3607d23847ca3fe76755.exe MediaCenter.exe PID 964 wrote to memory of 1860 964 7db237e3a169dd27b3dfb17387f680d84f34a273b6cb3607d23847ca3fe76755.exe cmd.exe PID 964 wrote to memory of 1860 964 7db237e3a169dd27b3dfb17387f680d84f34a273b6cb3607d23847ca3fe76755.exe cmd.exe PID 964 wrote to memory of 1860 964 7db237e3a169dd27b3dfb17387f680d84f34a273b6cb3607d23847ca3fe76755.exe cmd.exe PID 964 wrote to memory of 1860 964 7db237e3a169dd27b3dfb17387f680d84f34a273b6cb3607d23847ca3fe76755.exe cmd.exe PID 1860 wrote to memory of 1820 1860 cmd.exe PING.EXE PID 1860 wrote to memory of 1820 1860 cmd.exe PING.EXE PID 1860 wrote to memory of 1820 1860 cmd.exe PING.EXE PID 1860 wrote to memory of 1820 1860 cmd.exe PING.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\7db237e3a169dd27b3dfb17387f680d84f34a273b6cb3607d23847ca3fe76755.exe"C:\Users\Admin\AppData\Local\Temp\7db237e3a169dd27b3dfb17387f680d84f34a273b6cb3607d23847ca3fe76755.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:964 -
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeC:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe2⤵
- Executes dropped EXE
PID:1304 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\7db237e3a169dd27b3dfb17387f680d84f34a273b6cb3607d23847ca3fe76755.exe"2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1860 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.13⤵
- Runs ping.exe
PID:1820
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
7199e5b08cf4e29194793313945d07f5
SHA196b459cbff7be31b20ee6934ef5c9ea84f7946bb
SHA256b35b4d7bdab2feba538977a72814dff7add22dfcb5a4d7a8054e90e883258a4a
SHA51262a8f2a1af7ea94678170a8e62218dfca425a71cebb0524af762f423ddd3b21fef58720c9a664531f1d44c8f38cfed7aba76486ad014113ba515e67746558365
-
MD5
7199e5b08cf4e29194793313945d07f5
SHA196b459cbff7be31b20ee6934ef5c9ea84f7946bb
SHA256b35b4d7bdab2feba538977a72814dff7add22dfcb5a4d7a8054e90e883258a4a
SHA51262a8f2a1af7ea94678170a8e62218dfca425a71cebb0524af762f423ddd3b21fef58720c9a664531f1d44c8f38cfed7aba76486ad014113ba515e67746558365