Analysis
max time kernel: 121s
max time network: 121s
platform: windows7_x64
resource: win7-en-20211208
submitted: 30-01-2022 20:18
Static task: static1
Behavioral task: behavioral1
  Sample: b719bca6ade9b83bbadd435e49f5a7c43e586b112ac3f342ca37daaa01ace9bb.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: b719bca6ade9b83bbadd435e49f5a7c43e586b112ac3f342ca37daaa01ace9bb.exe
  Resource: win10-en-20211208
General
Target: b719bca6ade9b83bbadd435e49f5a7c43e586b112ac3f342ca37daaa01ace9bb.exe
Size: 89KB
MD5: 416e831d583665352fe16fe9232d36cf
SHA1: 50e7b4d4f3ab5fa9c77c0286213e7980ed52f6f6
SHA256: b719bca6ade9b83bbadd435e49f5a7c43e586b112ac3f342ca37daaa01ace9bb
SHA512: 49ce4109c6564507c44ff2b6881d560522900a2e564fce834e9a645d526d0853288ca5a4c348caf4570ef03eee2a26fee263de06a3f23f1979cb532f82399cc0
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  Processes:
    resource: \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe    yara_rule: family_sakula
    resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe    yara_rule: family_sakula
- Executes dropped EXE (1 IoCs)
  Processes:
    pid: 1332    process: MediaCenter.exe
- Deletes itself (1 IoCs)
  Processes:
    pid: 1156    process: cmd.exe
- Loads dropped DLL (1 IoCs)
  Processes:
    pid: 948    process: b719bca6ade9b83bbadd435e49f5a7c43e586b112ac3f342ca37daaa01ace9bb.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
    description: Set value (str)
    ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
    process: b719bca6ade9b83bbadd435e49f5a7c43e586b112ac3f342ca37daaa01ace9bb.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
    description: Token: SeIncBasePriorityPrivilege    pid: 948    process: b719bca6ade9b83bbadd435e49f5a7c43e586b112ac3f342ca37daaa01ace9bb.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description / pid / process / target process):
    PID 948 wrote to memory of 1332    948    b719bca6ade9b83bbadd435e49f5a7c43e586b112ac3f342ca37daaa01ace9bb.exe    MediaCenter.exe
    PID 948 wrote to memory of 1332    948    b719bca6ade9b83bbadd435e49f5a7c43e586b112ac3f342ca37daaa01ace9bb.exe    MediaCenter.exe
    PID 948 wrote to memory of 1332    948    b719bca6ade9b83bbadd435e49f5a7c43e586b112ac3f342ca37daaa01ace9bb.exe    MediaCenter.exe
    PID 948 wrote to memory of 1332    948    b719bca6ade9b83bbadd435e49f5a7c43e586b112ac3f342ca37daaa01ace9bb.exe    MediaCenter.exe
    PID 948 wrote to memory of 1156    948    b719bca6ade9b83bbadd435e49f5a7c43e586b112ac3f342ca37daaa01ace9bb.exe    cmd.exe
    PID 948 wrote to memory of 1156    948    b719bca6ade9b83bbadd435e49f5a7c43e586b112ac3f342ca37daaa01ace9bb.exe    cmd.exe
    PID 948 wrote to memory of 1156    948    b719bca6ade9b83bbadd435e49f5a7c43e586b112ac3f342ca37daaa01ace9bb.exe    cmd.exe
    PID 948 wrote to memory of 1156    948    b719bca6ade9b83bbadd435e49f5a7c43e586b112ac3f342ca37daaa01ace9bb.exe    cmd.exe
    PID 1156 wrote to memory of 1860    1156    cmd.exe    PING.EXE
    PID 1156 wrote to memory of 1860    1156    cmd.exe    PING.EXE
    PID 1156 wrote to memory of 1860    1156    cmd.exe    PING.EXE
    PID 1156 wrote to memory of 1860    1156    cmd.exe    PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\b719bca6ade9b83bbadd435e49f5a7c43e586b112ac3f342ca37daaa01ace9bb.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\b719bca6ade9b83bbadd435e49f5a7c43e586b112ac3f342ca37daaa01ace9bb.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 948
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1332
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\b719bca6ade9b83bbadd435e49f5a7c43e586b112ac3f342ca37daaa01ace9bb.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1156
    - C:\Windows\SysWOW64\PING.EXE (depth 3)
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1860
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 69c7e5b9ecfb43e48e4c5c9642e0e9fd
  SHA1: 4c414d05acc5ac8253326e2776ed69ff56a72330
  SHA256: 4d151701d07cdb3a4df0318f1c2ab7e282d7e1c97b4dd7275ffad90cd777cb0c
  SHA512: 88aaf5a17e173e5db86705d7f8c64c128e8d73865f4509d34f9fbfdc92efc0d7dc24b1cfa15992664870f70d45b4abbf8e648475dbb00464bb4ca25a982b28b6