Analysis
- max time kernel: 135s
- max time network: 153s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 30-01-2022 19:40
Static task: static1
Behavioral task: behavioral1
  Sample: 8a955b35c86e3bfc05ca6654723179d766ad6960ecb8e768abd1f56c24102d78.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 8a955b35c86e3bfc05ca6654723179d766ad6960ecb8e768abd1f56c24102d78.exe
  Resource: win10-en-20211208
General
- Target: 8a955b35c86e3bfc05ca6654723179d766ad6960ecb8e768abd1f56c24102d78.exe
- Size: 89KB
- MD5: 492c59bddbcbe7cbd2f932655181fb08
- SHA1: 93229172020b93a506549d505148b5c9e80d643b
- SHA256: 8a955b35c86e3bfc05ca6654723179d766ad6960ecb8e768abd1f56c24102d78
- SHA512: 03591f35373f1a42fd2db8bd6da119e1cb06118820ee4113f23458b6efad30580427688b3af43657b51b74b7411c72245188a6e77cbc72b6a6782c73d94a50e3
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  Processes:
  resource | yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- Executes dropped EXE (1 IoCs)
  Processes:
  pid | process
  1664 | MediaCenter.exe
- Deletes itself (1 IoCs)
  Processes:
  pid | process
  816 | cmd.exe
- Loads dropped DLL (1 IoCs)
  Processes:
  pid | process
  952 | 8a955b35c86e3bfc05ca6654723179d766ad6960ecb8e768abd1f56c24102d78.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  process: 8a955b35c86e3bfc05ca6654723179d766ad6960ecb8e768abd1f56c24102d78.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 952 | 8a955b35c86e3bfc05ca6654723179d766ad6960ecb8e768abd1f56c24102d78.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
  description | pid | process | target process
  PID 952 wrote to memory of 1664 | 952 | 8a955b35c86e3bfc05ca6654723179d766ad6960ecb8e768abd1f56c24102d78.exe | MediaCenter.exe
  PID 952 wrote to memory of 1664 | 952 | 8a955b35c86e3bfc05ca6654723179d766ad6960ecb8e768abd1f56c24102d78.exe | MediaCenter.exe
  PID 952 wrote to memory of 1664 | 952 | 8a955b35c86e3bfc05ca6654723179d766ad6960ecb8e768abd1f56c24102d78.exe | MediaCenter.exe
  PID 952 wrote to memory of 1664 | 952 | 8a955b35c86e3bfc05ca6654723179d766ad6960ecb8e768abd1f56c24102d78.exe | MediaCenter.exe
  PID 952 wrote to memory of 816 | 952 | 8a955b35c86e3bfc05ca6654723179d766ad6960ecb8e768abd1f56c24102d78.exe | cmd.exe
  PID 952 wrote to memory of 816 | 952 | 8a955b35c86e3bfc05ca6654723179d766ad6960ecb8e768abd1f56c24102d78.exe | cmd.exe
  PID 952 wrote to memory of 816 | 952 | 8a955b35c86e3bfc05ca6654723179d766ad6960ecb8e768abd1f56c24102d78.exe | cmd.exe
  PID 952 wrote to memory of 816 | 952 | 8a955b35c86e3bfc05ca6654723179d766ad6960ecb8e768abd1f56c24102d78.exe | cmd.exe
  PID 816 wrote to memory of 1780 | 816 | cmd.exe | PING.EXE
  PID 816 wrote to memory of 1780 | 816 | cmd.exe | PING.EXE
  PID 816 wrote to memory of 1780 | 816 | cmd.exe | PING.EXE
  PID 816 wrote to memory of 1780 | 816 | cmd.exe | PING.EXE
Processes
- Image: C:\Users\Admin\AppData\Local\Temp\8a955b35c86e3bfc05ca6654723179d766ad6960ecb8e768abd1f56c24102d78.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8a955b35c86e3bfc05ca6654723179d766ad6960ecb8e768abd1f56c24102d78.exe"
  Level: 1
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 952
  - Image: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Level: 2
    - Executes dropped EXE
    PID: 1664
  - Image: C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\8a955b35c86e3bfc05ca6654723179d766ad6960ecb8e768abd1f56c24102d78.exe"
    Level: 2
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 816
    - Image: C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      Level: 3
      - Runs ping.exe
      PID: 1780
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 22143f7a5ca40b51a81c02e4e509ac78
  SHA1: ccb368839d359b632c45bf8a16b47fda503df4fd
  SHA256: 54aa321d7db6b27a1859f9e31a8af2b1c7514f978a3de1640db448c5bdfddf9b
  SHA512: 31fc0088792884ecab95d9021b0162fcc57e9e168ea504196fb4dd7651d4c9c61ce75a2103f69826147dea7786cd4210bda5874511d99fcc86873747203e9dc1