Analysis
- max time kernel: 140s
- max time network: 139s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 30-01-2022 20:13
Static task
- static1
Behavioral task
- behavioral1
  Sample: 34539aa85fcdbd8169a9648c63b7cbc74f4bc0ca7881fd2e03ef7fe1281d0c1c.exe
  Resource: win7-en-20211208
Behavioral task
- behavioral2
  Sample: 34539aa85fcdbd8169a9648c63b7cbc74f4bc0ca7881fd2e03ef7fe1281d0c1c.exe
  Resource: win10-en-20211208
General
- Target: 34539aa85fcdbd8169a9648c63b7cbc74f4bc0ca7881fd2e03ef7fe1281d0c1c.exe
- Size: 89KB
- MD5: 4297e98e6d7ea326dee3d13e53aa8d70
- SHA1: 58048d8322e3648d6a3ece2ec9038d438c687710
- SHA256: 34539aa85fcdbd8169a9648c63b7cbc74f4bc0ca7881fd2e03ef7fe1281d0c1c
- SHA512: 4d312269a502d664e82683d9cc54dc9a5cc080223af8bd3c3c17981008dcbc2a53499a30d69a55dc0dbe2e86d6877b8c04e701bacfe0df1d95c83799952aa130
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  Processes:
    resource | yara_rule
    \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- Executes dropped EXE (1 IoC)
  Processes:
    pid | process
    1648 | MediaCenter.exe
- Deletes itself (1 IoC)
  Processes:
    pid | process
    1056 | cmd.exe
- Loads dropped DLL (1 IoC)
  Processes:
    pid | process
    984 | 34539aa85fcdbd8169a9648c63b7cbc74f4bc0ca7881fd2e03ef7fe1281d0c1c.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    description | ioc | process
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 34539aa85fcdbd8169a9648c63b7cbc74f4bc0ca7881fd2e03ef7fe1281d0c1c.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description | pid | process
    Token: SeIncBasePriorityPrivilege | 984 | 34539aa85fcdbd8169a9648c63b7cbc74f4bc0ca7881fd2e03ef7fe1281d0c1c.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
    description | pid | process | target process
    PID 984 wrote to memory of 1648 | 984 | 34539aa85fcdbd8169a9648c63b7cbc74f4bc0ca7881fd2e03ef7fe1281d0c1c.exe | MediaCenter.exe
    PID 984 wrote to memory of 1648 | 984 | 34539aa85fcdbd8169a9648c63b7cbc74f4bc0ca7881fd2e03ef7fe1281d0c1c.exe | MediaCenter.exe
    PID 984 wrote to memory of 1648 | 984 | 34539aa85fcdbd8169a9648c63b7cbc74f4bc0ca7881fd2e03ef7fe1281d0c1c.exe | MediaCenter.exe
    PID 984 wrote to memory of 1648 | 984 | 34539aa85fcdbd8169a9648c63b7cbc74f4bc0ca7881fd2e03ef7fe1281d0c1c.exe | MediaCenter.exe
    PID 984 wrote to memory of 1056 | 984 | 34539aa85fcdbd8169a9648c63b7cbc74f4bc0ca7881fd2e03ef7fe1281d0c1c.exe | cmd.exe
    PID 984 wrote to memory of 1056 | 984 | 34539aa85fcdbd8169a9648c63b7cbc74f4bc0ca7881fd2e03ef7fe1281d0c1c.exe | cmd.exe
    PID 984 wrote to memory of 1056 | 984 | 34539aa85fcdbd8169a9648c63b7cbc74f4bc0ca7881fd2e03ef7fe1281d0c1c.exe | cmd.exe
    PID 984 wrote to memory of 1056 | 984 | 34539aa85fcdbd8169a9648c63b7cbc74f4bc0ca7881fd2e03ef7fe1281d0c1c.exe | cmd.exe
    PID 1056 wrote to memory of 240 | 1056 | cmd.exe | PING.EXE
    PID 1056 wrote to memory of 240 | 1056 | cmd.exe | PING.EXE
    PID 1056 wrote to memory of 240 | 1056 | cmd.exe | PING.EXE
    PID 1056 wrote to memory of 240 | 1056 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\34539aa85fcdbd8169a9648c63b7cbc74f4bc0ca7881fd2e03ef7fe1281d0c1c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\34539aa85fcdbd8169a9648c63b7cbc74f4bc0ca7881fd2e03ef7fe1281d0c1c.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 984
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1648
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\34539aa85fcdbd8169a9648c63b7cbc74f4bc0ca7881fd2e03ef7fe1281d0c1c.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1056
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 240
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 14666966312cb8a6f44b05b9edc20184
  SHA1: 894a0da875558da98f5486cba68c26f35e7bcffd
  SHA256: 6890949da7b8500382c7c4c6b09cf449a4b5e69e74657d64925b8b8966bfb5ee
  SHA512: 64c72ca03b7efd8de2b7f2b238805008b3aea71c743fd235b3428c1202e9011d13328607dbf512e4dc607413f6186a2f636bbff8dff9214ffd28194c333899d9
- MD5: 14666966312cb8a6f44b05b9edc20184
  SHA1: 894a0da875558da98f5486cba68c26f35e7bcffd
  SHA256: 6890949da7b8500382c7c4c6b09cf449a4b5e69e74657d64925b8b8966bfb5ee
  SHA512: 64c72ca03b7efd8de2b7f2b238805008b3aea71c743fd235b3428c1202e9011d13328607dbf512e4dc607413f6186a2f636bbff8dff9214ffd28194c333899d9