Analysis
- max time kernel: 142s
- max time network: 168s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 30-01-2022 20:47
Static task: static1
Behavioral task: behavioral1
- Sample: 9a2a8d85677aba13c8b287580601052c9156f7d37a8e8b9d9ba4c6453f048537.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 9a2a8d85677aba13c8b287580601052c9156f7d37a8e8b9d9ba4c6453f048537.exe
- Resource: win10-en-20211208
General
- Target: 9a2a8d85677aba13c8b287580601052c9156f7d37a8e8b9d9ba4c6453f048537.exe
- Size: 320KB
- MD5: 372aa07662fb5779c8bf16d46fb58acb
- SHA1: 5b5bce07b669039db3b8738538fad9cd898a9807
- SHA256: 9a2a8d85677aba13c8b287580601052c9156f7d37a8e8b9d9ba4c6453f048537
- SHA512: f958ce972fdaaa26da8ca810813146157ac8c4550fef2a79dfd4c2ae7a527108bb6bf5660bc3528bc6db53d6086d59dc87c542527288674faedbed6980a9dca8
Malware Config
Signatures
- Sakula Payload (3 IoCs)
  Processes:
    resource: \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe, yara_rule: family_sakula
    resource: \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe, yara_rule: family_sakula
    resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe, yara_rule: family_sakula
- Executes dropped EXE (1 IoC)
  Processes: MediaCenter.exe
    pid: 1052, process: MediaCenter.exe
- Deletes itself (1 IoC)
  Processes: cmd.exe
    pid: 1828, process: cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes: 9a2a8d85677aba13c8b287580601052c9156f7d37a8e8b9d9ba4c6453f048537.exe
    pid: 808, process: 9a2a8d85677aba13c8b287580601052c9156f7d37a8e8b9d9ba4c6453f048537.exe
    pid: 808, process: 9a2a8d85677aba13c8b287580601052c9156f7d37a8e8b9d9ba4c6453f048537.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: 9a2a8d85677aba13c8b287580601052c9156f7d37a8e8b9d9ba4c6453f048537.exe
    description: Set value (str), ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe", process: 9a2a8d85677aba13c8b287580601052c9156f7d37a8e8b9d9ba4c6453f048537.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: 9a2a8d85677aba13c8b287580601052c9156f7d37a8e8b9d9ba4c6453f048537.exe
    description: Token: SeIncBasePriorityPrivilege, pid: 808, process: 9a2a8d85677aba13c8b287580601052c9156f7d37a8e8b9d9ba4c6453f048537.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes: 9a2a8d85677aba13c8b287580601052c9156f7d37a8e8b9d9ba4c6453f048537.exe, cmd.exe
    description: PID 808 wrote to memory of 1052, pid: 808, process: 9a2a8d85677aba13c8b287580601052c9156f7d37a8e8b9d9ba4c6453f048537.exe, target process: MediaCenter.exe (4 identical entries)
    description: PID 808 wrote to memory of 1828, pid: 808, process: 9a2a8d85677aba13c8b287580601052c9156f7d37a8e8b9d9ba4c6453f048537.exe, target process: cmd.exe (4 identical entries)
    description: PID 1828 wrote to memory of 1112, pid: 1828, process: cmd.exe, target process: PING.EXE (4 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\9a2a8d85677aba13c8b287580601052c9156f7d37a8e8b9d9ba4c6453f048537.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\9a2a8d85677aba13c8b287580601052c9156f7d37a8e8b9d9ba4c6453f048537.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 808
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1052
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\9a2a8d85677aba13c8b287580601052c9156f7d37a8e8b9d9ba4c6453f048537.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1828
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1112
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 122fc3b416452bf8d02703c67706fdce
- SHA1: 43b711e87610cd04a56db74013f88084a1cab532
- SHA256: 35ef4ce303f6651d95b7b8e37e4bc0a1ccd1c411783acbbf4e1c7d172d10103a
- SHA512: bfa3003e1e45199235bece7fbe8578f1b399c36b118c7247610aa561f0e0ee408451f57b7134a7a7c9e29a22433c7ac584a55e901476fc3f860054f1ba3ab35d