Analysis
  max time kernel: 127s
  max time network: 136s
  platform: windows7_x64
  resource: win7-en-20211208
  submitted: 31-01-2022 00:41
Static task: static1
Behavioral task: behavioral1
  Sample: 5096ed81ec028361943f459672fbe36adb08d41fc51243596df1133588ab9f76.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 5096ed81ec028361943f459672fbe36adb08d41fc51243596df1133588ab9f76.exe
  Resource: win10-en-20211208
General
  Target: 5096ed81ec028361943f459672fbe36adb08d41fc51243596df1133588ab9f76.exe
  Size: 79KB
  MD5: 0ff96f4dbfe8aa9c49b489218d862cd7
  SHA1: b87ae231c0a79f865f6fe838b17b9263e114b1a8
  SHA256: 5096ed81ec028361943f459672fbe36adb08d41fc51243596df1133588ab9f76
  SHA512: 72d3f291b39c3cd74b3c638331b07a54ebebdb020fdf56b4ae5214e0b7a2934675d7379cbb77cfe87188676b5a686a4e27927798cdff737da38e73321b2c35c1
Malware Config
Signatures

Sakula Payload (3 IoCs)
  resource                                                       | yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe     | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe   | family_sakula
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe     | family_sakula

Executes dropped EXE (1 IoCs)
  pid | process
  808 | MediaCenter.exe

Deletes itself (1 IoCs)
  pid | process
  776 | cmd.exe

Loads dropped DLL (2 IoCs)
  pid  | process
  1520 | 5096ed81ec028361943f459672fbe36adb08d41fc51243596df1133588ab9f76.exe
  1520 | 5096ed81ec028361943f459672fbe36adb08d41fc51243596df1133588ab9f76.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
  description     | ioc                                                                                                                                                            | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 5096ed81ec028361943f459672fbe36adb08d41fc51243596df1133588ab9f76.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTPs, 1 IoCs)

Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description                     | pid  | process
  Token: SeIncBasePriorityPrivilege | 1520 | 5096ed81ec028361943f459672fbe36adb08d41fc51243596df1133588ab9f76.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  description                        | pid  | process                                                               | target process
  PID 1520 wrote to memory of 808    | 1520 | 5096ed81ec028361943f459672fbe36adb08d41fc51243596df1133588ab9f76.exe | MediaCenter.exe
  PID 1520 wrote to memory of 808    | 1520 | 5096ed81ec028361943f459672fbe36adb08d41fc51243596df1133588ab9f76.exe | MediaCenter.exe
  PID 1520 wrote to memory of 808    | 1520 | 5096ed81ec028361943f459672fbe36adb08d41fc51243596df1133588ab9f76.exe | MediaCenter.exe
  PID 1520 wrote to memory of 808    | 1520 | 5096ed81ec028361943f459672fbe36adb08d41fc51243596df1133588ab9f76.exe | MediaCenter.exe
  PID 1520 wrote to memory of 776    | 1520 | 5096ed81ec028361943f459672fbe36adb08d41fc51243596df1133588ab9f76.exe | cmd.exe
  PID 1520 wrote to memory of 776    | 1520 | 5096ed81ec028361943f459672fbe36adb08d41fc51243596df1133588ab9f76.exe | cmd.exe
  PID 1520 wrote to memory of 776    | 1520 | 5096ed81ec028361943f459672fbe36adb08d41fc51243596df1133588ab9f76.exe | cmd.exe
  PID 1520 wrote to memory of 776    | 1520 | 5096ed81ec028361943f459672fbe36adb08d41fc51243596df1133588ab9f76.exe | cmd.exe
  PID 776 wrote to memory of 1096    | 776  | cmd.exe                                                               | PING.EXE
  PID 776 wrote to memory of 1096    | 776  | cmd.exe                                                               | PING.EXE
  PID 776 wrote to memory of 1096    | 776  | cmd.exe                                                               | PING.EXE
  PID 776 wrote to memory of 1096    | 776  | cmd.exe                                                               | PING.EXE
Processes

1. C:\Users\Admin\AppData\Local\Temp\5096ed81ec028361943f459672fbe36adb08d41fc51243596df1133588ab9f76.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\5096ed81ec028361943f459672fbe36adb08d41fc51243596df1133588ab9f76.exe"
   PID: 1520
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      PID: 808
      - Executes dropped EXE

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\5096ed81ec028361943f459672fbe36adb08d41fc51243596df1133588ab9f76.exe"
      PID: 776
      - Deletes itself
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\PING.EXE
         Command line: ping 127.0.0.1
         PID: 1096
         - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
  MD5: 44a95a2e61e3cc087857ad1abfaa18e0
  SHA1: b7ad5ed59b8600eee835e95eed5ca432bffb9f0e
  SHA256: 35f92d768b25c37db57973811b89be8fb8b616971fcf7981c65ac3b1628324bc
  SHA512: f7b39d004ce693e0239507cd4dae034fa5b661e96ce7f3c75624cca48ea3df654d2d3a33351d5ed497e477097ae146d9ab712f4620c3943d823010d60b150a43