Analysis
- max time kernel: 139s
- max time network: 148s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 31-01-2022 00:54
Static task: static1
Behavioral task: behavioral1
- Sample: 415dc126af775a928a51c872a6513d6ac9f5dcd84e00734b409d58a5922de96e.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 415dc126af775a928a51c872a6513d6ac9f5dcd84e00734b409d58a5922de96e.exe
- Resource: win10-en-20211208
General
- Target: 415dc126af775a928a51c872a6513d6ac9f5dcd84e00734b409d58a5922de96e.exe
- Size: 79KB
- MD5: 0b6a0ca44e47609910d978ffb1ee49c6
- SHA1: e0fee9ccd0368f6f3acf0e9f2885dccd8f8b5359
- SHA256: 415dc126af775a928a51c872a6513d6ac9f5dcd84e00734b409d58a5922de96e
- SHA512: 3fd47a464cb2110d3d4127a09fc85d60ded77c9e385e290253e92051910b555b6b649e9c91069b776b6403d310a19277da4ec6d344a9622954cf1ed534bf758a
Malware Config
Signatures
- Sakula Payload 3 IoCs
  Processes (resource | yara_rule):
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- Executes dropped EXE 1 IoCs
  Processes (pid | process):
  864 | MediaCenter.exe
- Deletes itself 1 IoCs
  Processes (pid | process):
  2000 | cmd.exe
- Loads dropped DLL 2 IoCs
  Processes (pid | process):
  1284 | 415dc126af775a928a51c872a6513d6ac9f5dcd84e00734b409d58a5922de96e.exe
  1284 | 415dc126af775a928a51c872a6513d6ac9f5dcd84e00734b409d58a5922de96e.exe
- Adds Run key to start application 2 TTPs 1 IoCs
  Processes (description | ioc | process):
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 415dc126af775a928a51c872a6513d6ac9f5dcd84e00734b409d58a5922de96e.exe
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe 1 TTPs 1 IoCs
- Suspicious use of AdjustPrivilegeToken 1 IoCs
  Processes (description | pid | process):
  Token: SeIncBasePriorityPrivilege | 1284 | 415dc126af775a928a51c872a6513d6ac9f5dcd84e00734b409d58a5922de96e.exe
- Suspicious use of WriteProcessMemory 12 IoCs
  Processes (description | pid | process | target process):
  PID 1284 wrote to memory of 864 | 1284 | 415dc126af775a928a51c872a6513d6ac9f5dcd84e00734b409d58a5922de96e.exe | MediaCenter.exe
  PID 1284 wrote to memory of 864 | 1284 | 415dc126af775a928a51c872a6513d6ac9f5dcd84e00734b409d58a5922de96e.exe | MediaCenter.exe
  PID 1284 wrote to memory of 864 | 1284 | 415dc126af775a928a51c872a6513d6ac9f5dcd84e00734b409d58a5922de96e.exe | MediaCenter.exe
  PID 1284 wrote to memory of 864 | 1284 | 415dc126af775a928a51c872a6513d6ac9f5dcd84e00734b409d58a5922de96e.exe | MediaCenter.exe
  PID 1284 wrote to memory of 2000 | 1284 | 415dc126af775a928a51c872a6513d6ac9f5dcd84e00734b409d58a5922de96e.exe | cmd.exe
  PID 1284 wrote to memory of 2000 | 1284 | 415dc126af775a928a51c872a6513d6ac9f5dcd84e00734b409d58a5922de96e.exe | cmd.exe
  PID 1284 wrote to memory of 2000 | 1284 | 415dc126af775a928a51c872a6513d6ac9f5dcd84e00734b409d58a5922de96e.exe | cmd.exe
  PID 1284 wrote to memory of 2000 | 1284 | 415dc126af775a928a51c872a6513d6ac9f5dcd84e00734b409d58a5922de96e.exe | cmd.exe
  PID 2000 wrote to memory of 1984 | 2000 | cmd.exe | PING.EXE
  PID 2000 wrote to memory of 1984 | 2000 | cmd.exe | PING.EXE
  PID 2000 wrote to memory of 1984 | 2000 | cmd.exe | PING.EXE
  PID 2000 wrote to memory of 1984 | 2000 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\415dc126af775a928a51c872a6513d6ac9f5dcd84e00734b409d58a5922de96e.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\415dc126af775a928a51c872a6513d6ac9f5dcd84e00734b409d58a5922de96e.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1284
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 864
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\415dc126af775a928a51c872a6513d6ac9f5dcd84e00734b409d58a5922de96e.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 2000
    - C:\Windows\SysWOW64\PING.EXE (depth 3)
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1984
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: b6865743e3424d21a19e383c22e226c1
  SHA1: 6ab56152fa2ce88f424b78096886162d64cea9f3
  SHA256: fd67c3da71bff7bbbab8356a6133c5fdc03a0270b4aa0a7073167afcff9d64d8
  SHA512: bcfb6007940971298212b69c255a672438d937e3cb372b3af3ab4fbcbdb523bb8ddca382ec0a5a3a11a4376b69b6c95b4d5407937b3b556eace818b3ee7f3d4d