Analysis
max time kernel
146s
max time network
146s
platform
windows7_x64
resource
win7-en-20211208
submitted
31-01-2022 00:10
Static task
static1
Behavioral task
behavioral1
Sample
c6088899bcb77e5d642999ebb0f440e28b795007735023b38d4965c0ae02a05e.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
c6088899bcb77e5d642999ebb0f440e28b795007735023b38d4965c0ae02a05e.exe
Resource
win10-en-20211208
General
Target
c6088899bcb77e5d642999ebb0f440e28b795007735023b38d4965c0ae02a05e.exe
Size
89KB
MD5
2ca3f59590a5aeab648f292bf19f4a5e
SHA1
bf3cb57d73c580f710388c9d574de074bbca5d7a
SHA256
c6088899bcb77e5d642999ebb0f440e28b795007735023b38d4965c0ae02a05e
SHA512
c0ce4574fd307e9f2069fc2f390a935fc1dc1f4a0c0f2711ad69ae14da07bb037c6d4d51917f36a012e428e544b760776265a0ead6adb67fee7c1496f4c25ca2
Malware Config
Signatures
Sakula Payload 2 IoCs
resource                                                        yara_rule
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe      family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe    family_sakula

Executes dropped EXE 1 IoCs
pid     process
1740    MediaCenter.exe

Deletes itself 1 IoCs
pid     process
1780    cmd.exe

Loads dropped DLL 1 IoCs
pid     process
1288    c6088899bcb77e5d642999ebb0f440e28b795007735023b38d4965c0ae02a05e.exe

Adds Run key to start application 2 TTPs 1 IoCs
description    Set value (str)
ioc            \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
process        c6088899bcb77e5d642999ebb0f440e28b795007735023b38d4965c0ae02a05e.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
(This is the sandbox's generic description for the signature. Nothing else in this report shows file encryption or a ransom note, and the family_sakula YARA match above identifies a remote-access trojan, so read this as drive enumeration by a backdoor rather than as ransomware.)
Runs ping.exe 1 TTPs 1 IoCs
(PING.EXE, PID 432, launched by cmd.exe; see the process tree below.)

Suspicious use of AdjustPrivilegeToken 1 IoCs
description                             pid     process
Token: SeIncBasePriorityPrivilege       1288    c6088899bcb77e5d642999ebb0f440e28b795007735023b38d4965c0ae02a05e.exe

Suspicious use of WriteProcessMemory 12 IoCs
description                         pid     process                                                                 target process
PID 1288 wrote to memory of 1740    1288    c6088899bcb77e5d642999ebb0f440e28b795007735023b38d4965c0ae02a05e.exe   MediaCenter.exe
PID 1288 wrote to memory of 1740    1288    c6088899bcb77e5d642999ebb0f440e28b795007735023b38d4965c0ae02a05e.exe   MediaCenter.exe
PID 1288 wrote to memory of 1740    1288    c6088899bcb77e5d642999ebb0f440e28b795007735023b38d4965c0ae02a05e.exe   MediaCenter.exe
PID 1288 wrote to memory of 1740    1288    c6088899bcb77e5d642999ebb0f440e28b795007735023b38d4965c0ae02a05e.exe   MediaCenter.exe
PID 1288 wrote to memory of 1780    1288    c6088899bcb77e5d642999ebb0f440e28b795007735023b38d4965c0ae02a05e.exe   cmd.exe
PID 1288 wrote to memory of 1780    1288    c6088899bcb77e5d642999ebb0f440e28b795007735023b38d4965c0ae02a05e.exe   cmd.exe
PID 1288 wrote to memory of 1780    1288    c6088899bcb77e5d642999ebb0f440e28b795007735023b38d4965c0ae02a05e.exe   cmd.exe
PID 1288 wrote to memory of 1780    1288    c6088899bcb77e5d642999ebb0f440e28b795007735023b38d4965c0ae02a05e.exe   cmd.exe
PID 1780 wrote to memory of 432     1780    cmd.exe                                                                 PING.EXE
PID 1780 wrote to memory of 432     1780    cmd.exe                                                                 PING.EXE
PID 1780 wrote to memory of 432     1780    cmd.exe                                                                 PING.EXE
PID 1780 wrote to memory of 432     1780    cmd.exe                                                                 PING.EXE
Processes
1  C:\Users\Admin\AppData\Local\Temp\c6088899bcb77e5d642999ebb0f440e28b795007735023b38d4965c0ae02a05e.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\c6088899bcb77e5d642999ebb0f440e28b795007735023b38d4965c0ae02a05e.exe"
   PID: 1288
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      PID: 1740
      - Executes dropped EXE
   2  C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\c6088899bcb77e5d642999ebb0f440e28b795007735023b38d4965c0ae02a05e.exe"
      PID: 1780
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      3  C:\Windows\SysWOW64\PING.EXE
         command line: ping 127.0.0.1
         PID: 432
         - Runs ping.exe

Two details are worth reading off this tree. First, the command line names System32\cmd.exe but the image that actually ran is SysWOW64\cmd.exe, and the Run key landed under Wow6432Node: the sample is a 32-bit binary running under WoW64 on this x64 host, so file-system and registry redirection apply when hunting for its artifacts. Second, the cmd.exe child is the standard self-delete idiom: ping 127.0.0.1 is a short sleep that lets the parent (PID 1288) exit and release its file handle before del /q removes the original executable, so after execution only the dropped MediaCenter.exe, persisted through the Run key, remains on disk.
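Detection logic for the two behaviours this tree and the Run-key signature record, the cmd.exe self-delete and the autostart value pointing into the user's Temp directory, as an added example that is not part of the sandbox report or the sample. The events are constructed from the report's process tree and Run-key IoC (not real log output), and the field names (event, pid, ppid, image, cmdline, target_object, details) are an assumption loosely modelled on Sysmon event IDs 1 and 13; PID 900 for the launcher is likewise assumed. The self-delete rule goes slightly beyond the single command line in the report by also accepting the common variants (ping -n N, localhost, > nul, del switches).

```python
"""Detection logic for two behaviours recorded in this report:

  * a process that spawns cmd.exe to run `ping 127.0.0.1 & del /q "<path>"`
    where <path> is the parent's own image (self-deletion after a ping delay);
  * a Run key value whose data points into a user-writable directory.

The events below are constructed from the report's process tree and Run-key
IoC; they are not real Sysmon output, and the field names are an assumption
loosely modelled on Sysmon event ID 1 (process create) and 13 (registry set).
"""
import ntpath
import re

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\c6088899bcb77e5d642999ebb0f440e28b795007735023b38d4965c0ae02a05e.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
RUN_VALUE = r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia"
CMD_LINE = '"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "%s"' % SAMPLE

EVENTS = [  # constructed; PIDs match the report, 900 is an assumed launcher
    {"event": 1, "pid": 1288, "ppid": 900, "image": SAMPLE, "cmdline": '"%s"' % SAMPLE},
    {"event": 1, "pid": 1740, "ppid": 1288, "image": DROPPED, "cmdline": DROPPED},
    {"event": 1, "pid": 1780, "ppid": 1288, "image": r"C:\Windows\SysWOW64\cmd.exe", "cmdline": CMD_LINE},
    {"event": 1, "pid": 432, "ppid": 1780, "image": r"C:\Windows\SysWOW64\PING.EXE", "cmdline": "ping 127.0.0.1"},
    {"event": 13, "pid": 1288, "image": SAMPLE, "target_object": RUN_VALUE, "details": DROPPED},
    # benign control: a script pinging a gateway with no deletion chained on
    {"event": 1, "pid": 2000, "ppid": 900, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c ping -n 4 10.0.0.1"},
]

# ping to loopback (optionally with -n <count>), anything up to '&' or '&&',
# then del with optional /x switches and a quoted or bare path at the end.
SELF_DELETE_RE = re.compile(
    r'ping(?:\.exe)?\s+(?:-n\s+\d+\s+)?(?:127\.0\.0\.1|localhost)\b[^&]*&+\s*'
    r'del\s+(?:/[a-z]\s+)*"?(?P<target>[^"&]+?)"?\s*$',
    re.IGNORECASE,
)
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.IGNORECASE)
USER_WRITABLE_RE = re.compile(
    r"\\AppData\\(?:Local|Roaming)\\|\\Temp\\|\\ProgramData\\|\\Users\\Public\\", re.IGNORECASE
)


def find_self_deletion(events):
    """Return (cmd_pid, parent_pid, deleted_path) for each cmd.exe whose
    ping-then-del command line targets its own parent's image."""
    by_pid = {e["pid"]: e for e in events if e["event"] == 1}
    hits = []
    for e in events:
        if e["event"] != 1 or not ntpath.normcase(e["image"]).endswith("\\cmd.exe"):
            continue
        m = SELF_DELETE_RE.search(e["cmdline"])
        parent = by_pid.get(e["ppid"])
        if m and parent and ntpath.normcase(m.group("target").strip()) == ntpath.normcase(parent["image"]):
            hits.append((e["pid"], parent["pid"], m.group("target").strip()))
    return hits


def _first_path(value_data):
    """Pull the executable path out of Run-key data that may be quoted or carry arguments."""
    data = value_data.strip()
    if data.startswith('"'):
        return data[1:].split('"', 1)[0]
    return data.split(" ", 1)[0]


def find_suspicious_run_keys(events):
    """Return (pid, value_name, path) for Run/RunOnce values that point at user-writable locations."""
    hits = []
    for e in events:
        if e["event"] != 13 or not RUN_KEY_RE.search(e["target_object"]):
            continue
        path = _first_path(e["details"])
        if USER_WRITABLE_RE.search(path):
            hits.append((e["pid"], e["target_object"], path))
    return hits


if __name__ == "__main__":
    for hit in find_self_deletion(EVENTS):
        print("self-delete: cmd pid %d removed image of pid %d: %s" % hit)
    for hit in find_suspicious_run_keys(EVENTS):
        print("persistence: pid %d set %s -> %s" % hit)
```

The self-delete check keys on the parent relationship rather than on the command line alone: a cmd.exe that deletes some unrelated file after a ping is routine scripting noise, whereas one that deletes the image of the process that launched it is exactly the pattern above (PID 1780 removing the image of PID 1288). The Run-key check flags the location, not the value name, so it would still fire if the attacker renamed MicroMedia; in a real pipeline the constructed dictionaries would be replaced by Sysmon EventID 1 and 13 records.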
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5
a499eb744b45d78d47473ebf8c2dbc5e
SHA1
e6fc18f914bd96bf86d722aa9f950fb352115553
SHA256
d6a2ae333c9a86b33ce4a4aae2c595dab23e2eecdf3c41b0d001c2ad4d66d7aa
SHA512
2b10887cd51ead136163de0b1714efeb533d4f6e825ebb47a57d23ec2fcc8ff2a643b1661eeb5d0c4f71cd1e59c1554ad95a78c56288acf3d9b91c2d5c1c31de