Analysis
- max time kernel: 122s
- max time network: 136s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 31-01-2022 01:07
Static task: static1
Behavioral task: behavioral1
  Sample: 47d544b11616e95f281b09cbb2df92b1baac7a1400b5c50505763ffe62dd7efb.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 47d544b11616e95f281b09cbb2df92b1baac7a1400b5c50505763ffe62dd7efb.exe
  Resource: win10-en-20211208
General
- Target: 47d544b11616e95f281b09cbb2df92b1baac7a1400b5c50505763ffe62dd7efb.exe
- Size: 79KB
- MD5: 06ec79f67ad8ede9a3bd0810d88e3539
- SHA1: 6b93386ba19c23fc031308da9c245e4e745bbb3e
- SHA256: 47d544b11616e95f281b09cbb2df92b1baac7a1400b5c50505763ffe62dd7efb
- SHA512: 33ee39b830f1964c5f45fc9aff6d96f954ef06263ba4c58a6a19fdd0de1afea8aceac5b232ec1861349b3e899ab825617db3d38a10fd1558f59344c49e6b5650
Malware Config
Signatures
- Sakula Payload (3 IoCs)
  Processes:
  resource | yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- Executes dropped EXE (1 IoC)
  Processes:
  pid | process
  1668 | MediaCenter.exe
- Deletes itself (1 IoC)
  Processes:
  pid | process
  1068 | cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes:
  pid | process
  604 | 47d544b11616e95f281b09cbb2df92b1baac7a1400b5c50505763ffe62dd7efb.exe
  604 | 47d544b11616e95f281b09cbb2df92b1baac7a1400b5c50505763ffe62dd7efb.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 47d544b11616e95f281b09cbb2df92b1baac7a1400b5c50505763ffe62dd7efb.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 604 | 47d544b11616e95f281b09cbb2df92b1baac7a1400b5c50505763ffe62dd7efb.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
  description | pid | process | target process
  PID 604 wrote to memory of 1668 | 604 | 47d544b11616e95f281b09cbb2df92b1baac7a1400b5c50505763ffe62dd7efb.exe | MediaCenter.exe
  PID 604 wrote to memory of 1668 | 604 | 47d544b11616e95f281b09cbb2df92b1baac7a1400b5c50505763ffe62dd7efb.exe | MediaCenter.exe
  PID 604 wrote to memory of 1668 | 604 | 47d544b11616e95f281b09cbb2df92b1baac7a1400b5c50505763ffe62dd7efb.exe | MediaCenter.exe
  PID 604 wrote to memory of 1668 | 604 | 47d544b11616e95f281b09cbb2df92b1baac7a1400b5c50505763ffe62dd7efb.exe | MediaCenter.exe
  PID 604 wrote to memory of 1068 | 604 | 47d544b11616e95f281b09cbb2df92b1baac7a1400b5c50505763ffe62dd7efb.exe | cmd.exe
  PID 604 wrote to memory of 1068 | 604 | 47d544b11616e95f281b09cbb2df92b1baac7a1400b5c50505763ffe62dd7efb.exe | cmd.exe
  PID 604 wrote to memory of 1068 | 604 | 47d544b11616e95f281b09cbb2df92b1baac7a1400b5c50505763ffe62dd7efb.exe | cmd.exe
  PID 604 wrote to memory of 1068 | 604 | 47d544b11616e95f281b09cbb2df92b1baac7a1400b5c50505763ffe62dd7efb.exe | cmd.exe
  PID 1068 wrote to memory of 360 | 1068 | cmd.exe | PING.EXE
  PID 1068 wrote to memory of 360 | 1068 | cmd.exe | PING.EXE
  PID 1068 wrote to memory of 360 | 1068 | cmd.exe | PING.EXE
  PID 1068 wrote to memory of 360 | 1068 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\47d544b11616e95f281b09cbb2df92b1baac7a1400b5c50505763ffe62dd7efb.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\47d544b11616e95f281b09cbb2df92b1baac7a1400b5c50505763ffe62dd7efb.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 604
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1668
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\47d544b11616e95f281b09cbb2df92b1baac7a1400b5c50505763ffe62dd7efb.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1068
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 360
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 81d559e7dea47aab50eb1f89005401cf
  SHA1: 3ab1946f90d385c7cf61a29021fc5732e3035e45
  SHA256: 2deb7e1974b1c6a7f3798fc116445971c01ce08337f07ce91238c0badcbed2d8
  SHA512: c557a50ae33659b844e0ab666aa98565c3d0ba4f1f892c83d0b936f398499c8c540f7d9645e135b68aa4cc83dc50569440117c1529629c19ccc939d933aa83c8
- MD5: 81d559e7dea47aab50eb1f89005401cf
  SHA1: 3ab1946f90d385c7cf61a29021fc5732e3035e45
  SHA256: 2deb7e1974b1c6a7f3798fc116445971c01ce08337f07ce91238c0badcbed2d8
  SHA512: c557a50ae33659b844e0ab666aa98565c3d0ba4f1f892c83d0b936f398499c8c540f7d9645e135b68aa4cc83dc50569440117c1529629c19ccc939d933aa83c8
- MD5: 81d559e7dea47aab50eb1f89005401cf
  SHA1: 3ab1946f90d385c7cf61a29021fc5732e3035e45
  SHA256: 2deb7e1974b1c6a7f3798fc116445971c01ce08337f07ce91238c0badcbed2d8
  SHA512: c557a50ae33659b844e0ab666aa98565c3d0ba4f1f892c83d0b936f398499c8c540f7d9645e135b68aa4cc83dc50569440117c1529629c19ccc939d933aa83c8