Analysis
- max time kernel: 118s
- max time network: 127s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 03:28
Static task: static1
Behavioral task: behavioral1
  Sample: 179158835971a436bd772b42e8722789bbe0b5834526fe63ead565eb4bf278d3.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 179158835971a436bd772b42e8722789bbe0b5834526fe63ead565eb4bf278d3.exe
  Resource: win10v2004-en-20220112
General
- Target: 179158835971a436bd772b42e8722789bbe0b5834526fe63ead565eb4bf278d3.exe
- Size: 101KB
- MD5: f5a1aae9180bfc2b94e107c28137ed02
- SHA1: 0f036369680bc684eefd7ff3ab246f32d394ba27
- SHA256: 179158835971a436bd772b42e8722789bbe0b5834526fe63ead565eb4bf278d3
- SHA512: 102fa17d91a079dccb18818feb6a841becd5071f3dbd6ac931252bfaea09cae6c2bacd73adcbd809c42809ef81155482110e12a6d691353bde84dd141b5a15a2
Malware Config
Signatures
Sakula Payload 3 IoCs
Processes (resource -> yara_rule):
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe -> family_sakula
- \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe -> family_sakula
- \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe -> family_sakula
Executes dropped EXE 1 IoCs
Processes (pid, process):
- 1096 MediaCenter.exe
Deletes itself 1 IoCs
Processes (pid, process):
- 1224 cmd.exe
Loads dropped DLL 2 IoCs
Processes (pid, process):
- 840 179158835971a436bd772b42e8722789bbe0b5834526fe63ead565eb4bf278d3.exe
- 840 179158835971a436bd772b42e8722789bbe0b5834526fe63ead565eb4bf278d3.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes (description, ioc, process):
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" 179158835971a436bd772b42e8722789bbe0b5834526fe63ead565eb4bf278d3.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Runs ping.exe 1 TTPs 1 IoCs
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes (description, pid, process):
- Token: SeIncBasePriorityPrivilege 840 179158835971a436bd772b42e8722789bbe0b5834526fe63ead565eb4bf278d3.exe
Suspicious use of WriteProcessMemory 12 IoCs
Processes (description, pid, process, target process):
- PID 840 wrote to memory of 1096 840 179158835971a436bd772b42e8722789bbe0b5834526fe63ead565eb4bf278d3.exe MediaCenter.exe
- PID 840 wrote to memory of 1096 840 179158835971a436bd772b42e8722789bbe0b5834526fe63ead565eb4bf278d3.exe MediaCenter.exe
- PID 840 wrote to memory of 1096 840 179158835971a436bd772b42e8722789bbe0b5834526fe63ead565eb4bf278d3.exe MediaCenter.exe
- PID 840 wrote to memory of 1096 840 179158835971a436bd772b42e8722789bbe0b5834526fe63ead565eb4bf278d3.exe MediaCenter.exe
- PID 840 wrote to memory of 1224 840 179158835971a436bd772b42e8722789bbe0b5834526fe63ead565eb4bf278d3.exe cmd.exe
- PID 840 wrote to memory of 1224 840 179158835971a436bd772b42e8722789bbe0b5834526fe63ead565eb4bf278d3.exe cmd.exe
- PID 840 wrote to memory of 1224 840 179158835971a436bd772b42e8722789bbe0b5834526fe63ead565eb4bf278d3.exe cmd.exe
- PID 840 wrote to memory of 1224 840 179158835971a436bd772b42e8722789bbe0b5834526fe63ead565eb4bf278d3.exe cmd.exe
- PID 1224 wrote to memory of 632 1224 cmd.exe PING.EXE
- PID 1224 wrote to memory of 632 1224 cmd.exe PING.EXE
- PID 1224 wrote to memory of 632 1224 cmd.exe PING.EXE
- PID 1224 wrote to memory of 632 1224 cmd.exe PING.EXE
Processes
- [level 1] C:\Users\Admin\AppData\Local\Temp\179158835971a436bd772b42e8722789bbe0b5834526fe63ead565eb4bf278d3.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\179158835971a436bd772b42e8722789bbe0b5834526fe63ead565eb4bf278d3.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 840
  - [level 2] C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1096
  - [level 2] C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\179158835971a436bd772b42e8722789bbe0b5834526fe63ead565eb4bf278d3.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1224
    - [level 3] C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 632
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: a3636f675b4e21d1d2c2e74e56abe8f9
  SHA1: 5823bc0e0ab3ad208af8c21ea1be963f6045f8d8
  SHA256: 4b39ecea55dda4bec3ce64e5b964496203dc0525720327beee005bb7f4815969
  SHA512: 39d2bbd50cf07fcf9d01d511a326e39646cd796784416961ab7db36b04abc6c09f3afbbb2b7a6f2768a6b45d85a5b80c0763517e19fa5272687994acf9714a7f