Analysis
- max time kernel: 123s
- max time network: 127s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 03:32
Static task: static1
Behavioral task: behavioral1
- Sample: 1767c64dfeee3df386f20ef7297b42719a1dd34e1c7411684d6d4e762f3b2c7e.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 1767c64dfeee3df386f20ef7297b42719a1dd34e1c7411684d6d4e762f3b2c7e.exe
- Resource: win10v2004-en-20220112
General
- Target: 1767c64dfeee3df386f20ef7297b42719a1dd34e1c7411684d6d4e762f3b2c7e.exe
- Size: 168KB
- MD5: 1277754a9e270620875e4962c2280312
- SHA1: 1a7bdc81edb913e6773a5350b6a3e9dce45ee96e
- SHA256: 1767c64dfeee3df386f20ef7297b42719a1dd34e1c7411684d6d4e762f3b2c7e
- SHA512: 1fdb883d59de4fe819b95419c14cacb4c7ce36ea935139f0dfda45067a1c86faa0e0b2befbf758b8f50d06f2e535e384b34e9d97b7d6908f2b27bcf1b1bc3d33
Malware Config
Signatures
- Sakula Payload (4 IoCs)
  Processes:
  resource | yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  behavioral1/memory/1880-57-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
  behavioral1/memory/1212-58-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
- Executes dropped EXE (1 IoC)
  Processes: MediaCenter.exe
  pid | process
  1212 | MediaCenter.exe
- Deletes itself (1 IoC)
  Processes: cmd.exe
  pid | process
  1996 | cmd.exe
- Loads dropped DLL (1 IoC)
  Processes: 1767c64dfeee3df386f20ef7297b42719a1dd34e1c7411684d6d4e762f3b2c7e.exe
  pid | process
  1880 | 1767c64dfeee3df386f20ef7297b42719a1dd34e1c7411684d6d4e762f3b2c7e.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: 1767c64dfeee3df386f20ef7297b42719a1dd34e1c7411684d6d4e762f3b2c7e.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 1767c64dfeee3df386f20ef7297b42719a1dd34e1c7411684d6d4e762f3b2c7e.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: 1767c64dfeee3df386f20ef7297b42719a1dd34e1c7411684d6d4e762f3b2c7e.exe
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 1880 | 1767c64dfeee3df386f20ef7297b42719a1dd34e1c7411684d6d4e762f3b2c7e.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes: 1767c64dfeee3df386f20ef7297b42719a1dd34e1c7411684d6d4e762f3b2c7e.exe, cmd.exe
  description | pid | process | target process
  PID 1880 wrote to memory of 1212 | 1880 | 1767c64dfeee3df386f20ef7297b42719a1dd34e1c7411684d6d4e762f3b2c7e.exe | MediaCenter.exe
  PID 1880 wrote to memory of 1212 | 1880 | 1767c64dfeee3df386f20ef7297b42719a1dd34e1c7411684d6d4e762f3b2c7e.exe | MediaCenter.exe
  PID 1880 wrote to memory of 1212 | 1880 | 1767c64dfeee3df386f20ef7297b42719a1dd34e1c7411684d6d4e762f3b2c7e.exe | MediaCenter.exe
  PID 1880 wrote to memory of 1212 | 1880 | 1767c64dfeee3df386f20ef7297b42719a1dd34e1c7411684d6d4e762f3b2c7e.exe | MediaCenter.exe
  PID 1880 wrote to memory of 1996 | 1880 | 1767c64dfeee3df386f20ef7297b42719a1dd34e1c7411684d6d4e762f3b2c7e.exe | cmd.exe
  PID 1880 wrote to memory of 1996 | 1880 | 1767c64dfeee3df386f20ef7297b42719a1dd34e1c7411684d6d4e762f3b2c7e.exe | cmd.exe
  PID 1880 wrote to memory of 1996 | 1880 | 1767c64dfeee3df386f20ef7297b42719a1dd34e1c7411684d6d4e762f3b2c7e.exe | cmd.exe
  PID 1880 wrote to memory of 1996 | 1880 | 1767c64dfeee3df386f20ef7297b42719a1dd34e1c7411684d6d4e762f3b2c7e.exe | cmd.exe
  PID 1996 wrote to memory of 1172 | 1996 | cmd.exe | PING.EXE
  PID 1996 wrote to memory of 1172 | 1996 | cmd.exe | PING.EXE
  PID 1996 wrote to memory of 1172 | 1996 | cmd.exe | PING.EXE
  PID 1996 wrote to memory of 1172 | 1996 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\1767c64dfeee3df386f20ef7297b42719a1dd34e1c7411684d6d4e762f3b2c7e.exe (depth 1, PID 1880)
  Command line: "C:\Users\Admin\AppData\Local\Temp\1767c64dfeee3df386f20ef7297b42719a1dd34e1c7411684d6d4e762f3b2c7e.exe"
  Signatures:
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Children:
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (depth 2, PID 1212)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Signatures:
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (depth 2, PID 1996)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\1767c64dfeee3df386f20ef7297b42719a1dd34e1c7411684d6d4e762f3b2c7e.exe"
    Signatures:
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    Children:
    - C:\Windows\SysWOW64\PING.EXE (depth 3, PID 1172)
      Command line: ping 127.0.0.1
      Signatures:
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 85a5658167d3569f780a00509ca53da4
  SHA1: bfd25eb822651cbbef3c37e0f9f6e968b14fba77
  SHA256: 2f9a924cf72b216f40c4382d201de55ca5dc3fc544349510d53af947554a2bcc
  SHA512: 15de66be4e798aca0b4b4595915e7e4024371db90b5a092c436805fc019b5f989dca6f9afabd43bf578540431fd6d61226cfe81a9306baf7bac1e2197a1b16df