Analysis
- max time kernel: 154s
- max time network: 175s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 03:36
Static task: static1
Behavioral task: behavioral1
- Sample: 1736416df7c82f26a1ebdec013edd7145d9d5ecf8a4a077ab60fc0c7ae2aa2ae.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 1736416df7c82f26a1ebdec013edd7145d9d5ecf8a4a077ab60fc0c7ae2aa2ae.exe
- Resource: win10v2004-en-20220113
General
- Target: 1736416df7c82f26a1ebdec013edd7145d9d5ecf8a4a077ab60fc0c7ae2aa2ae.exe
- Size: 188KB
- MD5: 927fd99c0096e75d21f527bd5eabfa86
- SHA1: 2c848ebc250dec44f69b1de8f703e37be5fc408c
- SHA256: 1736416df7c82f26a1ebdec013edd7145d9d5ecf8a4a077ab60fc0c7ae2aa2ae
- SHA512: 4e23a79ebb9632c4a1e567ca834af591d660284a2ce58fde003b189cf30e86f3343c82e29f1b80428c8c74a733e755cede9ed12249b0c59aabd0c5552fd7edd0
Malware Config
Signatures
- Sakula Payload (4 IoCs)
  Processes (resource / yara_rule):
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe / family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe / family_sakula
  behavioral1/memory/1636-59-0x0000000000400000-0x0000000000420000-memory.dmp / family_sakula
  behavioral1/memory/1588-60-0x0000000000400000-0x0000000000420000-memory.dmp / family_sakula
- Executes dropped EXE (1 IoC)
  Processes (pid / process):
  1588 / MediaCenter.exe
- Deletes itself (1 IoC)
  Processes (pid / process):
  1912 / cmd.exe
- Loads dropped DLL (1 IoC)
  Processes (pid / process):
  1636 / 1736416df7c82f26a1ebdec013edd7145d9d5ecf8a4a077ab60fc0c7ae2aa2ae.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description / ioc / process):
  Set value (str) / \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" / 1736416df7c82f26a1ebdec013edd7145d9d5ecf8a4a077ab60fc0c7ae2aa2ae.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description / pid / process):
  Token: SeIncBasePriorityPrivilege / 1636 / 1736416df7c82f26a1ebdec013edd7145d9d5ecf8a4a077ab60fc0c7ae2aa2ae.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description / pid / process / target process):
  PID 1636 wrote to memory of 1588 / 1636 / 1736416df7c82f26a1ebdec013edd7145d9d5ecf8a4a077ab60fc0c7ae2aa2ae.exe / MediaCenter.exe
  PID 1636 wrote to memory of 1588 / 1636 / 1736416df7c82f26a1ebdec013edd7145d9d5ecf8a4a077ab60fc0c7ae2aa2ae.exe / MediaCenter.exe
  PID 1636 wrote to memory of 1588 / 1636 / 1736416df7c82f26a1ebdec013edd7145d9d5ecf8a4a077ab60fc0c7ae2aa2ae.exe / MediaCenter.exe
  PID 1636 wrote to memory of 1588 / 1636 / 1736416df7c82f26a1ebdec013edd7145d9d5ecf8a4a077ab60fc0c7ae2aa2ae.exe / MediaCenter.exe
  PID 1636 wrote to memory of 1912 / 1636 / 1736416df7c82f26a1ebdec013edd7145d9d5ecf8a4a077ab60fc0c7ae2aa2ae.exe / cmd.exe
  PID 1636 wrote to memory of 1912 / 1636 / 1736416df7c82f26a1ebdec013edd7145d9d5ecf8a4a077ab60fc0c7ae2aa2ae.exe / cmd.exe
  PID 1636 wrote to memory of 1912 / 1636 / 1736416df7c82f26a1ebdec013edd7145d9d5ecf8a4a077ab60fc0c7ae2aa2ae.exe / cmd.exe
  PID 1636 wrote to memory of 1912 / 1636 / 1736416df7c82f26a1ebdec013edd7145d9d5ecf8a4a077ab60fc0c7ae2aa2ae.exe / cmd.exe
  PID 1912 wrote to memory of 1080 / 1912 / cmd.exe / PING.EXE
  PID 1912 wrote to memory of 1080 / 1912 / cmd.exe / PING.EXE
  PID 1912 wrote to memory of 1080 / 1912 / cmd.exe / PING.EXE
  PID 1912 wrote to memory of 1080 / 1912 / cmd.exe / PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\1736416df7c82f26a1ebdec013edd7145d9d5ecf8a4a077ab60fc0c7ae2aa2ae.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1736416df7c82f26a1ebdec013edd7145d9d5ecf8a4a077ab60fc0c7ae2aa2ae.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1636
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1588
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\1736416df7c82f26a1ebdec013edd7145d9d5ecf8a4a077ab60fc0c7ae2aa2ae.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1912
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1080
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 1263e834731ddb066f529971e7c3ab42
  SHA1: 41bd5d61e8a9eb4788a857632132fda8ebe07355
  SHA256: b3f3819a00b73e7bd01657fc70f429811c4c88bdca46b9b5dd21025acefec392
  SHA512: 1054450c560fb9e2afd44873b31f0c73c665fff541b4a48883a9464f738c229f1fbff6c61487dff6830e4c2062d3f96944065492c544e4b43dd4e979ae44dd6c