Analysis

max time kernel: 127s
max time network: 153s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 03:35
Static task: static1

Behavioral task: behavioral1
  Sample: 173af2eac22a725fba263869b74d122159dc2c88726bd4cd3903fd886619747b.exe
  Resource: win7-en-20211208 (the run shown on this page)

Behavioral task: behavioral2
  Sample: 173af2eac22a725fba263869b74d122159dc2c88726bd4cd3903fd886619747b.exe
  Resource: win10v2004-en-20220113
General

Target: 173af2eac22a725fba263869b74d122159dc2c88726bd4cd3903fd886619747b.exe
Size: 80KB
MD5: c3b9c7da9478ef797e20c39f3eaca30f
SHA1: 95d76717ba0fbced700fd65e9777aa7b7ead131f
SHA256: 173af2eac22a725fba263869b74d122159dc2c88726bd4cd3903fd886619747b
SHA512: 7e103c54fab4bfb00360da06a79feca3ac0c53eaf6228fb027b7d26cfbfd718129f5abcbeebec1891913968616d49ccaf40f4a39f99e13f0bc004d58789a9539
Malware Config
Signatures

Sakula Payload (3 IoCs)
  YARA rule family_sakula matched on:
    \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  Sakula is a remote access trojan; the dropped MediaCenter.exe is the payload, the submitted file is its dropper.

Executes dropped EXE (1 IoC)
  PID 884  MediaCenter.exe

Deletes itself (1 IoC)
  PID 1052  cmd.exe

Loads dropped DLL (2 IoCs)
  PID 516  173af2eac22a725fba263869b74d122159dc2c88726bd4cd3903fd886619747b.exe
  PID 516  173af2eac22a725fba263869b74d122159dc2c88726bd4cd3903fd886619747b.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
    by 173af2eac22a725fba263869b74d122159dc2c88726bd4cd3903fd886619747b.exe
  The key sits under Wow6432Node because the sample is a 32-bit process writing to HKLM\SOFTWARE on an x64 guest and is subject to registry redirection. When hunting for this persistence, query both the native HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and the Wow6432Node view; a 64-bit tool reading only the native key will miss it.

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  The second sentence is the sandbox's generic description of this signature, not a finding about this sample: the family_sakula match above identifies a RAT, and nothing else in the report shows encryption or ransom activity.

Runs ping.exe (1 TTP, 1 IoC)
  PID 1476  PING.EXE (see the process tree below)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeIncBasePriorityPrivilege  PID 516  173af2eac22a725fba263869b74d122159dc2c88726bd4cd3903fd886619747b.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  PID 516 (173af2eac22a725fba263869b74d122159dc2c88726bd4cd3903fd886619747b.exe) wrote to memory of PID 884 (MediaCenter.exe), 4 times
  PID 516 (173af2eac22a725fba263869b74d122159dc2c88726bd4cd3903fd886619747b.exe) wrote to memory of PID 1052 (cmd.exe), 4 times
  PID 1052 (cmd.exe) wrote to memory of PID 1476 (PING.EXE), 4 times
  Every write is by a parent into a child it has just created; no write into a pre-existing process is recorded. That is the normal footprint of process creation, so this signature on its own is not evidence of injection into another process.
Processes

C:\Users\Admin\AppData\Local\Temp\173af2eac22a725fba263869b74d122159dc2c88726bd4cd3903fd886619747b.exe  (PID 516)
  Command line: "C:\Users\Admin\AppData\Local\Temp\173af2eac22a725fba263869b74d122159dc2c88726bd4cd3903fd886619747b.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  (PID 884, child of 516)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE

  C:\Windows\SysWOW64\cmd.exe  (PID 1052, child of 516)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\173af2eac22a725fba263869b74d122159dc2c88726bd4cd3903fd886619747b.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\PING.EXE  (PID 1476, child of 1052)
      Command line: ping 127.0.0.1
      - Runs ping.exe

Two points in the tree are worth noting. The command line names System32\cmd.exe, but the image that actually ran is SysWOW64\cmd.exe: the 32-bit sample is subject to file-system redirection on this x64 guest, which is also why its Run key landed under Wow6432Node. The "ping 127.0.0.1 & del /q <sample>" chain is the usual self-deletion idiom: ping serves only as a short delay so the original executable has exited before del removes it, leaving the dropped MediaCenter.exe in %TEMP% as the persistent copy.
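The process tree and signatures above describe three host behaviours a detection engineer would want to catch on endpoint telemetry: a binary in %TEMP% launching another binary in %TEMP%, a Run value pointing into a user-writable directory, and the cmd.exe "ping & del" self-deletion. The following is an added example, not part of the sandbox report or of the sample, that implements those checks over Sysmon-style events (Event ID 1 for process creation, Event ID 13 for registry value set; field names follow Sysmon's schema). The events are constructed from this page's process tree and Run-key IoC, plus one benign control, and are not captured telemetry. The ATT&CK IDs are the Enterprise v6 ones the report is tagged with.

```python
"""Detection rules for the dropper behaviour recorded in this report.

Added example (not part of the sandbox output). Events are dicts shaped like
Sysmon Event ID 1 (process create) and Event ID 13 (registry value set).
"""
import re
from typing import Dict, Iterable, List, Tuple

SAMPLE = "173af2eac22a725fba263869b74d122159dc2c88726bd4cd3903fd886619747b.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE_PATH = TEMP + "\\" + SAMPLE
DROPPED = TEMP + r"\MicroMedia\MediaCenter.exe"
RUN_KEY = (r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion"
           r"\Run\MicroMedia")

# Constructed events built from the report's process tree and Run-key IoC.
# The last one is a benign control (a plain ping from explorer.exe) that
# must not fire any rule.
SAMPLE_EVENTS: List[Dict] = [
    {"EventID": 1, "ProcessId": 884, "Image": DROPPED, "CommandLine": DROPPED,
     "ParentProcessId": 516, "ParentImage": SAMPLE_PATH},
    {"EventID": 13, "ProcessId": 516, "Image": SAMPLE_PATH,
     "TargetObject": RUN_KEY, "Details": DROPPED},
    {"EventID": 1, "ProcessId": 1052, "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": '"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "'
                    + SAMPLE_PATH + '"',
     "ParentProcessId": 516, "ParentImage": SAMPLE_PATH},
    {"EventID": 1, "ProcessId": 1476, "Image": r"C:\Windows\SysWOW64\PING.EXE",
     "CommandLine": "ping 127.0.0.1",
     "ParentProcessId": 1052, "ParentImage": r"C:\Windows\SysWOW64\cmd.exe"},
    {"EventID": 1, "ProcessId": 2000, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c ping 8.8.8.8 -n 1",
     "ParentProcessId": 1900, "ParentImage": r"C:\Windows\explorer.exe"},
]

# ping/timeout used as a sleep, then del/erase of a (possibly quoted) path;
# group 2 captures the path being deleted.
DELAYED_DELETE_RE = re.compile(
    r'\b(?:ping|timeout)\b[^&]*&+\s*(?:del|erase)\b((?:\s+/\w+)*)\s+"?([^"]+?)"?\s*$',
    re.IGNORECASE,
)
# Run and RunOnce under CurrentVersion, in the native or Wow6432Node view.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(?:Once)?\\", re.IGNORECASE)
# Directories an unprivileged user can write to.
USER_WRITABLE_RE = re.compile(
    r"(?:\\AppData\\|\\Temp\\|\\ProgramData\\|\\Users\\Public\\)", re.IGNORECASE)

# ATT&CK Enterprise v6 technique IDs for the rules that map to one cleanly.
ATTACK_V6 = {
    "self_delete_via_cmd": "T1107 File Deletion",
    "delayed_delete_via_cmd": "T1107 File Deletion",
    "run_key_to_user_writable_path": "T1060 Registry Run Keys / Startup Folder",
}

Hit = Tuple[str, int, str]  # (rule name, pid, detail)


def _is_cmd(image: str) -> bool:
    return image.lower().endswith("\\cmd.exe")


def detect(events: Iterable[Dict]) -> List[Hit]:
    """Return one hit per (rule, event), in event order."""
    hits: List[Hit] = []
    for ev in events:
        if ev["EventID"] == 1:
            image = ev["Image"]
            parent = ev.get("ParentImage", "")
            m = DELAYED_DELETE_RE.search(ev.get("CommandLine", ""))
            if m and _is_cmd(image):
                target = m.group(2).strip()
                # Deleting the parent's own image is the self-delete variant.
                rule = ("self_delete_via_cmd" if target.lower() == parent.lower()
                        else "delayed_delete_via_cmd")
                hits.append((rule, ev["ProcessId"], target))
            if USER_WRITABLE_RE.search(image) and USER_WRITABLE_RE.search(parent):
                hits.append(("temp_binary_spawns_temp_binary", ev["ProcessId"], image))
        elif ev["EventID"] == 13:
            if (RUN_KEY_RE.search(ev["TargetObject"])
                    and USER_WRITABLE_RE.search(ev.get("Details", ""))):
                hits.append(("run_key_to_user_writable_path", ev["ProcessId"],
                             ev["TargetObject"]))
    return hits


def report(hits: List[Hit]) -> List[str]:
    """One line per hit, with the ATT&CK v6 technique where one is mapped."""
    return [f"{rule} pid={pid} {ATTACK_V6.get(rule, '-')}: {detail}"
            for rule, pid, detail in hits]


if __name__ == "__main__":
    for line in report(detect(SAMPLE_EVENTS)):
        print(line)
```

Run against the constructed events, the three malicious events each produce one hit and the benign ping produces none. The self-delete rule distinguishes "cmd.exe deletes its own parent" from "cmd.exe deletes some other file after a delay" by comparing the deleted path with ParentImage, which is the check that separates this dropper idiom from an installer cleaning up after itself. The temp-spawns-temp rule is intentionally broad and is best used as context alongside the other two rather than as a standalone alert.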
Network
MITRE ATT&CK Enterprise v6
Downloads

MD5: 6d0ce458d2eeee1c5718e10fba9a14e7
SHA1: a4c79ba07579386bb93b851553d3442f3792e0fe
SHA256: ef3fd04dcddd519acf397eea237abf4d80d408e33e69c74de2745c25c09977cf
SHA512: b2280e5a6c8515dd46c15d2408686dacda35030676a10271ac893c585536b2749be419510bc77cd01185a6dc9d79cf13d14f5f46f7e2c7c04f0adfeac8c9a0e1