Analysis
- max time kernel: 151s
- max time network: 132s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 02:49
Static task: static1
Behavioral task: behavioral1
- Sample: 196797ddaa7f03dc83a8ca36bb8d97426e693f6daf9579f9a2e71e140ad7b550.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 196797ddaa7f03dc83a8ca36bb8d97426e693f6daf9579f9a2e71e140ad7b550.exe
- Resource: win10v2004-en-20220113
General
- Target: 196797ddaa7f03dc83a8ca36bb8d97426e693f6daf9579f9a2e71e140ad7b550.exe
- Size: 99KB
- MD5: 098c2330b2b39304b37311b8103365e3
- SHA1: 00790acc9e7041c3d993b04394e9c35543538a8b
- SHA256: 196797ddaa7f03dc83a8ca36bb8d97426e693f6daf9579f9a2e71e140ad7b550
- SHA512: 0b0f21028a271906a42223fe611d5703ca5b44839f6851be6dfcd9c0e2f422779f9c56704bb87bed0109f675a56863ad5860d7ee819ecca5809fb79cd64917b4
Malware Config
Signatures
- Sakula Payload (3 IoCs)
  Processes (resource / yara_rule):
  - \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe: family_sakula
  - \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe: family_sakula
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe: family_sakula
- Executes dropped EXE (1 IoCs)
  Processes (pid / process):
  - 1580 MediaCenter.exe
- Deletes itself (1 IoCs)
  Processes (pid / process):
  - 432 cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid / process):
  - 968 196797ddaa7f03dc83a8ca36bb8d97426e693f6daf9579f9a2e71e140ad7b550.exe
  - 968 196797ddaa7f03dc83a8ca36bb8d97426e693f6daf9579f9a2e71e140ad7b550.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes (description / ioc / process):
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" (process: 196797ddaa7f03dc83a8ca36bb8d97426e693f6daf9579f9a2e71e140ad7b550.exe)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes (description / pid / process):
  - Token: SeIncBasePriorityPrivilege, 968 196797ddaa7f03dc83a8ca36bb8d97426e693f6daf9579f9a2e71e140ad7b550.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description / pid / process / target process):
  - PID 968 wrote to memory of 1580: 196797ddaa7f03dc83a8ca36bb8d97426e693f6daf9579f9a2e71e140ad7b550.exe -> MediaCenter.exe
  - PID 968 wrote to memory of 1580: 196797ddaa7f03dc83a8ca36bb8d97426e693f6daf9579f9a2e71e140ad7b550.exe -> MediaCenter.exe
  - PID 968 wrote to memory of 1580: 196797ddaa7f03dc83a8ca36bb8d97426e693f6daf9579f9a2e71e140ad7b550.exe -> MediaCenter.exe
  - PID 968 wrote to memory of 1580: 196797ddaa7f03dc83a8ca36bb8d97426e693f6daf9579f9a2e71e140ad7b550.exe -> MediaCenter.exe
  - PID 968 wrote to memory of 432: 196797ddaa7f03dc83a8ca36bb8d97426e693f6daf9579f9a2e71e140ad7b550.exe -> cmd.exe
  - PID 968 wrote to memory of 432: 196797ddaa7f03dc83a8ca36bb8d97426e693f6daf9579f9a2e71e140ad7b550.exe -> cmd.exe
  - PID 968 wrote to memory of 432: 196797ddaa7f03dc83a8ca36bb8d97426e693f6daf9579f9a2e71e140ad7b550.exe -> cmd.exe
  - PID 968 wrote to memory of 432: 196797ddaa7f03dc83a8ca36bb8d97426e693f6daf9579f9a2e71e140ad7b550.exe -> cmd.exe
  - PID 432 wrote to memory of 1560: cmd.exe -> PING.EXE
  - PID 432 wrote to memory of 1560: cmd.exe -> PING.EXE
  - PID 432 wrote to memory of 1560: cmd.exe -> PING.EXE
  - PID 432 wrote to memory of 1560: cmd.exe -> PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\196797ddaa7f03dc83a8ca36bb8d97426e693f6daf9579f9a2e71e140ad7b550.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\196797ddaa7f03dc83a8ca36bb8d97426e693f6daf9579f9a2e71e140ad7b550.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 968
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (level 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1580
  - C:\Windows\SysWOW64\cmd.exe (level 2)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\196797ddaa7f03dc83a8ca36bb8d97426e693f6daf9579f9a2e71e140ad7b550.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 432
    - C:\Windows\SysWOW64\PING.EXE (level 3)
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1560
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 98345dbbf75b51395d7c0e62bb6c9a2d
- SHA1: bce6d597321af0de7a8881d63291ca601ae9e598
- SHA256: 119eba899d931dafc245ed413dcbd7b2c4a1e3170ad9828b8dc0dea56c2f765f
- SHA512: 0cfaaa8172cfd723a1ac7bf36a5e71da0610125c39b4e3d4eb423248399568d6b8334821a0f31382e9beb18a5d6cfce5ededdaae97240a5d0a36b6b8c6c91c9a