Analysis
max time kernel: 132s
max time network: 156s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 02:48
Static task: static1
Behavioral task: behavioral1
  Sample: 1971c56b1ff468066e445e7f719876fc8a2cb166810639a0df1b137dd65875ed.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 1971c56b1ff468066e445e7f719876fc8a2cb166810639a0df1b137dd65875ed.exe
  Resource: win10v2004-en-20220112
General
Target: 1971c56b1ff468066e445e7f719876fc8a2cb166810639a0df1b137dd65875ed.exe
Size: 100KB
MD5: 285fda8557a7b785c9f6e7a020bd5087
SHA1: d87ab460171ad178bf1de5694198ed13dd219045
SHA256: 1971c56b1ff468066e445e7f719876fc8a2cb166810639a0df1b137dd65875ed
SHA512: 9a6d8b3b4d733dc15390f09897f4ad14492a83706aa58b31e33819825630aebe768a9c158880a11180fca49441bdb814779babd7236d25e6242254a5f4a4f840
Malware Config
Signatures
Sakula Payload 3 IoCs
Processes:
  resource | yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
Executes dropped EXE 1 IoCs
Processes:
  pid | process
  516 | MediaCenter.exe
Deletes itself 1 IoCs
Processes:
  pid | process
  528 | cmd.exe
Loads dropped DLL 2 IoCs
Processes:
  pid | process
  820 | 1971c56b1ff468066e445e7f719876fc8a2cb166810639a0df1b137dd65875ed.exe
  820 | 1971c56b1ff468066e445e7f719876fc8a2cb166810639a0df1b137dd65875ed.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 1971c56b1ff468066e445e7f719876fc8a2cb166810639a0df1b137dd65875ed.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Runs ping.exe 1 TTPs 1 IoCs
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 820 | 1971c56b1ff468066e445e7f719876fc8a2cb166810639a0df1b137dd65875ed.exe
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
  description | pid | process | target process
  PID 820 wrote to memory of 516 | 820 | 1971c56b1ff468066e445e7f719876fc8a2cb166810639a0df1b137dd65875ed.exe | MediaCenter.exe
  PID 820 wrote to memory of 516 | 820 | 1971c56b1ff468066e445e7f719876fc8a2cb166810639a0df1b137dd65875ed.exe | MediaCenter.exe
  PID 820 wrote to memory of 516 | 820 | 1971c56b1ff468066e445e7f719876fc8a2cb166810639a0df1b137dd65875ed.exe | MediaCenter.exe
  PID 820 wrote to memory of 516 | 820 | 1971c56b1ff468066e445e7f719876fc8a2cb166810639a0df1b137dd65875ed.exe | MediaCenter.exe
  PID 820 wrote to memory of 528 | 820 | 1971c56b1ff468066e445e7f719876fc8a2cb166810639a0df1b137dd65875ed.exe | cmd.exe
  PID 820 wrote to memory of 528 | 820 | 1971c56b1ff468066e445e7f719876fc8a2cb166810639a0df1b137dd65875ed.exe | cmd.exe
  PID 820 wrote to memory of 528 | 820 | 1971c56b1ff468066e445e7f719876fc8a2cb166810639a0df1b137dd65875ed.exe | cmd.exe
  PID 820 wrote to memory of 528 | 820 | 1971c56b1ff468066e445e7f719876fc8a2cb166810639a0df1b137dd65875ed.exe | cmd.exe
  PID 528 wrote to memory of 1132 | 528 | cmd.exe | PING.EXE
  PID 528 wrote to memory of 1132 | 528 | cmd.exe | PING.EXE
  PID 528 wrote to memory of 1132 | 528 | cmd.exe | PING.EXE
  PID 528 wrote to memory of 1132 | 528 | cmd.exe | PING.EXE
Processes
1. C:\Users\Admin\AppData\Local\Temp\1971c56b1ff468066e445e7f719876fc8a2cb166810639a0df1b137dd65875ed.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\1971c56b1ff468066e445e7f719876fc8a2cb166810639a0df1b137dd65875ed.exe"
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   PID: 820
   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE
      PID: 516
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\1971c56b1ff468066e445e7f719876fc8a2cb166810639a0df1b137dd65875ed.exe"
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      PID: 528
      3. C:\Windows\SysWOW64\PING.EXE
         Command line: ping 127.0.0.1
         - Runs ping.exe
         PID: 1132
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: 67a131147db4891917d9dc04d7594123
SHA1: 292df21ead509fb9c28c685e9f38a6040481009b
SHA256: 736041ef4cee1304a44b61cdc4b2a08994a2e082f06eb13a9cd30bd3ba3b5623
SHA512: 4ed3c476a539314547e5308be617b59ad5c70388ba2fba4050323c8f4a5fc0843cd5e6b41af7c92fee5960ce836bb8178255f7269e5efd7b198e68dfc9e41baa