Analysis
-
max time kernel
144s -
max time network
149s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
12-02-2022 02:50
Static task
static1
Behavioral task
behavioral1
Sample
1950b439ea74d9d4590ad87633e004e23bc2b2d4d4d270c7b0c3e2e4f9be6c04.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
1950b439ea74d9d4590ad87633e004e23bc2b2d4d4d270c7b0c3e2e4f9be6c04.exe
Resource
win10v2004-en-20220112
General
-
Target
1950b439ea74d9d4590ad87633e004e23bc2b2d4d4d270c7b0c3e2e4f9be6c04.exe
-
Size
89KB
-
MD5
0d390e2b88ff63735b18f2ad8a9f875a
-
SHA1
c6c9bc8866fb666299564150e159c6f40e0fe220
-
SHA256
1950b439ea74d9d4590ad87633e004e23bc2b2d4d4d270c7b0c3e2e4f9be6c04
-
SHA512
43c0afa7720cefe73b68c5ddbf35120ddbd25add9ef975a61f53200d08bbfe0ef5b2c0fcbca6c4d09e80ed12ee4cad2b90394d023353dd6b7fc494c011ce6a46
Malware Config
Signatures
-
Sakula Payload 2 IoCs
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
-
Executes dropped EXE 1 IoCs
Processes:
pid | process
1668 | MediaCenter.exe
-
Deletes itself 1 IoCs
Processes:
pid | process
1764 | cmd.exe
-
Loads dropped DLL 1 IoCs
Processes:
pid | process
968 | 1950b439ea74d9d4590ad87633e004e23bc2b2d4d4d270c7b0c3e2e4f9be6c04.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 1950b439ea74d9d4590ad87633e004e23bc2b2d4d4d270c7b0c3e2e4f9be6c04.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour. (This is the rule's generic description: the report records no file encryption and no ransom note, and the dropped payload matches the family_sakula rule, so treat the ransomware label as a heuristic rather than a finding about this sample.)
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
description | pid | process
Token: SeIncBasePriorityPrivilege | 968 | 1950b439ea74d9d4590ad87633e004e23bc2b2d4d4d270c7b0c3e2e4f9be6c04.exe
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
description | pid | process | target process
PID 968 wrote to memory of 1668 | 968 | 1950b439ea74d9d4590ad87633e004e23bc2b2d4d4d270c7b0c3e2e4f9be6c04.exe | MediaCenter.exe
PID 968 wrote to memory of 1668 | 968 | 1950b439ea74d9d4590ad87633e004e23bc2b2d4d4d270c7b0c3e2e4f9be6c04.exe | MediaCenter.exe
PID 968 wrote to memory of 1668 | 968 | 1950b439ea74d9d4590ad87633e004e23bc2b2d4d4d270c7b0c3e2e4f9be6c04.exe | MediaCenter.exe
PID 968 wrote to memory of 1668 | 968 | 1950b439ea74d9d4590ad87633e004e23bc2b2d4d4d270c7b0c3e2e4f9be6c04.exe | MediaCenter.exe
PID 968 wrote to memory of 1764 | 968 | 1950b439ea74d9d4590ad87633e004e23bc2b2d4d4d270c7b0c3e2e4f9be6c04.exe | cmd.exe
PID 968 wrote to memory of 1764 | 968 | 1950b439ea74d9d4590ad87633e004e23bc2b2d4d4d270c7b0c3e2e4f9be6c04.exe | cmd.exe
PID 968 wrote to memory of 1764 | 968 | 1950b439ea74d9d4590ad87633e004e23bc2b2d4d4d270c7b0c3e2e4f9be6c04.exe | cmd.exe
PID 968 wrote to memory of 1764 | 968 | 1950b439ea74d9d4590ad87633e004e23bc2b2d4d4d270c7b0c3e2e4f9be6c04.exe | cmd.exe
PID 1764 wrote to memory of 816 | 1764 | cmd.exe | PING.EXE
PID 1764 wrote to memory of 816 | 1764 | cmd.exe | PING.EXE
PID 1764 wrote to memory of 816 | 1764 | cmd.exe | PING.EXE
PID 1764 wrote to memory of 816 | 1764 | cmd.exe | PING.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\1950b439ea74d9d4590ad87633e004e23bc2b2d4d4d270c7b0c3e2e4f9be6c04.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\1950b439ea74d9d4590ad87633e004e23bc2b2d4d4d270c7b0c3e2e4f9be6c04.exe"
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 968
-
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (depth 2, child of PID 968)
  Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  - Executes dropped EXE
  PID: 1668
-
  C:\Windows\SysWOW64\cmd.exe (depth 2, child of PID 968)
  Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\1950b439ea74d9d4590ad87633e004e23bc2b2d4d4d270c7b0c3e2e4f9be6c04.exe"
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID: 1764
-
    C:\Windows\SysWOW64\PING.EXE (depth 3, child of PID 1764)
    Command line: ping 127.0.0.1
    - Runs ping.exe
    PID: 816
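As an added example (not part of this report and not the sandbox's own rules), the Python below turns the three behavioural findings above into detection logic and runs it over constructed Sysmon-style events. The event values are copied from the process tree and the Run-key IoC; the event layout, the field names and the parent PIDs are assumptions inferred from the tree depth and the WriteProcessMemory table, not a real log export.

```python
"""Added example, not part of the sandbox report: detection logic for the
behaviours the report attributes to this sample, run over constructed
Sysmon-style events (id 1 = process create, id 13 = registry value set).
Values are copied from the report's process tree and registry IoC; the
event layout, field names and ppid values are assumptions."""
import re

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\1950b439ea74d9d4590ad87633e004e23bc2b2d4d4d270c7b0c3e2e4f9be6c04.exe")
PAYLOAD = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
RUN_VALUE = (r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows"
             r"\CurrentVersion\Run\MicroMedia")

# Constructed events in the order the report's process tree implies.
EVENTS = [
    {"id": 1, "pid": 968, "ppid": 0, "image": SAMPLE, "cmd": f'"{SAMPLE}"'},
    {"id": 13, "pid": 968, "key": RUN_VALUE, "data": PAYLOAD},
    {"id": 1, "pid": 1668, "ppid": 968, "image": PAYLOAD, "cmd": PAYLOAD},
    {"id": 1, "pid": 1764, "ppid": 968, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmd": f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"'},
    {"id": 1, "pid": 816, "ppid": 1764, "image": r"C:\Windows\SysWOW64\PING.EXE",
     "cmd": "ping 127.0.0.1"},
]

RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.I)
USER_TEMP = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.I)
# "ping 127.0.0.1 & del [/flags] <file>": the delay-then-delete idiom from the tree.
SELF_DELETE = re.compile(
    r'ping\s+127\.0\.0\.1\b.*?&\s*del\s+(?:/\w+\s+)*"?(?P<target>[^"]+?)"?\s*$', re.I)


def run_key_persistence(events):
    """Run-key values whose data points into a user-writable Temp directory."""
    return [(e["pid"], e["key"], e["data"]) for e in events
            if e["id"] == 13 and RUN_KEY.search(e["key"]) and USER_TEMP.search(e["data"])]


def dropped_exe_exec(events):
    """A Temp-resident process launching another executable from a user Temp tree."""
    procs = {e["pid"]: e for e in events if e["id"] == 1}
    hits = []
    for e in procs.values():
        parent = procs.get(e["ppid"])
        if parent and USER_TEMP.search(parent["image"]) and USER_TEMP.search(e["image"]):
            hits.append((parent["pid"], e["pid"], e["image"]))
    return hits


def self_delete(events):
    """cmd.exe running 'ping 127.0.0.1 & del <file>' where <file> is its parent's image."""
    procs = {e["pid"]: e for e in events if e["id"] == 1}
    hits = []
    for e in procs.values():
        if not e["image"].lower().endswith(r"\cmd.exe"):
            continue
        m = SELF_DELETE.search(e["cmd"])
        parent = procs.get(e["ppid"])
        # Only a deletion of the parent's own binary is self-deletion; del of
        # any other path is a different (and noisier) signal.
        if m and parent and m.group("target").lower() == parent["image"].lower():
            hits.append((e["pid"], parent["pid"], m.group("target")))
    return hits


def triage(events):
    """Run all three checks; a chain tripping every one matches the report's tree."""
    return {"run_key": run_key_persistence(events),
            "dropped_exe": dropped_exe_exec(events),
            "self_delete": self_delete(events)}


if __name__ == "__main__":
    for name, hits in triage(EVENTS).items():
        print(name, hits)
```

The self-delete check deliberately requires the `del` target to equal the parent's image path: a `cmd /c ping & del` that removes some other file is still worth a look, but it is not the dropper erasing itself, and keying on the parent relation keeps the rule from firing on routine cleanup scripts.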
Network
MITRE ATT&CK Enterprise v6
Downloads
-
MD5
f13e0fdf1ea8d56296e6cb5dd1d57096
SHA1
5e1e1ce0cd015e606d4ecd8294e0e8ff76e6862e
SHA256
e22215d316a41e5fe4630fd614e277336aa204e048a5daff7a51886518d74dda
SHA512
248cfcacbe2ed79e9ea0322937e9813cbe982b5804955c92b21c15d0d106cb69d1e3e5430d6993ba7174622770726f595514655b16cae3665897f5eb919ff981
(The report does not name this file; its hashes differ from the submitted sample's.)