Analysis
- max time kernel: 132s
- max time network: 153s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 02:50
Static task: static1
Behavioral task: behavioral1
- Sample: 196226537038edf32fb5d2f4845ac60f5b0c1f80c99dc39518cca32617904b2e.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 196226537038edf32fb5d2f4845ac60f5b0c1f80c99dc39518cca32617904b2e.exe
- Resource: win10v2004-en-20220112
General
- Target: 196226537038edf32fb5d2f4845ac60f5b0c1f80c99dc39518cca32617904b2e.exe
- Size: 192KB
- MD5: 2d5fde9ea0e4b71dcd627a5d1cccc532
- SHA1: c2af6d9d553988a99bc9594e78c177af80bbe060
- SHA256: 196226537038edf32fb5d2f4845ac60f5b0c1f80c99dc39518cca32617904b2e
- SHA512: 869cd380f9836a5895b109daff673a6cd2b93a7b523d0fc37aaf532210da183b6c5dac2218374eda8e4a9f4f2537078acf41079df2f4d14a13c0166b3bf2d02e
Malware Config
Signatures
- Sakula Payload (3 IoCs)
  Processes:
    resource | yara_rule
    \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
    \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- Executes dropped EXE (1 IoCs)
  Processes:
    pid | process
    1720 | MediaCenter.exe
- Deletes itself (1 IoCs)
  Processes:
    pid | process
    520 | cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes:
    pid | process
    1536 | 196226537038edf32fb5d2f4845ac60f5b0c1f80c99dc39518cca32617904b2e.exe
    1536 | 196226537038edf32fb5d2f4845ac60f5b0c1f80c99dc39518cca32617904b2e.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
    description | ioc | process
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 196226537038edf32fb5d2f4845ac60f5b0c1f80c99dc39518cca32617904b2e.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
    description | pid | process
    Token: SeIncBasePriorityPrivilege | 1536 | 196226537038edf32fb5d2f4845ac60f5b0c1f80c99dc39518cca32617904b2e.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
    description | pid | process | target process
    PID 1536 wrote to memory of 1720 | 1536 | 196226537038edf32fb5d2f4845ac60f5b0c1f80c99dc39518cca32617904b2e.exe | MediaCenter.exe
    PID 1536 wrote to memory of 1720 | 1536 | 196226537038edf32fb5d2f4845ac60f5b0c1f80c99dc39518cca32617904b2e.exe | MediaCenter.exe
    PID 1536 wrote to memory of 1720 | 1536 | 196226537038edf32fb5d2f4845ac60f5b0c1f80c99dc39518cca32617904b2e.exe | MediaCenter.exe
    PID 1536 wrote to memory of 1720 | 1536 | 196226537038edf32fb5d2f4845ac60f5b0c1f80c99dc39518cca32617904b2e.exe | MediaCenter.exe
    PID 1536 wrote to memory of 520 | 1536 | 196226537038edf32fb5d2f4845ac60f5b0c1f80c99dc39518cca32617904b2e.exe | cmd.exe
    PID 1536 wrote to memory of 520 | 1536 | 196226537038edf32fb5d2f4845ac60f5b0c1f80c99dc39518cca32617904b2e.exe | cmd.exe
    PID 1536 wrote to memory of 520 | 1536 | 196226537038edf32fb5d2f4845ac60f5b0c1f80c99dc39518cca32617904b2e.exe | cmd.exe
    PID 1536 wrote to memory of 520 | 1536 | 196226537038edf32fb5d2f4845ac60f5b0c1f80c99dc39518cca32617904b2e.exe | cmd.exe
    PID 520 wrote to memory of 1164 | 520 | cmd.exe | PING.EXE
    PID 520 wrote to memory of 1164 | 520 | cmd.exe | PING.EXE
    PID 520 wrote to memory of 1164 | 520 | cmd.exe | PING.EXE
    PID 520 wrote to memory of 1164 | 520 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\196226537038edf32fb5d2f4845ac60f5b0c1f80c99dc39518cca32617904b2e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\196226537038edf32fb5d2f4845ac60f5b0c1f80c99dc39518cca32617904b2e.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1536
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1720
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\196226537038edf32fb5d2f4845ac60f5b0c1f80c99dc39518cca32617904b2e.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 520
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1164
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 083679d65719031881ea4fbca5c8e11d
  SHA1: 24ec850853449d4db801b598d0d3ad1bd0d3425c
  SHA256: cdd4f773e55d1f55624acf4190c67f1f0147b00e43dc71a4abc42616574a3b7e
  SHA512: aa0b3bd3e224d61c239a28995aa4cf58f106595485db43450270377e52f2f5801b19c9753aa8db5bebc995c15e9c6e71d121b051e4d5a8f3449fba6ccb5027b2