Analysis
- max time kernel: 118s
- max time network: 125s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 02:52
Static task: static1
Behavioral task: behavioral1
  Sample: 1936d84d11745c674c02cb2b82ba2924688175824c6b1f38c113c5d771d480e7.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 1936d84d11745c674c02cb2b82ba2924688175824c6b1f38c113c5d771d480e7.exe
  Resource: win10v2004-en-20220113
General
- Target: 1936d84d11745c674c02cb2b82ba2924688175824c6b1f38c113c5d771d480e7.exe
- Size: 100KB
- MD5: 2c1205f66dc8a5c14e1d0b75b307ee4d
- SHA1: 42be13bf1e0842a61defbb457e29379a9f0870ad
- SHA256: 1936d84d11745c674c02cb2b82ba2924688175824c6b1f38c113c5d771d480e7
- SHA512: 00a2b19bbd39054edd5b0bd1c6ccf1596a564714d1501b431c6aa10aedc0557a76f57a5637b2f699a2c768f79137791152422177d2837d35e57c616c94f58992
Malware Config
Signatures
- Sakula Payload (3 IoCs)
  Processes:
    resource                                                      yara_rule
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  family_sakula
    \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe    family_sakula
    \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe    family_sakula
- Executes dropped EXE (1 IoC)
  Processes:
    pid   process
    320   MediaCenter.exe
- Deletes itself (1 IoC)
  Processes:
    pid   process
    1552  cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes:
    pid   process
    1912  1936d84d11745c674c02cb2b82ba2924688175824c6b1f38c113c5d771d480e7.exe
    1912  1936d84d11745c674c02cb2b82ba2924688175824c6b1f38c113c5d771d480e7.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    description: Set value (str)
    ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
    process: 1936d84d11745c674c02cb2b82ba2924688175824c6b1f38c113c5d771d480e7.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description                        pid   process
    Token: SeIncBasePriorityPrivilege  1912  1936d84d11745c674c02cb2b82ba2924688175824c6b1f38c113c5d771d480e7.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
    description                       pid   process                                                                   target process
    PID 1912 wrote to memory of 320   1912  1936d84d11745c674c02cb2b82ba2924688175824c6b1f38c113c5d771d480e7.exe     MediaCenter.exe
    PID 1912 wrote to memory of 320   1912  1936d84d11745c674c02cb2b82ba2924688175824c6b1f38c113c5d771d480e7.exe     MediaCenter.exe
    PID 1912 wrote to memory of 320   1912  1936d84d11745c674c02cb2b82ba2924688175824c6b1f38c113c5d771d480e7.exe     MediaCenter.exe
    PID 1912 wrote to memory of 320   1912  1936d84d11745c674c02cb2b82ba2924688175824c6b1f38c113c5d771d480e7.exe     MediaCenter.exe
    PID 1912 wrote to memory of 1552  1912  1936d84d11745c674c02cb2b82ba2924688175824c6b1f38c113c5d771d480e7.exe     cmd.exe
    PID 1912 wrote to memory of 1552  1912  1936d84d11745c674c02cb2b82ba2924688175824c6b1f38c113c5d771d480e7.exe     cmd.exe
    PID 1912 wrote to memory of 1552  1912  1936d84d11745c674c02cb2b82ba2924688175824c6b1f38c113c5d771d480e7.exe     cmd.exe
    PID 1912 wrote to memory of 1552  1912  1936d84d11745c674c02cb2b82ba2924688175824c6b1f38c113c5d771d480e7.exe     cmd.exe
    PID 1552 wrote to memory of 988   1552  cmd.exe                                                                   PING.EXE
    PID 1552 wrote to memory of 988   1552  cmd.exe                                                                   PING.EXE
    PID 1552 wrote to memory of 988   1552  cmd.exe                                                                   PING.EXE
    PID 1552 wrote to memory of 988   1552  cmd.exe                                                                   PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\1936d84d11745c674c02cb2b82ba2924688175824c6b1f38c113c5d771d480e7.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1936d84d11745c674c02cb2b82ba2924688175824c6b1f38c113c5d771d480e7.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1912
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 320
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\1936d84d11745c674c02cb2b82ba2924688175824c6b1f38c113c5d771d480e7.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1552
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 988
Network
MITRE ATT&CK Enterprise v6
Downloads
Three entries, all with the same hashes:
- MD5: 9f94b69b5f3fe79774f702e99d135643
  SHA1: 334bff28843a2436239550facf40d2b2e25eadd4
  SHA256: b0f05dda2ea30b8dd7b953d1729a8c2738a406145cfb7dc9339d8ebb1e683fc5
  SHA512: 82670acf6980302bdaf6e169c86f4486c4739e39dd985e4587c7790429db7e084cd75563e0a613a0191f82907fa313729d818ac7335b21c6afc487487aec239f