Analysis
- max time kernel: 128s
- max time network: 141s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 02:51
Static task: static1
Behavioral task: behavioral1
- Sample: 1944a255e18eba7866fb78f0a6e4e18daf6a87db461793590f98fda5e810fa17.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 1944a255e18eba7866fb78f0a6e4e18daf6a87db461793590f98fda5e810fa17.exe
- Resource: win10v2004-en-20220113
General
- Target: 1944a255e18eba7866fb78f0a6e4e18daf6a87db461793590f98fda5e810fa17.exe
- Size: 176KB
- MD5: 30eeb2c745769f3d427646c69829b026
- SHA1: 45046f21b09c2b327f65a37d35c1d089701d9d30
- SHA256: 1944a255e18eba7866fb78f0a6e4e18daf6a87db461793590f98fda5e810fa17
- SHA512: b42cb2e3e6f0c210e97ded293909c3733f65b2d0076592936c4a092328fd313e569a33e2e1a2e6c3216e731d9274589e0ca08a682d939ce57bf97829ed168795
Malware Config
Signatures
- Sakula Payload (4 IoCs)
  Processes (resource / yara_rule):
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe / family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe / family_sakula
  behavioral1/memory/1848-59-0x0000000000400000-0x0000000000420000-memory.dmp / family_sakula
  behavioral1/memory/1636-61-0x0000000000400000-0x0000000000420000-memory.dmp / family_sakula
- Executes dropped EXE (1 IoC)
  Processes (pid / process):
  1636 / MediaCenter.exe
- Deletes itself (1 IoC)
  Processes (pid / process):
  1996 / cmd.exe
- Loads dropped DLL (1 IoC)
  Processes (pid / process):
  1848 / 1944a255e18eba7866fb78f0a6e4e18daf6a87db461793590f98fda5e810fa17.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description / ioc / process):
  Set value (str) / \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" / 1944a255e18eba7866fb78f0a6e4e18daf6a87db461793590f98fda5e810fa17.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description / pid / process):
  Token: SeIncBasePriorityPrivilege / 1848 / 1944a255e18eba7866fb78f0a6e4e18daf6a87db461793590f98fda5e810fa17.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description / pid / process / target process):
  PID 1848 wrote to memory of 1636 / 1848 / 1944a255e18eba7866fb78f0a6e4e18daf6a87db461793590f98fda5e810fa17.exe / MediaCenter.exe
  PID 1848 wrote to memory of 1636 / 1848 / 1944a255e18eba7866fb78f0a6e4e18daf6a87db461793590f98fda5e810fa17.exe / MediaCenter.exe
  PID 1848 wrote to memory of 1636 / 1848 / 1944a255e18eba7866fb78f0a6e4e18daf6a87db461793590f98fda5e810fa17.exe / MediaCenter.exe
  PID 1848 wrote to memory of 1636 / 1848 / 1944a255e18eba7866fb78f0a6e4e18daf6a87db461793590f98fda5e810fa17.exe / MediaCenter.exe
  PID 1848 wrote to memory of 1996 / 1848 / 1944a255e18eba7866fb78f0a6e4e18daf6a87db461793590f98fda5e810fa17.exe / cmd.exe
  PID 1848 wrote to memory of 1996 / 1848 / 1944a255e18eba7866fb78f0a6e4e18daf6a87db461793590f98fda5e810fa17.exe / cmd.exe
  PID 1848 wrote to memory of 1996 / 1848 / 1944a255e18eba7866fb78f0a6e4e18daf6a87db461793590f98fda5e810fa17.exe / cmd.exe
  PID 1848 wrote to memory of 1996 / 1848 / 1944a255e18eba7866fb78f0a6e4e18daf6a87db461793590f98fda5e810fa17.exe / cmd.exe
  PID 1996 wrote to memory of 2044 / 1996 / cmd.exe / PING.EXE
  PID 1996 wrote to memory of 2044 / 1996 / cmd.exe / PING.EXE
  PID 1996 wrote to memory of 2044 / 1996 / cmd.exe / PING.EXE
  PID 1996 wrote to memory of 2044 / 1996 / cmd.exe / PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\1944a255e18eba7866fb78f0a6e4e18daf6a87db461793590f98fda5e810fa17.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\1944a255e18eba7866fb78f0a6e4e18daf6a87db461793590f98fda5e810fa17.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1848
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (level 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1636
  - C:\Windows\SysWOW64\cmd.exe (level 2)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\1944a255e18eba7866fb78f0a6e4e18daf6a87db461793590f98fda5e810fa17.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1996
    - C:\Windows\SysWOW64\PING.EXE (level 3)
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 2044
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 61f577bca6e46cf001111e3aa530d4d0
- SHA1: 1f638d939c36c85a1b06ddd7076737e7669642ca
- SHA256: 849b4346ebbd36e2c5093a2217ef66ccda1ff6dcf0939d017631bc2477f223d9
- SHA512: 906a477d0349a931da3c7a8ae36d1c17747279f44b55142e58e47167b7d7b8177706950aa2a0eb33be80e95ac4ad0d1361e6f7d84779e1847c5dedc6afbbb627