Analysis
- max time kernel: 135s
- max time network: 160s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 02:54
Static task: static1
Behavioral task: behavioral1
- Sample: 1920998df65bf1dbf37434e394feb8fa29c8b786496463f4b0bad0229b87fa6d.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 1920998df65bf1dbf37434e394feb8fa29c8b786496463f4b0bad0229b87fa6d.exe
- Resource: win10v2004-en-20220112
General
- Target: 1920998df65bf1dbf37434e394feb8fa29c8b786496463f4b0bad0229b87fa6d.exe
- Size: 99KB
- MD5: ba02812316eb6ea7c4ba1af31d83b63d
- SHA1: 3fc85f3b9b267b00fea32996cf4b46e45167bd7e
- SHA256: 1920998df65bf1dbf37434e394feb8fa29c8b786496463f4b0bad0229b87fa6d
- SHA512: f41a49d2cc39fd63b1b54417da2fe18514db6f7758102c2093be045f1f2135ed3ae08e02637ee14525d95aabbacdaaef48a3f950def8f4eedf3817616cccfc7f
Malware Config
Signatures
- Sakula Payload (3 IoCs)
  Processes:
  resource | yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- Executes dropped EXE (1 IoC)
  Processes: MediaCenter.exe
  pid | process
  1692 | MediaCenter.exe
- Deletes itself (1 IoC)
  Processes: cmd.exe
  pid | process
  968 | cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes: 1920998df65bf1dbf37434e394feb8fa29c8b786496463f4b0bad0229b87fa6d.exe
  pid | process
  1248 | 1920998df65bf1dbf37434e394feb8fa29c8b786496463f4b0bad0229b87fa6d.exe
  1248 | 1920998df65bf1dbf37434e394feb8fa29c8b786496463f4b0bad0229b87fa6d.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: 1920998df65bf1dbf37434e394feb8fa29c8b786496463f4b0bad0229b87fa6d.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 1920998df65bf1dbf37434e394feb8fa29c8b786496463f4b0bad0229b87fa6d.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: 1920998df65bf1dbf37434e394feb8fa29c8b786496463f4b0bad0229b87fa6d.exe
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 1248 | 1920998df65bf1dbf37434e394feb8fa29c8b786496463f4b0bad0229b87fa6d.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes: 1920998df65bf1dbf37434e394feb8fa29c8b786496463f4b0bad0229b87fa6d.exe, cmd.exe
  description | pid | process | target process
  PID 1248 wrote to memory of 1692 | 1248 | 1920998df65bf1dbf37434e394feb8fa29c8b786496463f4b0bad0229b87fa6d.exe | MediaCenter.exe
  PID 1248 wrote to memory of 1692 | 1248 | 1920998df65bf1dbf37434e394feb8fa29c8b786496463f4b0bad0229b87fa6d.exe | MediaCenter.exe
  PID 1248 wrote to memory of 1692 | 1248 | 1920998df65bf1dbf37434e394feb8fa29c8b786496463f4b0bad0229b87fa6d.exe | MediaCenter.exe
  PID 1248 wrote to memory of 1692 | 1248 | 1920998df65bf1dbf37434e394feb8fa29c8b786496463f4b0bad0229b87fa6d.exe | MediaCenter.exe
  PID 1248 wrote to memory of 968 | 1248 | 1920998df65bf1dbf37434e394feb8fa29c8b786496463f4b0bad0229b87fa6d.exe | cmd.exe
  PID 1248 wrote to memory of 968 | 1248 | 1920998df65bf1dbf37434e394feb8fa29c8b786496463f4b0bad0229b87fa6d.exe | cmd.exe
  PID 1248 wrote to memory of 968 | 1248 | 1920998df65bf1dbf37434e394feb8fa29c8b786496463f4b0bad0229b87fa6d.exe | cmd.exe
  PID 1248 wrote to memory of 968 | 1248 | 1920998df65bf1dbf37434e394feb8fa29c8b786496463f4b0bad0229b87fa6d.exe | cmd.exe
  PID 968 wrote to memory of 1152 | 968 | cmd.exe | PING.EXE
  PID 968 wrote to memory of 1152 | 968 | cmd.exe | PING.EXE
  PID 968 wrote to memory of 1152 | 968 | cmd.exe | PING.EXE
  PID 968 wrote to memory of 1152 | 968 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\1920998df65bf1dbf37434e394feb8fa29c8b786496463f4b0bad0229b87fa6d.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\1920998df65bf1dbf37434e394feb8fa29c8b786496463f4b0bad0229b87fa6d.exe"
  PID: 1248
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 1692
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\1920998df65bf1dbf37434e394feb8fa29c8b786496463f4b0bad0229b87fa6d.exe"
    PID: 968
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (depth 3)
      Command line: ping 127.0.0.1
      PID: 1152
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 0c6529e07b2356a5a4e83f6338fe4091
  SHA1: 0cc7997045a6b126da408ab8c2c33ee59f677faf
  SHA256: e88368a7b9de1d47ef0445bea28f839d866e941db5a2cfed716e80114a5b9629
  SHA512: 5e530183a661daaf12dc65ad4beff73b2943b616c93c06a889a916ce805b683246567ada8003fe6b05c1d6168903118cae03792508d8c173ceb66b697c86127f