Analysis
max time kernel: 147s
max time network: 155s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 02:54
Static task: static1
Behavioral task: behavioral1
  Sample: 191d58388535debe9486a0611db2d9ce88ac59ee8dd363f3e36a0bd15008382b.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 191d58388535debe9486a0611db2d9ce88ac59ee8dd363f3e36a0bd15008382b.exe
  Resource: win10v2004-en-20220112
General
Target: 191d58388535debe9486a0611db2d9ce88ac59ee8dd363f3e36a0bd15008382b.exe
Size: 99KB
MD5: e67a768d42802365f4e67b692939a50c
SHA1: 649e0ae34acea76ded16d47f404aff4c5e139420
SHA256: 191d58388535debe9486a0611db2d9ce88ac59ee8dd363f3e36a0bd15008382b
SHA512: 5f802a6f2941184fa12e31340b2bc76e85d9d2150fbd3be716ec275c952f15378b134d4ee5fca3f6475eaa2a66504414cac1aef8ce72d5db6e7aefc8eec24f88
Malware Config
Signatures
- Sakula Payload (3 IoCs)
  Processes (resource | yara_rule):
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- Executes dropped EXE (1 IoC)
  Processes (pid | process):
  964 | MediaCenter.exe
- Deletes itself (1 IoC)
  Processes (pid | process):
  828 | cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid | process):
  1844 | 191d58388535debe9486a0611db2d9ce88ac59ee8dd363f3e36a0bd15008382b.exe
  1844 | 191d58388535debe9486a0611db2d9ce88ac59ee8dd363f3e36a0bd15008382b.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description | ioc | process):
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 191d58388535debe9486a0611db2d9ce88ac59ee8dd363f3e36a0bd15008382b.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description | pid | process):
  Token: SeIncBasePriorityPrivilege | 1844 | 191d58388535debe9486a0611db2d9ce88ac59ee8dd363f3e36a0bd15008382b.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description | pid | process | target process):
  PID 1844 wrote to memory of 964 | 1844 | 191d58388535debe9486a0611db2d9ce88ac59ee8dd363f3e36a0bd15008382b.exe | MediaCenter.exe
  PID 1844 wrote to memory of 964 | 1844 | 191d58388535debe9486a0611db2d9ce88ac59ee8dd363f3e36a0bd15008382b.exe | MediaCenter.exe
  PID 1844 wrote to memory of 964 | 1844 | 191d58388535debe9486a0611db2d9ce88ac59ee8dd363f3e36a0bd15008382b.exe | MediaCenter.exe
  PID 1844 wrote to memory of 964 | 1844 | 191d58388535debe9486a0611db2d9ce88ac59ee8dd363f3e36a0bd15008382b.exe | MediaCenter.exe
  PID 1844 wrote to memory of 828 | 1844 | 191d58388535debe9486a0611db2d9ce88ac59ee8dd363f3e36a0bd15008382b.exe | cmd.exe
  PID 1844 wrote to memory of 828 | 1844 | 191d58388535debe9486a0611db2d9ce88ac59ee8dd363f3e36a0bd15008382b.exe | cmd.exe
  PID 1844 wrote to memory of 828 | 1844 | 191d58388535debe9486a0611db2d9ce88ac59ee8dd363f3e36a0bd15008382b.exe | cmd.exe
  PID 1844 wrote to memory of 828 | 1844 | 191d58388535debe9486a0611db2d9ce88ac59ee8dd363f3e36a0bd15008382b.exe | cmd.exe
  PID 828 wrote to memory of 1972 | 828 | cmd.exe | PING.EXE
  PID 828 wrote to memory of 1972 | 828 | cmd.exe | PING.EXE
  PID 828 wrote to memory of 1972 | 828 | cmd.exe | PING.EXE
  PID 828 wrote to memory of 1972 | 828 | cmd.exe | PING.EXE
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\191d58388535debe9486a0611db2d9ce88ac59ee8dd363f3e36a0bd15008382b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\191d58388535debe9486a0611db2d9ce88ac59ee8dd363f3e36a0bd15008382b.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1844
  Level 2: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 964
  Level 2: C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\191d58388535debe9486a0611db2d9ce88ac59ee8dd363f3e36a0bd15008382b.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 828
    Level 3: C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1972
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: 6742ea19bf803842ab469f1246372932
SHA1: 05cf548c945bd94c105a3ca15c9728c5e920e0c1
SHA256: aaa56b96a1c0b37d6bb3dacf4b254f4fac3cd990c071c3430973b7456a78c24b
SHA512: 221d3a8d993c4b7b2cae6d7efdcc9eebee1df8ea98eb51bd188239d22ee144c10426b0140d1b15f97c87854a7b9045604777eee9c4b289ed300d5c6add789f7d