Analysis
max time kernel: 144s
max time network: 166s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 02:56

Static task: static1
Behavioral task: behavioral1
  Sample: 19052d8cd862fa403ad98605c9319537a0ba35e04a346ef86fa526c4e2cc697a.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 19052d8cd862fa403ad98605c9319537a0ba35e04a346ef86fa526c4e2cc697a.exe
  Resource: win10v2004-en-20220113
General
Target: 19052d8cd862fa403ad98605c9319537a0ba35e04a346ef86fa526c4e2cc697a.exe
Size: 79KB
MD5: 05cc67597bb3dc1f9963179a679c50a6
SHA1: f97de72a66d5186c8b1eefb1cdb171f3a00cfd9f
SHA256: 19052d8cd862fa403ad98605c9319537a0ba35e04a346ef86fa526c4e2cc697a
SHA512: 5fd57516257a17c236ff478b56560767e12f18e8b1a3c7484dae7618217997e8f0281afab04870eb0c454c955cc74a57faccd7e288dd1111e535121e03e35994
Malware Config
Signatures
Sakula Payload (3 IoCs)
Processes:
  resource | yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula

Executes dropped EXE (1 IoC)
Processes: MediaCenter.exe
  pid | process
  764 | MediaCenter.exe

Deletes itself (1 IoC)
Processes: cmd.exe
  pid | process
  1708 | cmd.exe

Loads dropped DLL (2 IoCs)
Processes: 19052d8cd862fa403ad98605c9319537a0ba35e04a346ef86fa526c4e2cc697a.exe
  pid | process
  1192 | 19052d8cd862fa403ad98605c9319537a0ba35e04a346ef86fa526c4e2cc697a.exe
  1192 | 19052d8cd862fa403ad98605c9319537a0ba35e04a346ef86fa526c4e2cc697a.exe

Adds Run key to start application (2 TTPs, 1 IoC)
Processes: 19052d8cd862fa403ad98605c9319537a0ba35e04a346ef86fa526c4e2cc697a.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 19052d8cd862fa403ad98605c9319537a0ba35e04a346ef86fa526c4e2cc697a.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTP, 1 IoC)

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes: 19052d8cd862fa403ad98605c9319537a0ba35e04a346ef86fa526c4e2cc697a.exe
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 1192 | 19052d8cd862fa403ad98605c9319537a0ba35e04a346ef86fa526c4e2cc697a.exe

Suspicious use of WriteProcessMemory (12 IoCs)
Processes: 19052d8cd862fa403ad98605c9319537a0ba35e04a346ef86fa526c4e2cc697a.exe, cmd.exe
  description | pid | process | target process
  PID 1192 wrote to memory of 764 | 1192 | 19052d8cd862fa403ad98605c9319537a0ba35e04a346ef86fa526c4e2cc697a.exe | MediaCenter.exe
  PID 1192 wrote to memory of 764 | 1192 | 19052d8cd862fa403ad98605c9319537a0ba35e04a346ef86fa526c4e2cc697a.exe | MediaCenter.exe
  PID 1192 wrote to memory of 764 | 1192 | 19052d8cd862fa403ad98605c9319537a0ba35e04a346ef86fa526c4e2cc697a.exe | MediaCenter.exe
  PID 1192 wrote to memory of 764 | 1192 | 19052d8cd862fa403ad98605c9319537a0ba35e04a346ef86fa526c4e2cc697a.exe | MediaCenter.exe
  PID 1192 wrote to memory of 1708 | 1192 | 19052d8cd862fa403ad98605c9319537a0ba35e04a346ef86fa526c4e2cc697a.exe | cmd.exe
  PID 1192 wrote to memory of 1708 | 1192 | 19052d8cd862fa403ad98605c9319537a0ba35e04a346ef86fa526c4e2cc697a.exe | cmd.exe
  PID 1192 wrote to memory of 1708 | 1192 | 19052d8cd862fa403ad98605c9319537a0ba35e04a346ef86fa526c4e2cc697a.exe | cmd.exe
  PID 1192 wrote to memory of 1708 | 1192 | 19052d8cd862fa403ad98605c9319537a0ba35e04a346ef86fa526c4e2cc697a.exe | cmd.exe
  PID 1708 wrote to memory of 1012 | 1708 | cmd.exe | PING.EXE
  PID 1708 wrote to memory of 1012 | 1708 | cmd.exe | PING.EXE
  PID 1708 wrote to memory of 1012 | 1708 | cmd.exe | PING.EXE
  PID 1708 wrote to memory of 1012 | 1708 | cmd.exe | PING.EXE
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\19052d8cd862fa403ad98605c9319537a0ba35e04a346ef86fa526c4e2cc697a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\19052d8cd862fa403ad98605c9319537a0ba35e04a346ef86fa526c4e2cc697a.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1192

  Level 2: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 764

  Level 2: C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\19052d8cd862fa403ad98605c9319537a0ba35e04a346ef86fa526c4e2cc697a.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1708

    Level 3: C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1012
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: 82fb8f06d9982c230878e5893f6b04ac
SHA1: 3ba8c83b010a806c67d6f4e09caed6e0b221a7a6
SHA256: ede3b4dc17cdc792cd611bb2e40a4e898b7c1accceed7227d7a4403625481c91
SHA512: aa4796ad8774879a1feeed65620df64b52cfe199416ab8d55083866b77fc1e986c9b6989000ee6907a410085ab494105ad4b62749cd42cdbe5f9e18b8c27919e