Analysis
max time kernel: 145s
max time network: 149s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 02:54
Static task: static1
Behavioral task: behavioral1
Sample: 191ae443bcefdc26a3925353540020282a5a6350ea816bdd24bf90100235ca7b.exe
Resource: win7-en-20211208
Behavioral task: behavioral2
Sample: 191ae443bcefdc26a3925353540020282a5a6350ea816bdd24bf90100235ca7b.exe
Resource: win10v2004-en-20220113
General
Target: 191ae443bcefdc26a3925353540020282a5a6350ea816bdd24bf90100235ca7b.exe
Size: 216KB
MD5: add338167c776cd07b98eb511ff2b3e5
SHA1: 87c9c30a64ccc7d6f7aad6a8700cc35761a16c5b
SHA256: 191ae443bcefdc26a3925353540020282a5a6350ea816bdd24bf90100235ca7b
SHA512: f7ea3ffa22600ee1c207ad23fe70ad8bd858f7394c9ad3c7aa7779be80900b73541d6b49661f2f42a52339824b36b76121a1b7f2996da80199f4e3bed4934535
Malware Config
Signatures
-
Sakula Payload 4 IoCs
Processes:
resource | yara_rule
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
behavioral1/memory/452-57-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
behavioral1/memory/1276-58-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
Executes dropped EXE 1 IoCs
Processes: MediaCenter.exe
pid | process
1276 | MediaCenter.exe
Deletes itself 1 IoCs
Processes: cmd.exe
pid | process
616 | cmd.exe
Loads dropped DLL 1 IoCs
Processes: 191ae443bcefdc26a3925353540020282a5a6350ea816bdd24bf90100235ca7b.exe
pid | process
452 | 191ae443bcefdc26a3925353540020282a5a6350ea816bdd24bf90100235ca7b.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes: 191ae443bcefdc26a3925353540020282a5a6350ea816bdd24bf90100235ca7b.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 191ae443bcefdc26a3925353540020282a5a6350ea816bdd24bf90100235ca7b.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes: 191ae443bcefdc26a3925353540020282a5a6350ea816bdd24bf90100235ca7b.exe
description | pid | process
Token: SeIncBasePriorityPrivilege | 452 | 191ae443bcefdc26a3925353540020282a5a6350ea816bdd24bf90100235ca7b.exe
Suspicious use of WriteProcessMemory 12 IoCs
Processes: 191ae443bcefdc26a3925353540020282a5a6350ea816bdd24bf90100235ca7b.exe, cmd.exe
description | pid | process | target process
PID 452 wrote to memory of 1276 | 452 | 191ae443bcefdc26a3925353540020282a5a6350ea816bdd24bf90100235ca7b.exe | MediaCenter.exe
PID 452 wrote to memory of 1276 | 452 | 191ae443bcefdc26a3925353540020282a5a6350ea816bdd24bf90100235ca7b.exe | MediaCenter.exe
PID 452 wrote to memory of 1276 | 452 | 191ae443bcefdc26a3925353540020282a5a6350ea816bdd24bf90100235ca7b.exe | MediaCenter.exe
PID 452 wrote to memory of 1276 | 452 | 191ae443bcefdc26a3925353540020282a5a6350ea816bdd24bf90100235ca7b.exe | MediaCenter.exe
PID 452 wrote to memory of 616 | 452 | 191ae443bcefdc26a3925353540020282a5a6350ea816bdd24bf90100235ca7b.exe | cmd.exe
PID 452 wrote to memory of 616 | 452 | 191ae443bcefdc26a3925353540020282a5a6350ea816bdd24bf90100235ca7b.exe | cmd.exe
PID 452 wrote to memory of 616 | 452 | 191ae443bcefdc26a3925353540020282a5a6350ea816bdd24bf90100235ca7b.exe | cmd.exe
PID 452 wrote to memory of 616 | 452 | 191ae443bcefdc26a3925353540020282a5a6350ea816bdd24bf90100235ca7b.exe | cmd.exe
PID 616 wrote to memory of 1996 | 616 | cmd.exe | PING.EXE
PID 616 wrote to memory of 1996 | 616 | cmd.exe | PING.EXE
PID 616 wrote to memory of 1996 | 616 | cmd.exe | PING.EXE
PID 616 wrote to memory of 1996 | 616 | cmd.exe | PING.EXE
Processes
C:\Users\Admin\AppData\Local\Temp\191ae443bcefdc26a3925353540020282a5a6350ea816bdd24bf90100235ca7b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\191ae443bcefdc26a3925353540020282a5a6350ea816bdd24bf90100235ca7b.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 452
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1276
  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\191ae443bcefdc26a3925353540020282a5a6350ea816bdd24bf90100235ca7b.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 616
    C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1996
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: 165e01835e4178f32b3a100a29177377
SHA1: f4636ffd7e65cc0a2ec2067a6053715d8e45e6ae
SHA256: 76870f0db0fe045aec81ff6559be1922226513fbf4f9cf3aefd7917156ed9646
SHA512: 9b67ecb2d099eb6861e7da7745dce47906dda961a1802fe81aa2144702b732daa9e4b2142fd5d08288d423bd1fb622e3a25ce86ce7c140933c608df77b98ea1f