Analysis
- max time kernel: 152s
- max time network: 160s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 02:57
Static task: static1
Behavioral task: behavioral1
  Sample: 18f84bdb542e635ac3ac945de6b5b98905fdddc5b2a70f7ad94b81867deb6bcc.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 18f84bdb542e635ac3ac945de6b5b98905fdddc5b2a70f7ad94b81867deb6bcc.exe
  Resource: win10v2004-en-20220112
General
- Target: 18f84bdb542e635ac3ac945de6b5b98905fdddc5b2a70f7ad94b81867deb6bcc.exe
- Size: 100KB
- MD5: 40838f13add6d2d951097039e343b091
- SHA1: f953ee277543648ec5f4f0151077d3927b638c60
- SHA256: 18f84bdb542e635ac3ac945de6b5b98905fdddc5b2a70f7ad94b81867deb6bcc
- SHA512: 47aa3259b24939ef4c1878d5d00f7cbc340a8a7bb4c2f4b21f5f2b9841eece8948ff59313d3ee5e16ffc604c29c4b5db21f3e7ad2a719384b08f603465882291
Malware Config
Signatures
- Sakula Payload (3 IoCs)
  Processes:
  resource | yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- Executes dropped EXE (1 IoCs)
  Processes:
  pid | process
  1096 | MediaCenter.exe
- Deletes itself (1 IoCs)
  Processes:
  pid | process
  1188 | cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes:
  pid | process
  840 | 18f84bdb542e635ac3ac945de6b5b98905fdddc5b2a70f7ad94b81867deb6bcc.exe
  840 | 18f84bdb542e635ac3ac945de6b5b98905fdddc5b2a70f7ad94b81867deb6bcc.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 18f84bdb542e635ac3ac945de6b5b98905fdddc5b2a70f7ad94b81867deb6bcc.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 840 | 18f84bdb542e635ac3ac945de6b5b98905fdddc5b2a70f7ad94b81867deb6bcc.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
  description | pid | process | target process
  PID 840 wrote to memory of 1096 | 840 | 18f84bdb542e635ac3ac945de6b5b98905fdddc5b2a70f7ad94b81867deb6bcc.exe | MediaCenter.exe
  PID 840 wrote to memory of 1096 | 840 | 18f84bdb542e635ac3ac945de6b5b98905fdddc5b2a70f7ad94b81867deb6bcc.exe | MediaCenter.exe
  PID 840 wrote to memory of 1096 | 840 | 18f84bdb542e635ac3ac945de6b5b98905fdddc5b2a70f7ad94b81867deb6bcc.exe | MediaCenter.exe
  PID 840 wrote to memory of 1096 | 840 | 18f84bdb542e635ac3ac945de6b5b98905fdddc5b2a70f7ad94b81867deb6bcc.exe | MediaCenter.exe
  PID 840 wrote to memory of 1188 | 840 | 18f84bdb542e635ac3ac945de6b5b98905fdddc5b2a70f7ad94b81867deb6bcc.exe | cmd.exe
  PID 840 wrote to memory of 1188 | 840 | 18f84bdb542e635ac3ac945de6b5b98905fdddc5b2a70f7ad94b81867deb6bcc.exe | cmd.exe
  PID 840 wrote to memory of 1188 | 840 | 18f84bdb542e635ac3ac945de6b5b98905fdddc5b2a70f7ad94b81867deb6bcc.exe | cmd.exe
  PID 840 wrote to memory of 1188 | 840 | 18f84bdb542e635ac3ac945de6b5b98905fdddc5b2a70f7ad94b81867deb6bcc.exe | cmd.exe
  PID 1188 wrote to memory of 392 | 1188 | cmd.exe | PING.EXE
  PID 1188 wrote to memory of 392 | 1188 | cmd.exe | PING.EXE
  PID 1188 wrote to memory of 392 | 1188 | cmd.exe | PING.EXE
  PID 1188 wrote to memory of 392 | 1188 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\18f84bdb542e635ac3ac945de6b5b98905fdddc5b2a70f7ad94b81867deb6bcc.exe (PID 840, level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\18f84bdb542e635ac3ac945de6b5b98905fdddc5b2a70f7ad94b81867deb6bcc.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child process: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 1096, level 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  Child process: C:\Windows\SysWOW64\cmd.exe (PID 1188, level 2)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\18f84bdb542e635ac3ac945de6b5b98905fdddc5b2a70f7ad94b81867deb6bcc.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    Child process: C:\Windows\SysWOW64\PING.EXE (PID 392, level 3)
      Command line: ping 127.0.0.1
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: b459467fe1997f6ffefeee696ad52d47
  SHA1: 9a5f03c984dd8a50adce5c00833bd61e51cf0272
  SHA256: e155e9adf3448f53182355bae71c4962c5384ebf87bd043cc81157fea56c1b03
  SHA512: 74134066f05f6f558084ecae9cacf0db40e3bb649fcd588f076d6f48e7c8da3fab8949849fd7e400b4c5fa9670ac1f721709d755d3d9fb236ef55c2c5473dc23