Analysis
max time kernel: 139s
max time network: 159s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 03:00
Static task: static1
Behavioral task: behavioral1
  Sample: 18d77f871460b8b0c760d2965bc265350056f449f4d229a5e3b4867049bf2241.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 18d77f871460b8b0c760d2965bc265350056f449f4d229a5e3b4867049bf2241.exe
  Resource: win10v2004-en-20220113
General
Target: 18d77f871460b8b0c760d2965bc265350056f449f4d229a5e3b4867049bf2241.exe
Size: 92KB
MD5: b6eb8f16cd609dafe310c5e033532ef8
SHA1: e1c893f72847b12757a4aa5d70c23245ce62cc29
SHA256: 18d77f871460b8b0c760d2965bc265350056f449f4d229a5e3b4867049bf2241
SHA512: 14e747ead4cda8b819e8bd039b3b2c9df3cb2e7093dfab501af85f9851d449a38cf2fd7fb44fb27f574e6e5423012d94d168175edfb889ce892f9dfae3ac0a59
Malware Config
Signatures
-
Sakula Payload 2 IoCs
Processes:
  resource: \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  yara_rule: family_sakula
  resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  yara_rule: family_sakula
Executes dropped EXE 1 IoCs
Processes:
  pid: 1672  process: MediaCenter.exe
Deletes itself 1 IoCs
Processes:
  pid: 1060  process: cmd.exe
Loads dropped DLL 1 IoCs
Processes:
  pid: 1316  process: 18d77f871460b8b0c760d2965bc265350056f449f4d229a5e3b4867049bf2241.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
  description: Set value (str)  ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  process: 18d77f871460b8b0c760d2965bc265350056f449f4d229a5e3b4867049bf2241.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
  description: Token: SeIncBasePriorityPrivilege  pid: 1316  process: 18d77f871460b8b0c760d2965bc265350056f449f4d229a5e3b4867049bf2241.exe
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
  description: PID 1316 wrote to memory of 1672  pid: 1316  process: 18d77f871460b8b0c760d2965bc265350056f449f4d229a5e3b4867049bf2241.exe  target process: MediaCenter.exe
  description: PID 1316 wrote to memory of 1672  pid: 1316  process: 18d77f871460b8b0c760d2965bc265350056f449f4d229a5e3b4867049bf2241.exe  target process: MediaCenter.exe
  description: PID 1316 wrote to memory of 1672  pid: 1316  process: 18d77f871460b8b0c760d2965bc265350056f449f4d229a5e3b4867049bf2241.exe  target process: MediaCenter.exe
  description: PID 1316 wrote to memory of 1672  pid: 1316  process: 18d77f871460b8b0c760d2965bc265350056f449f4d229a5e3b4867049bf2241.exe  target process: MediaCenter.exe
  description: PID 1316 wrote to memory of 1060  pid: 1316  process: 18d77f871460b8b0c760d2965bc265350056f449f4d229a5e3b4867049bf2241.exe  target process: cmd.exe
  description: PID 1316 wrote to memory of 1060  pid: 1316  process: 18d77f871460b8b0c760d2965bc265350056f449f4d229a5e3b4867049bf2241.exe  target process: cmd.exe
  description: PID 1316 wrote to memory of 1060  pid: 1316  process: 18d77f871460b8b0c760d2965bc265350056f449f4d229a5e3b4867049bf2241.exe  target process: cmd.exe
  description: PID 1316 wrote to memory of 1060  pid: 1316  process: 18d77f871460b8b0c760d2965bc265350056f449f4d229a5e3b4867049bf2241.exe  target process: cmd.exe
  description: PID 1060 wrote to memory of 1572  pid: 1060  process: cmd.exe  target process: PING.EXE
  description: PID 1060 wrote to memory of 1572  pid: 1060  process: cmd.exe  target process: PING.EXE
  description: PID 1060 wrote to memory of 1572  pid: 1060  process: cmd.exe  target process: PING.EXE
  description: PID 1060 wrote to memory of 1572  pid: 1060  process: cmd.exe  target process: PING.EXE
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\18d77f871460b8b0c760d2965bc265350056f449f4d229a5e3b4867049bf2241.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\18d77f871460b8b0c760d2965bc265350056f449f4d229a5e3b4867049bf2241.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1316
  Level 2: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1672
  Level 2: C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\18d77f871460b8b0c760d2965bc265350056f449f4d229a5e3b4867049bf2241.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1060
    Level 3: C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1572
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: a5cdaa0987a01d8eb4d53e70af13d758
SHA1: 9121cee7e97ec708fb3704f998f5ec1296128dc6
SHA256: 1df12f0d5527b518459f0b32d2bcb4afcfc10a7930fd272c3e0add87a92f7320
SHA512: dacb99b862837459701e0ef46bd8c9f008c3ac5e734a45e352d4b546724aac8d4d107f38fa8593fe1d97a87ccb7c3563cbbe5f3372ee36d85ea744fb4e651504