Analysis
max time kernel: 134s
max time network: 154s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 03:03
Static task: static1
Behavioral task: behavioral1
  Sample: 18b6bdf592dfe139db45d4bb4b101d1541eb24661bdb484fa142cfe871d7d3cc.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 18b6bdf592dfe139db45d4bb4b101d1541eb24661bdb484fa142cfe871d7d3cc.exe
  Resource: win10v2004-en-20220113
General
Target: 18b6bdf592dfe139db45d4bb4b101d1541eb24661bdb484fa142cfe871d7d3cc.exe
Size: 192KB
MD5: 9a1da133d53e004cc748fbb33d04998f
SHA1: 49dd1e3e7ff1ac18829e83cc0f95f8eac2f7bbb2
SHA256: 18b6bdf592dfe139db45d4bb4b101d1541eb24661bdb484fa142cfe871d7d3cc
SHA512: e8932e53841ef3bfeca43bbe84ee0271b17bf4dcedbd495699e4e2f2f0d490289b17eed7ea5c209119b41eff55ffc3bceed5c9ac86f4c936aa8661fb4db1e2b9
Malware Config
Signatures

Sakula Payload (3 IoCs)
  resource: \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe, yara_rule: family_sakula
  resource: \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe, yara_rule: family_sakula
  resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe, yara_rule: family_sakula

Executes dropped EXE (1 IoC)
  pid 1508, process MediaCenter.exe

Deletes itself (1 IoC)
  pid 1536, process cmd.exe

Loads dropped DLL (2 IoCs)
  pid 964, process 18b6bdf592dfe139db45d4bb4b101d1541eb24661bdb484fa142cfe871d7d3cc.exe
  pid 964, process 18b6bdf592dfe139db45d4bb4b101d1541eb24661bdb484fa142cfe871d7d3cc.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  process: 18b6bdf592dfe139db45d4bb4b101d1541eb24661bdb484fa142cfe871d7d3cc.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTP, 1 IoC)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description: Token: SeIncBasePriorityPrivilege
  pid 964, process 18b6bdf592dfe139db45d4bb4b101d1541eb24661bdb484fa142cfe871d7d3cc.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  PID 964 wrote to memory of 1508 (18b6bdf592dfe139db45d4bb4b101d1541eb24661bdb484fa142cfe871d7d3cc.exe -> MediaCenter.exe), 4 entries
  PID 964 wrote to memory of 1536 (18b6bdf592dfe139db45d4bb4b101d1541eb24661bdb484fa142cfe871d7d3cc.exe -> cmd.exe), 4 entries
  PID 1536 wrote to memory of 392 (cmd.exe -> PING.EXE), 4 entries
Processes
C:\Users\Admin\AppData\Local\Temp\18b6bdf592dfe139db45d4bb4b101d1541eb24661bdb484fa142cfe871d7d3cc.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\18b6bdf592dfe139db45d4bb4b101d1541eb24661bdb484fa142cfe871d7d3cc.exe"
  PID: 964
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      PID: 1508
      - Executes dropped EXE
    C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\18b6bdf592dfe139db45d4bb4b101d1541eb24661bdb484fa142cfe871d7d3cc.exe"
      PID: 1536
      - Deletes itself
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\PING.EXE
          command line: ping 127.0.0.1
          PID: 392
          - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: 7e4a693e5ab1222a8d7abbf6525e6640
SHA1: dc1f8c484dc2c42be8b5b0dd33a8a15a37dfe0a6
SHA256: ef48ad41b4cc538c5007e7a16085080ad43ecc29421a953ded3aca9c9fe2aae1
SHA512: f839dce7ae5771d1e3d7bca976ad4a2c99f4828d99ce15525a387a4e9e46b636b6da524a36b6941e78b3cada68cea3c505c774365874cfbf4e0e8b13473da503