Analysis
max time kernel: 147s
max time network: 180s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 03:01
Static task: static1
Behavioral task: behavioral1
  Sample: 18c1b96f4d5d2469afdb0044ccd295b3654f123571c255d0367e2274ee797124.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 18c1b96f4d5d2469afdb0044ccd295b3654f123571c255d0367e2274ee797124.exe
  Resource: win10v2004-en-20220112
General
Target: 18c1b96f4d5d2469afdb0044ccd295b3654f123571c255d0367e2274ee797124.exe
Size: 101KB
MD5: b6ac54687eca082135b2c9db71e6052e
SHA1: d9f81879fccf7dcb33c79593a1a7c44df298aa31
SHA256: 18c1b96f4d5d2469afdb0044ccd295b3654f123571c255d0367e2274ee797124
SHA512: 7bbc1ea855a2957b1be1812b5f12c02300a3334d148b98446a359d1a67c3e8d8056bf26fa2d4d97f3bc3690dac2c491e5558b714f33e1f9cf62777f5052bcc5b
Malware Config
Signatures

Sakula Payload (3 IoCs)
Processes:
- resource: \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe; yara_rule: family_sakula
- resource: \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe; yara_rule: family_sakula
- resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe; yara_rule: family_sakula

Executes dropped EXE (1 IoC)
Processes:
- pid: 944; process: MediaCenter.exe

Deletes itself (1 IoC)
Processes:
- pid: 1952; process: cmd.exe

Loads dropped DLL (2 IoCs)
Processes:
- pid: 1704; process: 18c1b96f4d5d2469afdb0044ccd295b3654f123571c255d0367e2274ee797124.exe
- pid: 1704; process: 18c1b96f4d5d2469afdb0044ccd295b3654f123571c255d0367e2274ee797124.exe

Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
- description: Set value (str); ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"; process: 18c1b96f4d5d2469afdb0044ccd295b3654f123571c255d0367e2274ee797124.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTP, 1 IoC)

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
- description: Token: SeIncBasePriorityPrivilege; pid: 1704; process: 18c1b96f4d5d2469afdb0044ccd295b3654f123571c255d0367e2274ee797124.exe

Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
- description: PID 1704 wrote to memory of 944 (4 identical events); pid: 1704; process: 18c1b96f4d5d2469afdb0044ccd295b3654f123571c255d0367e2274ee797124.exe; target process: MediaCenter.exe
- description: PID 1704 wrote to memory of 1952 (4 identical events); pid: 1704; process: 18c1b96f4d5d2469afdb0044ccd295b3654f123571c255d0367e2274ee797124.exe; target process: cmd.exe
- description: PID 1952 wrote to memory of 1800 (4 identical events); pid: 1952; process: cmd.exe; target process: PING.EXE
Processes

1. C:\Users\Admin\AppData\Local\Temp\18c1b96f4d5d2469afdb0044ccd295b3654f123571c255d0367e2274ee797124.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\18c1b96f4d5d2469afdb0044ccd295b3654f123571c255d0367e2274ee797124.exe"
   PID: 1704
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      PID: 944
      - Executes dropped EXE
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\18c1b96f4d5d2469afdb0044ccd295b3654f123571c255d0367e2274ee797124.exe"
      PID: 1952
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\PING.EXE
         Command line: ping 127.0.0.1
         PID: 1800
         - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: 7cd29efc38f39205050c78e9edd19b23
SHA1: 8a4a56abf4c7d9ac039cdd87c698b748e7ee68af
SHA256: 09cfc9e9672b290cad0f3037247cfbe2c964d2696dd8ee34c01c6e7d4d79fd5f
SHA512: 4d7932667bca5c9bfcc743413f08f753cc3a8fee9812175b5ed1a6faadf6f28dcf9044316a708b41c2db033b836c066ab7178a48f8710d202edc6ac9c5039abd