Analysis
- max time kernel: 140s
- max time network: 172s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 03:02
Static task: static1
Behavioral task: behavioral1
  Sample: 18c09def78bbe812bf15fc58755ccef4b68a45b24c1f7fd408de900898a8378b.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 18c09def78bbe812bf15fc58755ccef4b68a45b24c1f7fd408de900898a8378b.exe
  Resource: win10v2004-en-20220113
General
- Target: 18c09def78bbe812bf15fc58755ccef4b68a45b24c1f7fd408de900898a8378b.exe
- Size: 144KB
- MD5: 02b10c58e74a7784a842ba3b0287a124
- SHA1: ca6b99c1fb3e4edf7ce4db2af131d2fc4fbe0cec
- SHA256: 18c09def78bbe812bf15fc58755ccef4b68a45b24c1f7fd408de900898a8378b
- SHA512: 79e975b06c70ac70c6f40f5e82239bf8f92c42fa45a0ffd73bb74af5cb2a481fd5a8cd7ae1cfc95b4f69dbdd4cd3db956cc3e08da2e5a03ab27c297ebf5f641c
Malware Config
Signatures
- Sakula Payload (3 IoCs)
  Processes:
  resource | yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- Executes dropped EXE (1 IoCs)
  Processes:
  pid | process
  1500 | MediaCenter.exe
- Deletes itself (1 IoCs)
  Processes:
  pid | process
  1156 | cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes:
  pid | process
  1192 | 18c09def78bbe812bf15fc58755ccef4b68a45b24c1f7fd408de900898a8378b.exe
  1192 | 18c09def78bbe812bf15fc58755ccef4b68a45b24c1f7fd408de900898a8378b.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 18c09def78bbe812bf15fc58755ccef4b68a45b24c1f7fd408de900898a8378b.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 1192 | 18c09def78bbe812bf15fc58755ccef4b68a45b24c1f7fd408de900898a8378b.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
  description | pid | process | target process
  PID 1192 wrote to memory of 1500 | 1192 | 18c09def78bbe812bf15fc58755ccef4b68a45b24c1f7fd408de900898a8378b.exe | MediaCenter.exe
  PID 1192 wrote to memory of 1500 | 1192 | 18c09def78bbe812bf15fc58755ccef4b68a45b24c1f7fd408de900898a8378b.exe | MediaCenter.exe
  PID 1192 wrote to memory of 1500 | 1192 | 18c09def78bbe812bf15fc58755ccef4b68a45b24c1f7fd408de900898a8378b.exe | MediaCenter.exe
  PID 1192 wrote to memory of 1500 | 1192 | 18c09def78bbe812bf15fc58755ccef4b68a45b24c1f7fd408de900898a8378b.exe | MediaCenter.exe
  PID 1192 wrote to memory of 1156 | 1192 | 18c09def78bbe812bf15fc58755ccef4b68a45b24c1f7fd408de900898a8378b.exe | cmd.exe
  PID 1192 wrote to memory of 1156 | 1192 | 18c09def78bbe812bf15fc58755ccef4b68a45b24c1f7fd408de900898a8378b.exe | cmd.exe
  PID 1192 wrote to memory of 1156 | 1192 | 18c09def78bbe812bf15fc58755ccef4b68a45b24c1f7fd408de900898a8378b.exe | cmd.exe
  PID 1192 wrote to memory of 1156 | 1192 | 18c09def78bbe812bf15fc58755ccef4b68a45b24c1f7fd408de900898a8378b.exe | cmd.exe
  PID 1156 wrote to memory of 1836 | 1156 | cmd.exe | PING.EXE
  PID 1156 wrote to memory of 1836 | 1156 | cmd.exe | PING.EXE
  PID 1156 wrote to memory of 1836 | 1156 | cmd.exe | PING.EXE
  PID 1156 wrote to memory of 1836 | 1156 | cmd.exe | PING.EXE
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\18c09def78bbe812bf15fc58755ccef4b68a45b24c1f7fd408de900898a8378b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\18c09def78bbe812bf15fc58755ccef4b68a45b24c1f7fd408de900898a8378b.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1192
  - [2] C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1500
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\18c09def78bbe812bf15fc58755ccef4b68a45b24c1f7fd408de900898a8378b.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1156
    - [3] C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1836
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: b783132508dd86fa4d4179dd3437a611
  SHA1: 41647e785cf50cabe4b94f5eceef2104c2578350
  SHA256: baf147781ccf2fd0fd4f015af32d0d1a04bdf8d12124737f1210e1c3c91e7710
  SHA512: 1ee3dcb7a5947ca3469ae9eecfb55440be66bcf5ec91d1cc67cd9141f239121d747faa76ff20efa887a03270c1a1d50bc9dcb9fd8b719f84a893032a6c1b2a6f