Analysis
- max time kernel: 139s
- max time network: 155s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 03:03
Static task: static1
Behavioral task: behavioral1
- Sample: 18b40d316499a87430b4a8fc108cd827d4879fb982134fc5fb47ac61e5f76348.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 18b40d316499a87430b4a8fc108cd827d4879fb982134fc5fb47ac61e5f76348.exe
- Resource: win10v2004-en-20220112
General
- Target: 18b40d316499a87430b4a8fc108cd827d4879fb982134fc5fb47ac61e5f76348.exe
- Size: 92KB
- MD5: 3ef84c10c55dec6cc90f7f8d8317a772
- SHA1: 63fe6ca8c523f582ca8c517a3a0698d638cbcc53
- SHA256: 18b40d316499a87430b4a8fc108cd827d4879fb982134fc5fb47ac61e5f76348
- SHA512: 51b422610652683e40be56715358e5c11ac69d48d71b49feef50c99951322a75578f178ebc97fcd83ec8c083179ec0524276290e027d9af47d237ec045d6b825
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  Processes:
  resource | yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- Executes dropped EXE (1 IoC)
  Processes:
  pid | process
  1516 | MediaCenter.exe
- Deletes itself (1 IoC)
  Processes:
  pid | process
  1164 | cmd.exe
- Loads dropped DLL (1 IoC)
  Processes:
  pid | process
  804 | 18b40d316499a87430b4a8fc108cd827d4879fb982134fc5fb47ac61e5f76348.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 18b40d316499a87430b4a8fc108cd827d4879fb982134fc5fb47ac61e5f76348.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 804 | 18b40d316499a87430b4a8fc108cd827d4879fb982134fc5fb47ac61e5f76348.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
  description | pid | process | target process
  PID 804 wrote to memory of 1516 | 804 | 18b40d316499a87430b4a8fc108cd827d4879fb982134fc5fb47ac61e5f76348.exe | MediaCenter.exe
  PID 804 wrote to memory of 1516 | 804 | 18b40d316499a87430b4a8fc108cd827d4879fb982134fc5fb47ac61e5f76348.exe | MediaCenter.exe
  PID 804 wrote to memory of 1516 | 804 | 18b40d316499a87430b4a8fc108cd827d4879fb982134fc5fb47ac61e5f76348.exe | MediaCenter.exe
  PID 804 wrote to memory of 1516 | 804 | 18b40d316499a87430b4a8fc108cd827d4879fb982134fc5fb47ac61e5f76348.exe | MediaCenter.exe
  PID 804 wrote to memory of 1164 | 804 | 18b40d316499a87430b4a8fc108cd827d4879fb982134fc5fb47ac61e5f76348.exe | cmd.exe
  PID 804 wrote to memory of 1164 | 804 | 18b40d316499a87430b4a8fc108cd827d4879fb982134fc5fb47ac61e5f76348.exe | cmd.exe
  PID 804 wrote to memory of 1164 | 804 | 18b40d316499a87430b4a8fc108cd827d4879fb982134fc5fb47ac61e5f76348.exe | cmd.exe
  PID 804 wrote to memory of 1164 | 804 | 18b40d316499a87430b4a8fc108cd827d4879fb982134fc5fb47ac61e5f76348.exe | cmd.exe
  PID 1164 wrote to memory of 1184 | 1164 | cmd.exe | PING.EXE
  PID 1164 wrote to memory of 1184 | 1164 | cmd.exe | PING.EXE
  PID 1164 wrote to memory of 1184 | 1164 | cmd.exe | PING.EXE
  PID 1164 wrote to memory of 1184 | 1164 | cmd.exe | PING.EXE
Processes
- Image: C:\Users\Admin\AppData\Local\Temp\18b40d316499a87430b4a8fc108cd827d4879fb982134fc5fb47ac61e5f76348.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\18b40d316499a87430b4a8fc108cd827d4879fb982134fc5fb47ac61e5f76348.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 804
  - Image: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1516
  - Image: C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\18b40d316499a87430b4a8fc108cd827d4879fb982134fc5fb47ac61e5f76348.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1164
    - Image: C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1184
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 52e9e9a17b6419fbd06cb83e15591b4c
  SHA1: 5a84f18e6efc558fc781033e18141074b1fec834
  SHA256: f3a16680aa21b92191cbe400db489a62ea8b79fc54b64ae1fe34ff39da87804b
  SHA512: a541b9494705eda3dcf1b6414937fb96ff530403240a5cb7155cc55582299ba2c83d83945643b56bfae5bba5ac88c809987bdb137f263fa270712af0d5e67b2b