Analysis
- max time kernel: 138s
- max time network: 160s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 03:03
Static task: static1
Behavioral task: behavioral1
- Sample: 18b3eb5679c447691b85a5aeda46c6fe56c72d9f3e1d2bce1386cadf93638e32.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 18b3eb5679c447691b85a5aeda46c6fe56c72d9f3e1d2bce1386cadf93638e32.exe
- Resource: win10v2004-en-20220113
General
- Target: 18b3eb5679c447691b85a5aeda46c6fe56c72d9f3e1d2bce1386cadf93638e32.exe
- Size: 192KB
- MD5: 25f3bcd45f14f7130dd5bafa329b876e
- SHA1: 7a2281175d79c80dd4b251cd2ba4646e9dda4588
- SHA256: 18b3eb5679c447691b85a5aeda46c6fe56c72d9f3e1d2bce1386cadf93638e32
- SHA512: 99a89af4088d72ec2aee87d13415ee294301f1c42ac39e9106bfd7908314bebe7ce475a467c96e0446cab8f8dd99bd35dd881036d023c6b877eac36d5c457a73
Malware Config
Signatures
- Sakula Payload (3 IoCs)
  Processes:
    resource                                                      yara_rule
    \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe    family_sakula
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  family_sakula
    \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe    family_sakula
- Executes dropped EXE (1 IoCs)
  Processes:
    pid   process
    524   MediaCenter.exe
- Deletes itself (1 IoCs)
  Processes:
    pid   process
    1828  cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes:
    pid   process
    1632  18b3eb5679c447691b85a5aeda46c6fe56c72d9f3e1d2bce1386cadf93638e32.exe
    1632  18b3eb5679c447691b85a5aeda46c6fe56c72d9f3e1d2bce1386cadf93638e32.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
    description      ioc                                                                                                                                          process
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  18b3eb5679c447691b85a5aeda46c6fe56c72d9f3e1d2bce1386cadf93638e32.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
    description                        pid   process
    Token: SeIncBasePriorityPrivilege  1632  18b3eb5679c447691b85a5aeda46c6fe56c72d9f3e1d2bce1386cadf93638e32.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
    description                        pid   process                                                                  target process
    PID 1632 wrote to memory of 524    1632  18b3eb5679c447691b85a5aeda46c6fe56c72d9f3e1d2bce1386cadf93638e32.exe  MediaCenter.exe
    PID 1632 wrote to memory of 524    1632  18b3eb5679c447691b85a5aeda46c6fe56c72d9f3e1d2bce1386cadf93638e32.exe  MediaCenter.exe
    PID 1632 wrote to memory of 524    1632  18b3eb5679c447691b85a5aeda46c6fe56c72d9f3e1d2bce1386cadf93638e32.exe  MediaCenter.exe
    PID 1632 wrote to memory of 524    1632  18b3eb5679c447691b85a5aeda46c6fe56c72d9f3e1d2bce1386cadf93638e32.exe  MediaCenter.exe
    PID 1632 wrote to memory of 1828   1632  18b3eb5679c447691b85a5aeda46c6fe56c72d9f3e1d2bce1386cadf93638e32.exe  cmd.exe
    PID 1632 wrote to memory of 1828   1632  18b3eb5679c447691b85a5aeda46c6fe56c72d9f3e1d2bce1386cadf93638e32.exe  cmd.exe
    PID 1632 wrote to memory of 1828   1632  18b3eb5679c447691b85a5aeda46c6fe56c72d9f3e1d2bce1386cadf93638e32.exe  cmd.exe
    PID 1632 wrote to memory of 1828   1632  18b3eb5679c447691b85a5aeda46c6fe56c72d9f3e1d2bce1386cadf93638e32.exe  cmd.exe
    PID 1828 wrote to memory of 1260   1828  cmd.exe                                                                  PING.EXE
    PID 1828 wrote to memory of 1260   1828  cmd.exe                                                                  PING.EXE
    PID 1828 wrote to memory of 1260   1828  cmd.exe                                                                  PING.EXE
    PID 1828 wrote to memory of 1260   1828  cmd.exe                                                                  PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\18b3eb5679c447691b85a5aeda46c6fe56c72d9f3e1d2bce1386cadf93638e32.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\18b3eb5679c447691b85a5aeda46c6fe56c72d9f3e1d2bce1386cadf93638e32.exe"
  PID: 1632
  Signatures:
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 524
    Signatures:
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\18b3eb5679c447691b85a5aeda46c6fe56c72d9f3e1d2bce1386cadf93638e32.exe"
    PID: 1828
    Signatures:
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    Child processes:
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 1260
      Signatures:
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: e1d8a714f4aab00390dd9172fcd1541c
  SHA1: e66749be4eb08e1f1dbc887609eeb1eeb3247ed4
  SHA256: 8f6cb80542638d829485520d8c66f89a79fa80b030261b3dbad35ce67108c6ae
  SHA512: 2e12376677f04b94e56025f0d3ece5911b4c70c3072dbd7ac103ee118319fa98998fa1a4593265b2f312b9eef94b97fb167eb055de91397caaf691da8e1f8289