Analysis
- max time kernel: 126s
- max time network: 134s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 03:06
Static task: static1
Behavioral task: behavioral1
- Sample: 189723671cbb5c6674f93e8b2beb6ddbf0a781ba5a9c6a6d4c8ad573d75c06f3.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 189723671cbb5c6674f93e8b2beb6ddbf0a781ba5a9c6a6d4c8ad573d75c06f3.exe
- Resource: win10v2004-en-20220113
General
- Target: 189723671cbb5c6674f93e8b2beb6ddbf0a781ba5a9c6a6d4c8ad573d75c06f3.exe
- Size: 216KB
- MD5: 40c5fb51bcf576c757738b507666d0fa
- SHA1: 503905c395c0d7f83802d3144d4ec1d0756e3795
- SHA256: 189723671cbb5c6674f93e8b2beb6ddbf0a781ba5a9c6a6d4c8ad573d75c06f3
- SHA512: 9613b527836e526c164047cbb2af24050201b5907f4af7947bb5eda78fcbd74cc6e0d7edc969281bd80b7bdd2cd15f3e307967d4f97c02c7c49e50c4d51a6423
Malware Config
Signatures
- Sakula Payload (4 IoCs)
Processes:
resource | yara_rule
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
behavioral1/memory/1592-58-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
behavioral1/memory/1032-59-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
- Executes dropped EXE (1 IoC)
Processes:
pid | process
1032 | MediaCenter.exe
- Deletes itself (1 IoC)
Processes:
pid | process
1796 | cmd.exe
- Loads dropped DLL (1 IoC)
Processes:
pid | process
1592 | 189723671cbb5c6674f93e8b2beb6ddbf0a781ba5a9c6a6d4c8ad573d75c06f3.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 189723671cbb5c6674f93e8b2beb6ddbf0a781ba5a9c6a6d4c8ad573d75c06f3.exe
- Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
description | pid | process
Token: SeIncBasePriorityPrivilege | 1592 | 189723671cbb5c6674f93e8b2beb6ddbf0a781ba5a9c6a6d4c8ad573d75c06f3.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
description | pid | process | target process
PID 1592 wrote to memory of 1032 | 1592 | 189723671cbb5c6674f93e8b2beb6ddbf0a781ba5a9c6a6d4c8ad573d75c06f3.exe | MediaCenter.exe
PID 1592 wrote to memory of 1032 | 1592 | 189723671cbb5c6674f93e8b2beb6ddbf0a781ba5a9c6a6d4c8ad573d75c06f3.exe | MediaCenter.exe
PID 1592 wrote to memory of 1032 | 1592 | 189723671cbb5c6674f93e8b2beb6ddbf0a781ba5a9c6a6d4c8ad573d75c06f3.exe | MediaCenter.exe
PID 1592 wrote to memory of 1032 | 1592 | 189723671cbb5c6674f93e8b2beb6ddbf0a781ba5a9c6a6d4c8ad573d75c06f3.exe | MediaCenter.exe
PID 1592 wrote to memory of 1796 | 1592 | 189723671cbb5c6674f93e8b2beb6ddbf0a781ba5a9c6a6d4c8ad573d75c06f3.exe | cmd.exe
PID 1592 wrote to memory of 1796 | 1592 | 189723671cbb5c6674f93e8b2beb6ddbf0a781ba5a9c6a6d4c8ad573d75c06f3.exe | cmd.exe
PID 1592 wrote to memory of 1796 | 1592 | 189723671cbb5c6674f93e8b2beb6ddbf0a781ba5a9c6a6d4c8ad573d75c06f3.exe | cmd.exe
PID 1592 wrote to memory of 1796 | 1592 | 189723671cbb5c6674f93e8b2beb6ddbf0a781ba5a9c6a6d4c8ad573d75c06f3.exe | cmd.exe
PID 1796 wrote to memory of 1280 | 1796 | cmd.exe | PING.EXE
PID 1796 wrote to memory of 1280 | 1796 | cmd.exe | PING.EXE
PID 1796 wrote to memory of 1280 | 1796 | cmd.exe | PING.EXE
PID 1796 wrote to memory of 1280 | 1796 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\189723671cbb5c6674f93e8b2beb6ddbf0a781ba5a9c6a6d4c8ad573d75c06f3.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\189723671cbb5c6674f93e8b2beb6ddbf0a781ba5a9c6a6d4c8ad573d75c06f3.exe"
  PID: 1592
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 1032
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\189723671cbb5c6674f93e8b2beb6ddbf0a781ba5a9c6a6d4c8ad573d75c06f3.exe"
    PID: 1796
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    Child processes:
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 1280
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: f1989780cc5fcfda277aa11361919111
  SHA1: 36526ffeb21fa5e8e02f62bf62aa58313216324d
  SHA256: 8b27f14a23391d37f73e279810a7f4f4765f3f6d08dace8faab31aff8ab6339d
  SHA512: 17f50618b3531e816cb39f8f84b172f87903792178c8c40e2a45ef53aba832f2e1d400490c195af373e1b91e76c82805c2e4ccb2e7277e911a0d84875d22b265