Analysis
max time kernel: 142s
max time network: 151s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 03:06
Static task: static1
Behavioral task: behavioral1
  Sample: 1891ca6eb7e7e9aabab817b7e83eb82c400836952b2ad0f58a3ac2ff24da6187.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 1891ca6eb7e7e9aabab817b7e83eb82c400836952b2ad0f58a3ac2ff24da6187.exe
  Resource: win10v2004-en-20220112
General
Target: 1891ca6eb7e7e9aabab817b7e83eb82c400836952b2ad0f58a3ac2ff24da6187.exe
Size: 150KB
MD5: 3c30a0951fb24a5c3166fbcb35dafcca
SHA1: fba602abb1f9018a9a2ab1ac60e3b85a8a19fce6
SHA256: 1891ca6eb7e7e9aabab817b7e83eb82c400836952b2ad0f58a3ac2ff24da6187
SHA512: 9e78656a613fb3a244c02142bca9801b81be8ac52cb780730d7750b5114b15ccf1b909dbb8e5bf185a1ffd8ae0c793edc96fcfb5930d09734b258e765dc1dc27
Malware Config
Signatures
Sakula Payload (2 IoCs)
resource                                                      yara_rule
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe    family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  family_sakula
Executes dropped EXE (1 IoC)
pid   process
1608  MediaCenter.exe
Deletes itself (1 IoC)
pid   process
916   cmd.exe
Loads dropped DLL (1 IoC)
pid   process
1740  1891ca6eb7e7e9aabab817b7e83eb82c400836952b2ad0f58a3ac2ff24da6187.exe
Adds Run key to start application (2 TTPs, 1 IoC)
description: Set value (str)
ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
process: 1891ca6eb7e7e9aabab817b7e83eb82c400836952b2ad0f58a3ac2ff24da6187.exe (PID 1740)
Note: the Wow6432Node path is the registry-redirected view a 32-bit process gets on 64-bit Windows; the value is the machine-wide Run key, so when hunting on 64-bit hosts check both HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and its Wow6432Node counterpart for a MicroMedia value.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description labels this "likely ransomware behaviour", but it is a low-confidence heuristic on its own: the payload here is classified as Sakula (a backdoor/RAT) by the YARA match above, and no file-encryption activity is recorded in this report.
Runs ping.exe (1 TTP, 1 IoC)
Suspicious use of AdjustPrivilegeToken (1 IoC)
description                        pid   process
Token: SeIncBasePriorityPrivilege  1740  1891ca6eb7e7e9aabab817b7e83eb82c400836952b2ad0f58a3ac2ff24da6187.exe
Suspicious use of WriteProcessMemory (12 IoCs)
description                   pid   process                                                                   target process
PID 1740 wrote to memory of 1608  1740  1891ca6eb7e7e9aabab817b7e83eb82c400836952b2ad0f58a3ac2ff24da6187.exe  MediaCenter.exe (4 events)
PID 1740 wrote to memory of 916   1740  1891ca6eb7e7e9aabab817b7e83eb82c400836952b2ad0f58a3ac2ff24da6187.exe  cmd.exe (4 events)
PID 916 wrote to memory of 1984   916   cmd.exe                                                                   PING.EXE (4 events)
Each target is a direct child of the writing process in the process tree below, so these writes are consistent with ordinary process creation by the parent; the report records no write into a process the writer did not spawn.
Processes
1. C:\Users\Admin\AppData\Local\Temp\1891ca6eb7e7e9aabab817b7e83eb82c400836952b2ad0f58a3ac2ff24da6187.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\1891ca6eb7e7e9aabab817b7e83eb82c400836952b2ad0f58a3ac2ff24da6187.exe"
   PID: 1740
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      PID: 1608
      - Executes dropped EXE
   2. C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\1891ca6eb7e7e9aabab817b7e83eb82c400836952b2ad0f58a3ac2ff24da6187.exe"
      PID: 916
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\PING.EXE
         command line: ping 127.0.0.1
         PID: 1984
         - Runs ping.exe
The dropper requests "C:\Windows\System32\cmd.exe" but the process image recorded is C:\Windows\SysWOW64\cmd.exe: the sample is a 32-bit binary, so WOW64 file-system redirection applies, consistent with the Wow6432Node Run key above. The "ping 127.0.0.1 & del /q" chain is the usual self-deletion trick: the ping call only buys a short delay so the original file handle is released before del runs, leaving the dropped MediaCenter.exe as the persistent component.
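The two behaviours that matter for hunting here are the self-deletion via cmd.exe and the Run value pointing into a user's Temp directory. The following detection logic is an added example, not code from the Triage report or from the sample: it scans constructed Sysmon-style records (EventID 1 process creation, EventID 13 registry value set, with field names following Sysmon) built from the PIDs and paths in this report, plus one benign control record, and flags a cmd.exe child whose "ping ... & del" target is its own parent's image, and any Run/RunOnce value (native or Wow6432Node) whose data lives under AppData\Local\Temp.

```python
"""Detect the self-delete and Temp-directory Run-key behaviours from the report.

Added example, not part of the original report. Event records are constructed
to mirror the process tree and registry IoC above; field names follow Sysmon
(EventID 1 = process creation, EventID 13 = registry value set).
"""
import re
from typing import Dict, List, Optional

DROPPER = r"C:\Users\Admin\AppData\Local\Temp\1891ca6eb7e7e9aabab817b7e83eb82c400836952b2ad0f58a3ac2ff24da6187.exe"
PAYLOAD = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

# Constructed events modelled on the report (PIDs 1740, 1608, 916, 1984) plus a
# benign control: explorer.exe launching cmd to delete a downloaded installer.
EVENTS: List[Dict] = [
    {"EventID": 1, "ProcessId": 1740, "ParentProcessId": 1000, "Image": DROPPER,
     "CommandLine": f'"{DROPPER}"'},
    {"EventID": 13, "ProcessId": 1740, "Image": DROPPER,
     "TargetObject": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "Details": PAYLOAD},
    {"EventID": 1, "ProcessId": 1608, "ParentProcessId": 1740, "Image": PAYLOAD,
     "CommandLine": PAYLOAD},
    {"EventID": 1, "ProcessId": 916, "ParentProcessId": 1740,
     "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{DROPPER}"'},
    {"EventID": 1, "ProcessId": 1984, "ParentProcessId": 916,
     "Image": r"C:\Windows\SysWOW64\PING.EXE", "CommandLine": "ping 127.0.0.1"},
    {"EventID": 1, "ProcessId": 2100, "ParentProcessId": 1,
     "Image": r"C:\Windows\explorer.exe", "CommandLine": "explorer.exe"},
    {"EventID": 1, "ProcessId": 2200, "ParentProcessId": 2100,
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c ping 127.0.0.1 & del /q "C:\Users\Admin\Downloads\setup.exe"'},
]

# "ping <anything> & del [/flags] <path>": the path may be quoted (group 1) or bare (group 2).
SELF_DELETE_RE = re.compile(
    r'\bping\b[^&]*&\s*del\b(?:\s+/\w+)*\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)
# Unanchored so it matches both the native key and the Wow6432Node redirected view.
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.IGNORECASE)
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)


def _norm(path: str) -> str:
    """Case-insensitive comparison form of a Windows path, quotes stripped."""
    return path.strip('"').casefold()


def find_self_delete(events: List[Dict]) -> List[Dict]:
    """Flag processes that delete their *parent's* image after a ping delay.

    Correlating with the parent is what separates the dropper's self-deletion
    from a user or script deleting some unrelated file the same way.
    """
    by_pid = {e["ProcessId"]: e for e in events if e["EventID"] == 1}
    hits = []
    for e in events:
        if e["EventID"] != 1:
            continue
        m = SELF_DELETE_RE.search(e.get("CommandLine", ""))
        if not m:
            continue
        target = _norm(m.group(1) or m.group(2))
        parent: Optional[Dict] = by_pid.get(e["ParentProcessId"])
        if parent and _norm(parent["Image"]) == target:
            hits.append({"rule": "self_delete_via_ping", "pid": e["ProcessId"],
                         "parent_pid": parent["ProcessId"], "deleted": target})
    return hits


def find_temp_run_keys(events: List[Dict]) -> List[Dict]:
    """Flag Run/RunOnce values whose data points into a user's Temp directory."""
    hits = []
    for e in events:
        if e["EventID"] != 13:
            continue
        if RUN_KEY_RE.search(e.get("TargetObject", "")) and TEMP_DIR_RE.search(e.get("Details", "")):
            hits.append({"rule": "run_key_points_to_temp", "pid": e["ProcessId"],
                         "value": e["TargetObject"], "target": e["Details"]})
    return hits


def analyze(events: List[Dict]) -> List[Dict]:
    """Run both rules and return all findings."""
    return find_self_delete(events) + find_temp_run_keys(events)


if __name__ == "__main__":
    for hit in analyze(EVENTS):
        print(hit)
```

Against the constructed events this yields exactly two findings: the cmd.exe (PID 916) deleting its parent's image (PID 1740), and the Wow6432Node Run value set by PID 1740. The explorer.exe-spawned cmd.exe deleting setup.exe is not reported, because the deleted path is not its parent's image.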
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: 204d9b808772a82244960694784d22af
SHA1: 91f5d8bd762def3c1c0a53eb7f0c7154becad32b
SHA256: dcdf239ee39570ebbd4972ad60131f953c9081d4ef4e95632b2751d41208e7a0
SHA512: a1d9e367f744b5fe679a7ff6d45540ed0a19f757e7714a03d46d41c197b1bbd17196b995075b1343c98c46722f840381862d4e638eefd0ecf4e10d7a3171f10a