Analysis
-
max time kernel
146s -
max time network
152s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
12-02-2022 03:11
Static task
static1
Behavioral task
behavioral1
Sample
185e705dbb8e46409587cd5192da2e6a6aa5db77be8c5714d1b75cf9ac9cd618.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
185e705dbb8e46409587cd5192da2e6a6aa5db77be8c5714d1b75cf9ac9cd618.exe
Resource
win10v2004-en-20220112
General
-
Target
185e705dbb8e46409587cd5192da2e6a6aa5db77be8c5714d1b75cf9ac9cd618.exe
-
Size
89KB
-
MD5
b871b7f7601a78a372241089a4370bb1
-
SHA1
14565f15d001f5f892cbf300dbb2e08dffad03fd
-
SHA256
185e705dbb8e46409587cd5192da2e6a6aa5db77be8c5714d1b75cf9ac9cd618
-
SHA512
6dae0e80913360dc492b3d3b95e086d4cbaa63583bc1a1cb553ab649e9745356dd654e5b65b061651e87205b2526556c6dea2344f1c0d7afdd5610dad74888b3
Malware Config
Signatures
-
Sakula Payload 4 IoCs
Processes:
resource yara_rule \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula behavioral1/memory/952-57-0x0000000000400000-0x000000000041B000-memory.dmp family_sakula behavioral1/memory/1664-58-0x0000000000400000-0x000000000041B000-memory.dmp family_sakula -
Executes dropped EXE 1 IoCs
Processes:
MediaCenter.exepid process 1664 MediaCenter.exe -
Deletes itself 1 IoCs
Processes:
cmd.exepid process 1004 cmd.exe -
Loads dropped DLL 1 IoCs
Processes:
185e705dbb8e46409587cd5192da2e6a6aa5db77be8c5714d1b75cf9ac9cd618.exepid process 952 185e705dbb8e46409587cd5192da2e6a6aa5db77be8c5714d1b75cf9ac9cd618.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
185e705dbb8e46409587cd5192da2e6a6aa5db77be8c5714d1b75cf9ac9cd618.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" 185e705dbb8e46409587cd5192da2e6a6aa5db77be8c5714d1b75cf9ac9cd618.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
185e705dbb8e46409587cd5192da2e6a6aa5db77be8c5714d1b75cf9ac9cd618.exedescription pid process Token: SeIncBasePriorityPrivilege 952 185e705dbb8e46409587cd5192da2e6a6aa5db77be8c5714d1b75cf9ac9cd618.exe -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
185e705dbb8e46409587cd5192da2e6a6aa5db77be8c5714d1b75cf9ac9cd618.execmd.exedescription pid process target process PID 952 wrote to memory of 1664 952 185e705dbb8e46409587cd5192da2e6a6aa5db77be8c5714d1b75cf9ac9cd618.exe MediaCenter.exe PID 952 wrote to memory of 1664 952 185e705dbb8e46409587cd5192da2e6a6aa5db77be8c5714d1b75cf9ac9cd618.exe MediaCenter.exe PID 952 wrote to memory of 1664 952 185e705dbb8e46409587cd5192da2e6a6aa5db77be8c5714d1b75cf9ac9cd618.exe MediaCenter.exe PID 952 wrote to memory of 1664 952 185e705dbb8e46409587cd5192da2e6a6aa5db77be8c5714d1b75cf9ac9cd618.exe MediaCenter.exe PID 952 wrote to memory of 1004 952 185e705dbb8e46409587cd5192da2e6a6aa5db77be8c5714d1b75cf9ac9cd618.exe cmd.exe PID 952 wrote to memory of 1004 952 185e705dbb8e46409587cd5192da2e6a6aa5db77be8c5714d1b75cf9ac9cd618.exe cmd.exe PID 952 wrote to memory of 1004 952 185e705dbb8e46409587cd5192da2e6a6aa5db77be8c5714d1b75cf9ac9cd618.exe cmd.exe PID 952 wrote to memory of 1004 952 185e705dbb8e46409587cd5192da2e6a6aa5db77be8c5714d1b75cf9ac9cd618.exe cmd.exe PID 1004 wrote to memory of 1100 1004 cmd.exe PING.EXE PID 1004 wrote to memory of 1100 1004 cmd.exe PING.EXE PID 1004 wrote to memory of 1100 1004 cmd.exe PING.EXE PID 1004 wrote to memory of 1100 1004 cmd.exe PING.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\185e705dbb8e46409587cd5192da2e6a6aa5db77be8c5714d1b75cf9ac9cd618.exe"C:\Users\Admin\AppData\Local\Temp\185e705dbb8e46409587cd5192da2e6a6aa5db77be8c5714d1b75cf9ac9cd618.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:952 -
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeC:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe2⤵
- Executes dropped EXE
PID:1664 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\185e705dbb8e46409587cd5192da2e6a6aa5db77be8c5714d1b75cf9ac9cd618.exe"2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1004 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.13⤵
- Runs ping.exe
PID:1100
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
c5021475395c715b39e3089416dbb6fd
SHA1c51893f6d21aabc60691363fb07cb3dc7b4e58b1
SHA256fae88c610429b2287db3db9b403272c0862ca0a5aebbbca3d0e7cdbf5fd6f16e
SHA51262c567470a553e870bed2ebabb450667bdc8085eea6e9316cd149f29d5de760403a7252d0cd5f27ac3db6f2b84f09774f06d92b17e4b5b395bac28caa1f6be2d
-
MD5
c5021475395c715b39e3089416dbb6fd
SHA1c51893f6d21aabc60691363fb07cb3dc7b4e58b1
SHA256fae88c610429b2287db3db9b403272c0862ca0a5aebbbca3d0e7cdbf5fd6f16e
SHA51262c567470a553e870bed2ebabb450667bdc8085eea6e9316cd149f29d5de760403a7252d0cd5f27ac3db6f2b84f09774f06d92b17e4b5b395bac28caa1f6be2d