Analysis
- max time kernel: 127s
- max time network: 159s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 03:13
Static task: static1

Behavioral task: behavioral1
- Sample: 184f98ae48e0c9e46953de1eba24a411489b8c6a4d0c773662b6822a179c6619.exe
- Resource: win7-en-20211208

Behavioral task: behavioral2
- Sample: 184f98ae48e0c9e46953de1eba24a411489b8c6a4d0c773662b6822a179c6619.exe
- Resource: win10v2004-en-20220112
General
- Target: 184f98ae48e0c9e46953de1eba24a411489b8c6a4d0c773662b6822a179c6619.exe
- Size: 80KB
- MD5: cec64bcb7938bc0315467975841036a8
- SHA1: 6ae33b649309cfb7800ec9ba73ded95355937a22
- SHA256: 184f98ae48e0c9e46953de1eba24a411489b8c6a4d0c773662b6822a179c6619
- SHA512: 70d7f023e9bc2e79c69c0eb9ca03a9154a2bf3a884e76b0d31bf8e3f12c5ac4753392587a65336f8f276783e46e6f382f516bd277c84ca9564b196f0d8fcfdff
Malware Config
Signatures
- Sakula Payload (3 IoCs)
  Processes (resource / yara_rule):
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  family_sakula
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  family_sakula

- Executes dropped EXE (1 IoC)
  Processes (pid / process):
  1528  MediaCenter.exe

- Deletes itself (1 IoC)
  Processes (pid / process):
  656  cmd.exe

- Loads dropped DLL (2 IoCs)
  Processes (pid / process):
  1520  184f98ae48e0c9e46953de1eba24a411489b8c6a4d0c773662b6822a179c6619.exe
  1520  184f98ae48e0c9e46953de1eba24a411489b8c6a4d0c773662b6822a179c6619.exe

- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description / ioc / process):
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  184f98ae48e0c9e46953de1eba24a411489b8c6a4d0c773662b6822a179c6619.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Runs ping.exe (1 TTP, 1 IoC)

- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description / pid / process):
  Token: SeIncBasePriorityPrivilege  1520  184f98ae48e0c9e46953de1eba24a411489b8c6a4d0c773662b6822a179c6619.exe

- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description / pid / process / target process):
  PID 1520 wrote to memory of 1528  1520  184f98ae48e0c9e46953de1eba24a411489b8c6a4d0c773662b6822a179c6619.exe  MediaCenter.exe
  PID 1520 wrote to memory of 1528  1520  184f98ae48e0c9e46953de1eba24a411489b8c6a4d0c773662b6822a179c6619.exe  MediaCenter.exe
  PID 1520 wrote to memory of 1528  1520  184f98ae48e0c9e46953de1eba24a411489b8c6a4d0c773662b6822a179c6619.exe  MediaCenter.exe
  PID 1520 wrote to memory of 1528  1520  184f98ae48e0c9e46953de1eba24a411489b8c6a4d0c773662b6822a179c6619.exe  MediaCenter.exe
  PID 1520 wrote to memory of 656  1520  184f98ae48e0c9e46953de1eba24a411489b8c6a4d0c773662b6822a179c6619.exe  cmd.exe
  PID 1520 wrote to memory of 656  1520  184f98ae48e0c9e46953de1eba24a411489b8c6a4d0c773662b6822a179c6619.exe  cmd.exe
  PID 1520 wrote to memory of 656  1520  184f98ae48e0c9e46953de1eba24a411489b8c6a4d0c773662b6822a179c6619.exe  cmd.exe
  PID 1520 wrote to memory of 656  1520  184f98ae48e0c9e46953de1eba24a411489b8c6a4d0c773662b6822a179c6619.exe  cmd.exe
  PID 656 wrote to memory of 1556  656  cmd.exe  PING.EXE
  PID 656 wrote to memory of 1556  656  cmd.exe  PING.EXE
  PID 656 wrote to memory of 1556  656  cmd.exe  PING.EXE
  PID 656 wrote to memory of 1556  656  cmd.exe  PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\184f98ae48e0c9e46953de1eba24a411489b8c6a4d0c773662b6822a179c6619.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\184f98ae48e0c9e46953de1eba24a411489b8c6a4d0c773662b6822a179c6619.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1520
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1528
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\184f98ae48e0c9e46953de1eba24a411489b8c6a4d0c773662b6822a179c6619.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 656
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1556
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: ec642167ca0f3270859c513f3a5fef0b
  SHA1: e3e67c59b5ef8b2ea1d32fa586cd12f861dd26e8
  SHA256: 46fe5ebee8e5077f74b47691adbe39e1c15a5ae1f4627d2a2a0c64a396b9ccc6
  SHA512: 71f7ae4bcc24db18021b89f9fa6c2faf4f7207a164db2081315147bf55b12a8f5a6f1a60af9f93a9954b14e6f0801558cc2cb0ce3cfd039cb0afc6522160ee6b