Analysis
- max time kernel: 140s
- max time network: 147s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 03:15
Static task: static1
Behavioral task: behavioral1
  Sample: 183be9177d8a2b524a9ad6d5232a235dd8373f23c1d40119880da96435457ea4.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 183be9177d8a2b524a9ad6d5232a235dd8373f23c1d40119880da96435457ea4.exe
  Resource: win10v2004-en-20220113
General
- Target: 183be9177d8a2b524a9ad6d5232a235dd8373f23c1d40119880da96435457ea4.exe
- Size: 216KB
- MD5: f36700142a35f7561561f68872e8d923
- SHA1: ad7cf346d728919e8480d2659034dea1d1a04b4b
- SHA256: 183be9177d8a2b524a9ad6d5232a235dd8373f23c1d40119880da96435457ea4
- SHA512: b0ea08183d807a170ab66ce27c71b71568e547433e636135c505156a27e84bbfc5cc33f1c2459805e07523f5de0f22f98d88430104e97606caf1fb3d71c21c8d
Malware Config
Signatures
- Sakula Payload 4 IoCs
  Processes:
  resource | yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  behavioral1/memory/1880-58-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
  behavioral1/memory/1212-59-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
- Executes dropped EXE 1 IoCs
  Processes:
  pid | process
  1212 | MediaCenter.exe
- Deletes itself 1 IoCs
  Processes:
  pid | process
  1172 | cmd.exe
- Loads dropped DLL 1 IoCs
  Processes:
  pid | process
  1880 | 183be9177d8a2b524a9ad6d5232a235dd8373f23c1d40119880da96435457ea4.exe
- Adds Run key to start application 2 TTPs 1 IoCs
  Processes:
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  process: 183be9177d8a2b524a9ad6d5232a235dd8373f23c1d40119880da96435457ea4.exe
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe 1 TTPs 1 IoCs
- Suspicious use of AdjustPrivilegeToken 1 IoCs
  Processes:
  description: Token: SeIncBasePriorityPrivilege
  pid: 1880
  process: 183be9177d8a2b524a9ad6d5232a235dd8373f23c1d40119880da96435457ea4.exe
- Suspicious use of WriteProcessMemory 12 IoCs
  Processes:
  description | pid | process | target process
  PID 1880 wrote to memory of 1212 | 1880 | 183be9177d8a2b524a9ad6d5232a235dd8373f23c1d40119880da96435457ea4.exe | MediaCenter.exe
  PID 1880 wrote to memory of 1212 | 1880 | 183be9177d8a2b524a9ad6d5232a235dd8373f23c1d40119880da96435457ea4.exe | MediaCenter.exe
  PID 1880 wrote to memory of 1212 | 1880 | 183be9177d8a2b524a9ad6d5232a235dd8373f23c1d40119880da96435457ea4.exe | MediaCenter.exe
  PID 1880 wrote to memory of 1212 | 1880 | 183be9177d8a2b524a9ad6d5232a235dd8373f23c1d40119880da96435457ea4.exe | MediaCenter.exe
  PID 1880 wrote to memory of 1172 | 1880 | 183be9177d8a2b524a9ad6d5232a235dd8373f23c1d40119880da96435457ea4.exe | cmd.exe
  PID 1880 wrote to memory of 1172 | 1880 | 183be9177d8a2b524a9ad6d5232a235dd8373f23c1d40119880da96435457ea4.exe | cmd.exe
  PID 1880 wrote to memory of 1172 | 1880 | 183be9177d8a2b524a9ad6d5232a235dd8373f23c1d40119880da96435457ea4.exe | cmd.exe
  PID 1880 wrote to memory of 1172 | 1880 | 183be9177d8a2b524a9ad6d5232a235dd8373f23c1d40119880da96435457ea4.exe | cmd.exe
  PID 1172 wrote to memory of 1036 | 1172 | cmd.exe | PING.EXE
  PID 1172 wrote to memory of 1036 | 1172 | cmd.exe | PING.EXE
  PID 1172 wrote to memory of 1036 | 1172 | cmd.exe | PING.EXE
  PID 1172 wrote to memory of 1036 | 1172 | cmd.exe | PING.EXE
Processes
[1] C:\Users\Admin\AppData\Local\Temp\183be9177d8a2b524a9ad6d5232a235dd8373f23c1d40119880da96435457ea4.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\183be9177d8a2b524a9ad6d5232a235dd8373f23c1d40119880da96435457ea4.exe"
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 1880
    [2] C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
        - Executes dropped EXE
        PID: 1212
    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\183be9177d8a2b524a9ad6d5232a235dd8373f23c1d40119880da96435457ea4.exe"
        - Deletes itself
        - Suspicious use of WriteProcessMemory
        PID: 1172
        [3] C:\Windows\SysWOW64\PING.EXE
            Command line: ping 127.0.0.1
            - Runs ping.exe
            PID: 1036
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: d2f4c74e6c4dbb43dab27310fc46ff72
  SHA1: 065993c555fb52beeaaed002015df48c5de2328b
  SHA256: 72ab3baf876cc19f7d69317fee1a02aa9b44a700369627be5afc2c7a80d15631
  SHA512: 023bfce1cf03aa7172ac0afa421916a7e7c60805357d7394c038d6b3de283187f356f343f934d385d72e8b4bf8fb7dd61569c33cea2aedb530e9ad23226f92a9