Analysis
Max time kernel: 117s
Max time network: 145s
Platform: windows7_x64
Resource: win7-en-20211208
Submitted: 12-02-2022 03:15
Static task: static1
Behavioral task: behavioral1
  Sample: 1838c7ab3a0e8aa21df6b5d74021c97d2c17e5018a4082291fd2db814793031c.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 1838c7ab3a0e8aa21df6b5d74021c97d2c17e5018a4082291fd2db814793031c.exe
  Resource: win10v2004-en-20220113
General
Target: 1838c7ab3a0e8aa21df6b5d74021c97d2c17e5018a4082291fd2db814793031c.exe
Size: 99KB
MD5: 511a9557f8f087a77143afc81ce5addf
SHA1: b1559ec3f6551e6adbcb19511096406b6f976cdb
SHA256: 1838c7ab3a0e8aa21df6b5d74021c97d2c17e5018a4082291fd2db814793031c
SHA512: 52edc6a5040242e3e4dd631ed34554179184da1eba91f8eff11341f3709687deab51c7cc459c6d86aa218be558103292d2587ad05d15a2c39e94368b4f37ac83
Malware Config
Signatures
Sakula Payload (3 IoCs)
  Resource | YARA rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
Executes dropped EXE (1 IoC)
  PID | Process
  1668 | MediaCenter.exe
Deletes itself (1 IoC)
  PID | Process
  1848 | cmd.exe
Loads dropped DLL (2 IoCs)
  PID | Process
  948 | 1838c7ab3a0e8aa21df6b5d74021c97d2c17e5018a4082291fd2db814793031c.exe
  948 | 1838c7ab3a0e8aa21df6b5d74021c97d2c17e5018a4082291fd2db814793031c.exe
Adds Run key to start application (2 TTPs, 1 IoC)
  Description | IoC | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 1838c7ab3a0e8aa21df6b5d74021c97d2c17e5018a4082291fd2db814793031c.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Runs ping.exe (1 TTP, 1 IoC)
Suspicious use of AdjustPrivilegeToken (1 IoC)
  Description | PID | Process
  Token: SeIncBasePriorityPrivilege | 948 | 1838c7ab3a0e8aa21df6b5d74021c97d2c17e5018a4082291fd2db814793031c.exe
Suspicious use of WriteProcessMemory (12 IoCs)
  Description | PID | Process | Target process
  PID 948 wrote to memory of 1668 | 948 | 1838c7ab3a0e8aa21df6b5d74021c97d2c17e5018a4082291fd2db814793031c.exe | MediaCenter.exe
  PID 948 wrote to memory of 1668 | 948 | 1838c7ab3a0e8aa21df6b5d74021c97d2c17e5018a4082291fd2db814793031c.exe | MediaCenter.exe
  PID 948 wrote to memory of 1668 | 948 | 1838c7ab3a0e8aa21df6b5d74021c97d2c17e5018a4082291fd2db814793031c.exe | MediaCenter.exe
  PID 948 wrote to memory of 1668 | 948 | 1838c7ab3a0e8aa21df6b5d74021c97d2c17e5018a4082291fd2db814793031c.exe | MediaCenter.exe
  PID 948 wrote to memory of 1848 | 948 | 1838c7ab3a0e8aa21df6b5d74021c97d2c17e5018a4082291fd2db814793031c.exe | cmd.exe
  PID 948 wrote to memory of 1848 | 948 | 1838c7ab3a0e8aa21df6b5d74021c97d2c17e5018a4082291fd2db814793031c.exe | cmd.exe
  PID 948 wrote to memory of 1848 | 948 | 1838c7ab3a0e8aa21df6b5d74021c97d2c17e5018a4082291fd2db814793031c.exe | cmd.exe
  PID 948 wrote to memory of 1848 | 948 | 1838c7ab3a0e8aa21df6b5d74021c97d2c17e5018a4082291fd2db814793031c.exe | cmd.exe
  PID 1848 wrote to memory of 1648 | 1848 | cmd.exe | PING.EXE
  PID 1848 wrote to memory of 1648 | 1848 | cmd.exe | PING.EXE
  PID 1848 wrote to memory of 1648 | 1848 | cmd.exe | PING.EXE
  PID 1848 wrote to memory of 1648 | 1848 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\1838c7ab3a0e8aa21df6b5d74021c97d2c17e5018a4082291fd2db814793031c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1838c7ab3a0e8aa21df6b5d74021c97d2c17e5018a4082291fd2db814793031c.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 948
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1668
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\1838c7ab3a0e8aa21df6b5d74021c97d2c17e5018a4082291fd2db814793031c.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1848
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1648
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: e34a28ca96be0c26c3009b46bd492ed9
SHA1: 662586f517f372a45ed99d25ec4a42461687cdd4
SHA256: 6e52287173d12a812dd492956223cb1843d0d108341985c7b6d4142d5365a8cd
SHA512: 2b4df52ed782cc02f217e6e905c060e2e9730042f9ee4ccc0b7f26b7e0ab26b714d4c716c5663d1823e47b4fff4a4fbd310d8a6f3f605dc4080b71128501124c