Analysis
max time kernel: 117s
max time network: 126s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 03:14
Static task: static1
Behavioral task: behavioral1
  Sample: 183ffedf8d1cbe414ebdbc6dc546cdbf0285ee289a784a9ecb694934ae4078e6.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 183ffedf8d1cbe414ebdbc6dc546cdbf0285ee289a784a9ecb694934ae4078e6.exe
  Resource: win10v2004-en-20220113
General
Target: 183ffedf8d1cbe414ebdbc6dc546cdbf0285ee289a784a9ecb694934ae4078e6.exe
Size: 99KB
MD5: 5965902257abe4225f4b84237065fcae
SHA1: 336e7e010d775bd47c2f40a45187f7126c1f48c3
SHA256: 183ffedf8d1cbe414ebdbc6dc546cdbf0285ee289a784a9ecb694934ae4078e6
SHA512: 0abb06fd084b7b09b2ead9e4f8ed7b178d9474701b873f18621ee48661722518a2bbd9029f9dd145fe8fdc920d3069b58a16725b422d1bf84b1d31e57a7c1670
Malware Config
Signatures

Sakula Payload (3 IoCs)
  resource                                                      yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe    family_sakula
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe    family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  family_sakula

Executes dropped EXE (1 IoC)
  pid   process
  1684  MediaCenter.exe

Deletes itself (1 IoC)
  pid   process
  1988  cmd.exe

Loads dropped DLL (2 IoCs)
  pid   process
  1748  183ffedf8d1cbe414ebdbc6dc546cdbf0285ee289a784a9ecb694934ae4078e6.exe
  1748  183ffedf8d1cbe414ebdbc6dc546cdbf0285ee289a784a9ecb694934ae4078e6.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  description      ioc                                                                                                                                                   process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  183ffedf8d1cbe414ebdbc6dc546cdbf0285ee289a784a9ecb694934ae4078e6.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTP, 1 IoC)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description                        pid   process
  Token: SeIncBasePriorityPrivilege  1748  183ffedf8d1cbe414ebdbc6dc546cdbf0285ee289a784a9ecb694934ae4078e6.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  description                       pid   process                                                                   target process
  PID 1748 wrote to memory of 1684  1748  183ffedf8d1cbe414ebdbc6dc546cdbf0285ee289a784a9ecb694934ae4078e6.exe  MediaCenter.exe
  PID 1748 wrote to memory of 1684  1748  183ffedf8d1cbe414ebdbc6dc546cdbf0285ee289a784a9ecb694934ae4078e6.exe  MediaCenter.exe
  PID 1748 wrote to memory of 1684  1748  183ffedf8d1cbe414ebdbc6dc546cdbf0285ee289a784a9ecb694934ae4078e6.exe  MediaCenter.exe
  PID 1748 wrote to memory of 1684  1748  183ffedf8d1cbe414ebdbc6dc546cdbf0285ee289a784a9ecb694934ae4078e6.exe  MediaCenter.exe
  PID 1748 wrote to memory of 1988  1748  183ffedf8d1cbe414ebdbc6dc546cdbf0285ee289a784a9ecb694934ae4078e6.exe  cmd.exe
  PID 1748 wrote to memory of 1988  1748  183ffedf8d1cbe414ebdbc6dc546cdbf0285ee289a784a9ecb694934ae4078e6.exe  cmd.exe
  PID 1748 wrote to memory of 1988  1748  183ffedf8d1cbe414ebdbc6dc546cdbf0285ee289a784a9ecb694934ae4078e6.exe  cmd.exe
  PID 1748 wrote to memory of 1988  1748  183ffedf8d1cbe414ebdbc6dc546cdbf0285ee289a784a9ecb694934ae4078e6.exe  cmd.exe
  PID 1988 wrote to memory of 1032  1988  cmd.exe                                                                   PING.EXE
  PID 1988 wrote to memory of 1032  1988  cmd.exe                                                                   PING.EXE
  PID 1988 wrote to memory of 1032  1988  cmd.exe                                                                   PING.EXE
  PID 1988 wrote to memory of 1032  1988  cmd.exe                                                                   PING.EXE
Processes

C:\Users\Admin\AppData\Local\Temp\183ffedf8d1cbe414ebdbc6dc546cdbf0285ee289a784a9ecb694934ae4078e6.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\183ffedf8d1cbe414ebdbc6dc546cdbf0285ee289a784a9ecb694934ae4078e6.exe"
  PID: 1748
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 1684
    - Executes dropped EXE

  C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\183ffedf8d1cbe414ebdbc6dc546cdbf0285ee289a784a9ecb694934ae4078e6.exe"
    PID: 1988
    - Deletes itself
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\PING.EXE
      command line: ping 127.0.0.1
      PID: 1032
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: 4bec21e4e94f79f7fb8624d5a23776e3
SHA1: 87dfbb8d6963bc77dc93ebb737d774f2126b211e
SHA256: f35dcbb83401b78142ad929ce54fac26a2d666690860dbc15735fd008a95b03c
SHA512: 933064f26bb4fd299cd4dea0e99f89434fed52819ac5a34cad3bf2174000b0a1d08f3113f7dd060c81a6727a2269c43cb83075345dbc1bb11cd59d167e5c1bc0