Analysis
max time kernel: 156s
max time network: 178s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 03:16
Static task: static1
Behavioral task: behavioral1
  Sample: 1825ba49aa1326ae4b233d1084b1df16828d0bba19491a3599eb46b30cd4c622.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 1825ba49aa1326ae4b233d1084b1df16828d0bba19491a3599eb46b30cd4c622.exe
  Resource: win10v2004-en-20220113
General
Target: 1825ba49aa1326ae4b233d1084b1df16828d0bba19491a3599eb46b30cd4c622.exe
Size: 80KB
MD5: 7fed7c619c05b394f7c954c8e7527586
SHA1: 972fff94c657faba73bfe311326ff542ed5d7df5
SHA256: 1825ba49aa1326ae4b233d1084b1df16828d0bba19491a3599eb46b30cd4c622
SHA512: 61f84f26f46c7ca59c31da3516d666c53f0a5552129fd8ad1af11d677f16f30929a77d8f6bb5d8a2db72c144d59bc4a0de9b671d4f5ea55b3e948fb4b88d850c
Malware Config
Signatures
- Sakula Payload (3 IoCs)
  Processes (resource / yara_rule):
    \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  family_sakula
    \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  family_sakula
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  family_sakula
- Executes dropped EXE (1 IoC)
  Processes (pid / process):
    1316  MediaCenter.exe
- Deletes itself (1 IoC)
  Processes (pid / process):
    1084  cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid / process):
    1600  1825ba49aa1326ae4b233d1084b1df16828d0bba19491a3599eb46b30cd4c622.exe
    1600  1825ba49aa1326ae4b233d1084b1df16828d0bba19491a3599eb46b30cd4c622.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description / ioc / process):
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  1825ba49aa1326ae4b233d1084b1df16828d0bba19491a3599eb46b30cd4c622.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description / pid / process):
    Token: SeIncBasePriorityPrivilege  1600  1825ba49aa1326ae4b233d1084b1df16828d0bba19491a3599eb46b30cd4c622.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description / pid / process / target process):
    PID 1600 wrote to memory of 1316  1600  1825ba49aa1326ae4b233d1084b1df16828d0bba19491a3599eb46b30cd4c622.exe  MediaCenter.exe
    PID 1600 wrote to memory of 1316  1600  1825ba49aa1326ae4b233d1084b1df16828d0bba19491a3599eb46b30cd4c622.exe  MediaCenter.exe
    PID 1600 wrote to memory of 1316  1600  1825ba49aa1326ae4b233d1084b1df16828d0bba19491a3599eb46b30cd4c622.exe  MediaCenter.exe
    PID 1600 wrote to memory of 1316  1600  1825ba49aa1326ae4b233d1084b1df16828d0bba19491a3599eb46b30cd4c622.exe  MediaCenter.exe
    PID 1600 wrote to memory of 1084  1600  1825ba49aa1326ae4b233d1084b1df16828d0bba19491a3599eb46b30cd4c622.exe  cmd.exe
    PID 1600 wrote to memory of 1084  1600  1825ba49aa1326ae4b233d1084b1df16828d0bba19491a3599eb46b30cd4c622.exe  cmd.exe
    PID 1600 wrote to memory of 1084  1600  1825ba49aa1326ae4b233d1084b1df16828d0bba19491a3599eb46b30cd4c622.exe  cmd.exe
    PID 1600 wrote to memory of 1084  1600  1825ba49aa1326ae4b233d1084b1df16828d0bba19491a3599eb46b30cd4c622.exe  cmd.exe
    PID 1084 wrote to memory of 780  1084  cmd.exe  PING.EXE
    PID 1084 wrote to memory of 780  1084  cmd.exe  PING.EXE
    PID 1084 wrote to memory of 780  1084  cmd.exe  PING.EXE
    PID 1084 wrote to memory of 780  1084  cmd.exe  PING.EXE
Processes
[depth 1] C:\Users\Admin\AppData\Local\Temp\1825ba49aa1326ae4b233d1084b1df16828d0bba19491a3599eb46b30cd4c622.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1825ba49aa1326ae4b233d1084b1df16828d0bba19491a3599eb46b30cd4c622.exe"
  PID: 1600
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  [depth 2] C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 1316
    - Executes dropped EXE
  [depth 2] C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\1825ba49aa1326ae4b233d1084b1df16828d0bba19491a3599eb46b30cd4c622.exe"
    PID: 1084
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    [depth 3] C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 780
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: b9e8f97340637641526b2643c3570ff5
SHA1: 90abd8009d2af251d9babf7dc06700b54d64215a
SHA256: 36ad2640182e6932ce3d3cd5036f0c745e91b4ce7ef8a80ba2e60393a495f7f0
SHA512: 4f93de824026468bac1ec2aee31229f69ec9631a268407734fd1427c8ff2f6d20ee3d3437d62f7b4d664a1c4affab17ca0c1790bd1a9212aeff6dd1866353a64