Analysis
- max time kernel: 134s
- max time network: 151s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 03:27
Static task: static1
Behavioral task: behavioral1
  Sample: 179501d7a1cd5c9592088bdbaf6d5060425a8b845ed871623d68eb3342438dc8.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 179501d7a1cd5c9592088bdbaf6d5060425a8b845ed871623d68eb3342438dc8.exe
  Resource: win10v2004-en-20220113
General
- Target: 179501d7a1cd5c9592088bdbaf6d5060425a8b845ed871623d68eb3342438dc8.exe
- Size: 192KB
- MD5: 8b909593485ed1d2d61fbf2698e19e5c
- SHA1: ed0852a5be85b416b4eaf6a6d453407c8322ab9f
- SHA256: 179501d7a1cd5c9592088bdbaf6d5060425a8b845ed871623d68eb3342438dc8
- SHA512: 8974bf3ad2a5a238c07bf8bd6e54a73cb110a3666731cfd4d223a5698011f57dbdab93d928f16891d1da30af9d6a815e0a183869cee530a1efe16c576da72eef
Malware Config
Signatures
- Sakula Payload (3 IoCs)
  Processes (resource | yara_rule):
    \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
    \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- Executes dropped EXE (1 IoC)
  Processes (pid | process):
    1404 | MediaCenter.exe
- Deletes itself (1 IoC)
  Processes (pid | process):
    396 | cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid | process):
    1144 | 179501d7a1cd5c9592088bdbaf6d5060425a8b845ed871623d68eb3342438dc8.exe
    1144 | 179501d7a1cd5c9592088bdbaf6d5060425a8b845ed871623d68eb3342438dc8.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description | ioc | process):
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 179501d7a1cd5c9592088bdbaf6d5060425a8b845ed871623d68eb3342438dc8.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description | pid | process):
    Token: SeIncBasePriorityPrivilege | 1144 | 179501d7a1cd5c9592088bdbaf6d5060425a8b845ed871623d68eb3342438dc8.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description | pid | process | target process):
    PID 1144 wrote to memory of 1404 | 1144 | 179501d7a1cd5c9592088bdbaf6d5060425a8b845ed871623d68eb3342438dc8.exe | MediaCenter.exe
    PID 1144 wrote to memory of 1404 | 1144 | 179501d7a1cd5c9592088bdbaf6d5060425a8b845ed871623d68eb3342438dc8.exe | MediaCenter.exe
    PID 1144 wrote to memory of 1404 | 1144 | 179501d7a1cd5c9592088bdbaf6d5060425a8b845ed871623d68eb3342438dc8.exe | MediaCenter.exe
    PID 1144 wrote to memory of 1404 | 1144 | 179501d7a1cd5c9592088bdbaf6d5060425a8b845ed871623d68eb3342438dc8.exe | MediaCenter.exe
    PID 1144 wrote to memory of 396 | 1144 | 179501d7a1cd5c9592088bdbaf6d5060425a8b845ed871623d68eb3342438dc8.exe | cmd.exe
    PID 1144 wrote to memory of 396 | 1144 | 179501d7a1cd5c9592088bdbaf6d5060425a8b845ed871623d68eb3342438dc8.exe | cmd.exe
    PID 1144 wrote to memory of 396 | 1144 | 179501d7a1cd5c9592088bdbaf6d5060425a8b845ed871623d68eb3342438dc8.exe | cmd.exe
    PID 1144 wrote to memory of 396 | 1144 | 179501d7a1cd5c9592088bdbaf6d5060425a8b845ed871623d68eb3342438dc8.exe | cmd.exe
    PID 396 wrote to memory of 1960 | 396 | cmd.exe | PING.EXE
    PID 396 wrote to memory of 1960 | 396 | cmd.exe | PING.EXE
    PID 396 wrote to memory of 1960 | 396 | cmd.exe | PING.EXE
    PID 396 wrote to memory of 1960 | 396 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\179501d7a1cd5c9592088bdbaf6d5060425a8b845ed871623d68eb3342438dc8.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\179501d7a1cd5c9592088bdbaf6d5060425a8b845ed871623d68eb3342438dc8.exe"
  PID: 1144
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 1404
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\179501d7a1cd5c9592088bdbaf6d5060425a8b845ed871623d68eb3342438dc8.exe"
    PID: 396
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 1960
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: a875c7ef1d4bcfc8ea4db286a72c44ff
  SHA1: 2ce857f2181150c51ffd95d57979421d0c5ee2d3
  SHA256: ead1222a4dbd9df2ea22b20e6fcf65b3bb3d0e0c0fd26384b4beba117ef1ddea
  SHA512: 87e2afbe38331b53958a58be85b5b1ac64284113b42d42fecb0a7f1428d3d1d509e774901c684fb833eaf29b17805ddb82b6235d4c422c095d78f4a7b2e94064