Analysis
max time kernel: 149s
max time network: 158s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 03:26
Static task: static1
Behavioral task: behavioral1
  Sample: 179cc2c0e87c05d0d4b27bbf861be2b1510faca1943feca14a1ed1d31877298c.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 179cc2c0e87c05d0d4b27bbf861be2b1510faca1943feca14a1ed1d31877298c.exe
  Resource: win10v2004-en-20220113
General
Target: 179cc2c0e87c05d0d4b27bbf861be2b1510faca1943feca14a1ed1d31877298c.exe
Size: 101KB
MD5: 6c83a7fedb2bdc8342aa7fa4f10e838c
SHA1: f43585baedaba2ab60aeaf48de8f3e407b06c22f
SHA256: 179cc2c0e87c05d0d4b27bbf861be2b1510faca1943feca14a1ed1d31877298c
SHA512: 9c68b0d836fd91167098c562c561d88d272c9c8cfe4af0c061a77fa9cd65d64a953241544b0f588867fe2d7b590d8eec2a53dcb551a9b6f765098fd5cd8f3ab6
Malware Config
Signatures
Sakula Payload (3 IoCs)
  resource                                                      yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe    family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  family_sakula
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe    family_sakula
Executes dropped EXE (1 IoC)
  pid  process
  268  MediaCenter.exe
Deletes itself (1 IoC)
  pid   process
  1792  cmd.exe
Loads dropped DLL (2 IoCs)
  pid   process
  1156  179cc2c0e87c05d0d4b27bbf861be2b1510faca1943feca14a1ed1d31877298c.exe
  1156  179cc2c0e87c05d0d4b27bbf861be2b1510faca1943feca14a1ed1d31877298c.exe
Adds Run key to start application (2 TTPs, 1 IoC)
  process:     179cc2c0e87c05d0d4b27bbf861be2b1510faca1943feca14a1ed1d31877298c.exe
  description: Set value (str)
  ioc:         \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic description labels this "likely ransomware behaviour", but the heuristic fires for many non-ransomware families as well; the YARA match above classifies the payload as Sakula, a remote-access trojan, so treat this hit as supporting context rather than as a ransomware indicator.

Runs ping.exe (1 TTP, 1 IoC)
Suspicious use of AdjustPrivilegeToken (1 IoC)
  pid   process                                                                  token
  1156  179cc2c0e87c05d0d4b27bbf861be2b1510faca1943feca14a1ed1d31877298c.exe    SeIncBasePriorityPrivilege
Suspicious use of WriteProcessMemory (12 IoCs)
  pid   process                                                                  target pid  target process
  1156  179cc2c0e87c05d0d4b27bbf861be2b1510faca1943feca14a1ed1d31877298c.exe    268         MediaCenter.exe
  1156  179cc2c0e87c05d0d4b27bbf861be2b1510faca1943feca14a1ed1d31877298c.exe    268         MediaCenter.exe
  1156  179cc2c0e87c05d0d4b27bbf861be2b1510faca1943feca14a1ed1d31877298c.exe    268         MediaCenter.exe
  1156  179cc2c0e87c05d0d4b27bbf861be2b1510faca1943feca14a1ed1d31877298c.exe    268         MediaCenter.exe
  1156  179cc2c0e87c05d0d4b27bbf861be2b1510faca1943feca14a1ed1d31877298c.exe    1792        cmd.exe
  1156  179cc2c0e87c05d0d4b27bbf861be2b1510faca1943feca14a1ed1d31877298c.exe    1792        cmd.exe
  1156  179cc2c0e87c05d0d4b27bbf861be2b1510faca1943feca14a1ed1d31877298c.exe    1792        cmd.exe
  1156  179cc2c0e87c05d0d4b27bbf861be2b1510faca1943feca14a1ed1d31877298c.exe    1792        cmd.exe
  1792  cmd.exe                                                                  1308        PING.EXE
  1792  cmd.exe                                                                  1308        PING.EXE
  1792  cmd.exe                                                                  1308        PING.EXE
  1792  cmd.exe                                                                  1308        PING.EXE
Processes
[1] C:\Users\Admin\AppData\Local\Temp\179cc2c0e87c05d0d4b27bbf861be2b1510faca1943feca14a1ed1d31877298c.exe  (PID 1156)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\179cc2c0e87c05d0d4b27bbf861be2b1510faca1943feca14a1ed1d31877298c.exe"
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  (PID 268)
      cmdline: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE
  [2] C:\Windows\SysWOW64\cmd.exe  (PID 1792)
      cmdline: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\179cc2c0e87c05d0d4b27bbf861be2b1510faca1943feca14a1ed1d31877298c.exe"
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      Note: the command line names System32\cmd.exe but the image path is SysWOW64\cmd.exe because the 32-bit sample is subject to WOW64 file-system redirection on this x64 guest; the same redirection is why its Run key lands under Wow6432Node. The ping against 127.0.0.1 is a delay so that the dropper has exited before del runs against its own file.
    [3] C:\Windows\SysWOW64\PING.EXE  (PID 1308)
        cmdline: ping 127.0.0.1
        - Runs ping.exe
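The process tree above is a compact dropper sequence: write a payload under the user's Temp directory, register it in a Run key, launch it, then self-delete through cmd.exe with a ping delay. As an added example (not part of the sandbox report or of any detection content the sandbox ships), the Python below runs three detections over constructed Sysmon-style process-create and registry-set events modelled on the PIDs, paths and Run-key IoC in this report, with two benign control events added so the rules have something to ignore. Event field names, the `EVENTS` list and the benign entries are assumptions made for the example.

```python
"""Detections for the chain shown in the process tree above: a dropper writes
a payload under %LOCALAPPDATA%\\Temp, registers it in a Run key, launches it,
then removes itself via "cmd /c ping 127.0.0.1 & del /q <self>".
Added example, not part of the sandbox report.  The events are constructed
from the PIDs, paths and Run-key IoC above, not copied from raw sandbox logs."""
import re

DROPPER = (r"C:\Users\Admin\AppData\Local\Temp"
           r"\179cc2c0e87c05d0d4b27bbf861be2b1510faca1943feca14a1ed1d31877298c.exe")
PAYLOAD = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

# Constructed Sysmon-style events ("process" = process create, "registry" = value set),
# modelled on the report.  The last two events are benign controls (assumed).
EVENTS = [
    {"type": "process", "pid": 900, "ppid": 1,
     "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"type": "process", "pid": 1156, "ppid": 900, "image": DROPPER, "cmdline": f'"{DROPPER}"'},
    {"type": "registry", "pid": 1156,
     "key": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "value": PAYLOAD},
    {"type": "process", "pid": 268, "ppid": 1156, "image": PAYLOAD, "cmdline": PAYLOAD},
    {"type": "process", "pid": 1792, "ppid": 1156, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{DROPPER}"'},
    {"type": "process", "pid": 1308, "ppid": 1792,
     "image": r"C:\Windows\SysWOW64\PING.EXE", "cmdline": "ping 127.0.0.1"},
    {"type": "registry", "pid": 900,
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "value": r"C:\Program Files\Vendor\Updater.exe"},
    {"type": "process", "pid": 2000, "ppid": 900, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c ping -n 3 10.0.0.5 & del /q C:\Temp\report.txt'},
]

# "del" or "erase", optional switches, then a quoted or bare path running up to
# the next command separator or the end of the line.
DEL_RE = re.compile(r'\b(?:del|erase)\b((?:\s+/\w)*)\s+"?([^"&|]+?)"?\s*(?:$|[&|])', re.I)
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.I)
# Directories a non-admin user can write to; autostart entries pointing here are suspect.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\",
                 "\\users\\public\\", "\\programdata\\")


def _procs(events):
    return {e["pid"]: e for e in events if e["type"] == "process"}


def find_self_delete(events):
    """cmd.exe children whose 'del' target is the parent's own image path."""
    procs = _procs(events)
    hits = []
    for e in events:
        if e["type"] != "process" or not e["image"].lower().endswith("\\cmd.exe"):
            continue
        m = DEL_RE.search(e["cmdline"])
        parent = procs.get(e["ppid"])
        if not m or parent is None:
            continue
        if m.group(2).strip().lower() == parent["image"].lower():
            hits.append({"rule": "parent_self_delete_via_cmd", "pid": e["pid"],
                         "parent_pid": parent["pid"], "parent_image": parent["image"],
                         # ping is the usual wait so the parent has exited before del runs
                         "delayed_with_ping": bool(re.search(r"\bping\b", e["cmdline"], re.I))})
    return hits


def find_suspicious_run_keys(events):
    """Run/RunOnce values that point into user-writable directories."""
    hits = []
    for e in events:
        if e["type"] != "registry" or not RUN_KEY_RE.search(e["key"]):
            continue
        target = e["value"].strip('"')
        if any(p in target.lower() for p in USER_WRITABLE):
            hits.append({"rule": "run_key_to_user_writable_path", "pid": e["pid"],
                         "key": e["key"], "target": target})
    return hits


def find_persist_and_launch(events):
    """Correlate: the process that wrote a suspicious Run value also spawned that binary."""
    hits = []
    for r in find_suspicious_run_keys(events):
        for e in events:
            if (e["type"] == "process" and e["ppid"] == r["pid"]
                    and e["image"].lower() == r["target"].lower()):
                hits.append({"rule": "dropped_autostart_launched", "dropper_pid": r["pid"],
                             "child_pid": e["pid"], "image": e["image"]})
    return hits


if __name__ == "__main__":
    for rule in (find_self_delete, find_suspicious_run_keys, find_persist_and_launch):
        for hit in rule(EVENTS):
            print(hit)
```

The self-delete rule keys on the parent relationship rather than on the string `ping 127.0.0.1`, so it still fires if the delay is replaced with `timeout` or a different host, and it does not fire for the benign `ping ... & del` control because that deletes a file other than the parent image. Against real telemetry, image paths should be compared after the same case folding and WOW64 normalisation shown here, since the command line says System32 while the recorded image is SysWOW64.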
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: e0a59cea5ebcf5924b456cd777072155
SHA1: c1247a4aab961ce728a920a74c4234ec2c7107c0
SHA256: 1d8d2a72cf7dc39665a2167826e40de8b715e8f7808cee45b07fad01088fa5ba
SHA512: d15c00b1994a69d9f1fe5fcd83d2a5cd604f1806e00d5be61ceed206655e70100688a89d5d4dc1d87f8abf5043b9b76dac123286445d17a370a90e728e02641a