Analysis

Max time kernel: 131s
Max time network: 160s
Platform: windows7_x64
Resource: win7-en-20211208
Submitted: 12-02-2022 03:27

Tasks
- Static task: static1
- Behavioral task: behavioral1
    Sample: 179ab139dc128b795997aa0329a35a658b8b4994119aa6d30d2fd5973420681d.exe
    Resource: win7-en-20211208
- Behavioral task: behavioral2
    Sample: 179ab139dc128b795997aa0329a35a658b8b4994119aa6d30d2fd5973420681d.exe
    Resource: win10v2004-en-20220113

The signatures and process tree below come from the windows7_x64 run (win7-en-20211208); results for the win10v2004 task are not included on this page.

General

Target: 179ab139dc128b795997aa0329a35a658b8b4994119aa6d30d2fd5973420681d.exe
Size: 191KB
MD5: 797c998b353456449c3b22fdf1b729cf
SHA1: 0318ac93c2cb82cbd3ad36df8558c5aab282fb7b
SHA256: 179ab139dc128b795997aa0329a35a658b8b4994119aa6d30d2fd5973420681d
SHA512: a2376c4d94197bc36e6a2323aa85eda92c7c8e4a0143c536fe9e6e036ba044b60b277b0dd65df65435944211c70e009e7c5860ad1f016551f5a883802470edb6
Malware Config
Signatures
Sakula Payload (3 IoCs)
  resource                                                       yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe     family_sakula
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe     family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe   family_sakula
Executes dropped EXE (1 IoCs)
  process          pid
  MediaCenter.exe  1628
Deletes itself (1 IoCs)
  process  pid
  cmd.exe  1868
Loads dropped DLL (2 IoCs)
  process                                                               pid
  179ab139dc128b795997aa0329a35a658b8b4994119aa6d30d2fd5973420681d.exe  788
  179ab139dc128b795997aa0329a35a658b8b4994119aa6d30d2fd5973420681d.exe  788
Adds Run key to start application (2 TTPs, 1 IoCs)
  Process:     179ab139dc128b795997aa0329a35a658b8b4994119aa6d30d2fd5973420681d.exe (PID 788)
  Description: Set value (str)
  Key:         \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia
  Data:        C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

The value lands under Wow6432Node because a 32-bit process writing HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run is redirected there by WOW64 registry redirection; Windows still launches entries in that key at logon, so the dropped MediaCenter.exe persists across reboots. An autostart entry under HKLM that points into a user's %LOCALAPPDATA%\Temp is a strong persistence indicator on its own.
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). The "likely ransomware behaviour" wording is the sandbox's generic description of this heuristic, not a finding specific to this sample; the only family classification on this page is the family_sakula YARA match on the dropped payload.
Runs ping.exe (1 TTPs, 1 IoCs)
  See PING.EXE (PID 1496) in the process tree below.
Suspicious use of AdjustPrivilegeToken (1 IoCs)
  process                                                               pid  token
  179ab139dc128b795997aa0329a35a658b8b4994119aa6d30d2fd5973420681d.exe  788  SeIncBasePriorityPrivilege

SeIncBasePriorityPrivilege only allows raising a process's scheduling priority; it is a low-signal indicator by itself and is listed here as corroboration rather than as a standalone detection.
Suspicious use of WriteProcessMemory (12 IoCs)
  source pid  source process                                                        target pid  target process   events
  788         179ab139dc128b795997aa0329a35a658b8b4994119aa6d30d2fd5973420681d.exe  1628        MediaCenter.exe  4
  788         179ab139dc128b795997aa0329a35a658b8b4994119aa6d30d2fd5973420681d.exe  1868        cmd.exe          4
  1868        cmd.exe                                                               1496         PING.EXE         4

Each row groups four identical "wrote to memory of" events from the original listing; all three pairs are parent-to-child writes that coincide with process creation.
Processes

C:\Users\Admin\AppData\Local\Temp\179ab139dc128b795997aa0329a35a658b8b4994119aa6d30d2fd5973420681d.exe (PID 788)
  Command line: "C:\Users\Admin\AppData\Local\Temp\179ab139dc128b795997aa0329a35a658b8b4994119aa6d30d2fd5973420681d.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 1628, child of 788)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE

  C:\Windows\SysWOW64\cmd.exe (PID 1868, child of 788)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\179ab139dc128b795997aa0329a35a658b8b4994119aa6d30d2fd5973420681d.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\PING.EXE (PID 1496, child of 1868)
      Command line: ping 127.0.0.1
      - Runs ping.exe

Two details of this tree are worth reading closely. First, the dropper removes its own file with the classic "ping 127.0.0.1 & del" idiom: cmd.exe blocks until the loopback ping finishes (four echo requests by default, about three seconds), by which time the parent has exited and released its file handle, so the del succeeds. Second, the image path is C:\Windows\SysWOW64\cmd.exe while the command line names System32: that is WOW64 file-system redirection for a 32-bit process, consistent with the Wow6432Node Run key recorded above.
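The two behaviours above (the delayed self-deletion through ping, and a Run key that points into a user's Temp directory) are easy to turn into detection logic. The script below is an added example, not part of the Triage report or the Sakula sample. The PIDs, image paths, command lines and Run key are taken from this report; the dictionary layout of the events and the two benign control entries are constructed for the example and are not the sandbox's export format.

```python
import re
from typing import Dict, List

# Constructed events modelled on the report above. PIDs, paths, command lines
# and the Run key come from the report; the dictionary layout is an assumption.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\179ab139dc128b795997aa0329a35a658b8b4994119aa6d30d2fd5973420681d.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

PROCESS_EVENTS = [
    {"pid": 788, "ppid": 0, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 1628, "ppid": 788, "image": DROPPED, "cmdline": DROPPED},
    {"pid": 1868, "ppid": 788, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"'},
    {"pid": 1496, "ppid": 1868, "image": r"C:\Windows\SysWOW64\PING.EXE",
     "cmdline": "ping 127.0.0.1"},
    # Constructed controls: a del without the ping delay, and a ping+del that
    # removes a file other than the parent's own image.
    {"pid": 2000, "ppid": 1, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c del /q C:\Build\out.log"},
    {"pid": 2001, "ppid": 1, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c ping 127.0.0.1 -n 3 & del /f "C:\Users\Admin\stage.exe"'},
]

REGISTRY_EVENTS = [
    {"pid": 788,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "value": DROPPED},
    # Constructed control: an autostart entry for an installed program.
    {"pid": 3000,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
     "value": r"C:\Program Files\Vendor\updater.exe"},
]

# A loopback ping used as a sleep, followed (after & or |) by a del.
PING_LOOPBACK = re.compile(r"\bping(?:\.exe)?\b[^&|]*?\b(?:127\.0\.0\.1|localhost)\b", re.I)
# "del [/switches] target": captures the target with or without quotes.
DEL_TARGET = re.compile(r'\bdel\b(?:\s+/\w)*\s+"?([^"&|]+?)"?\s*(?:[&|]|$)', re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.I)
USER_WRITABLE = re.compile(r"\\(?:AppData\\Local\\Temp|Temp|ProgramData|Public)\\", re.I)


def _norm(path: str) -> str:
    return path.strip().strip('"').lower()


def detect_ping_delete(events: List[Dict]) -> List[Dict]:
    """Flag command lines that delay with a loopback ping and then delete a file.
    self_delete is True when the deleted file is the parent process's own image."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        cmd = e["cmdline"]
        if not PING_LOOPBACK.search(cmd):
            continue
        m = DEL_TARGET.search(cmd)
        if not m:
            continue
        target = _norm(m.group(1))
        parent = by_pid.get(e["ppid"])
        findings.append({
            "pid": e["pid"],
            "ppid": e["ppid"],
            "deleted": target,
            "self_delete": parent is not None and _norm(parent["image"]) == target,
        })
    return findings


def detect_user_writable_run_keys(reg_events: List[Dict]) -> List[Dict]:
    """Flag Run-key values that launch a binary from a user-writable location."""
    return [
        {"pid": r["pid"], "key": r["key"], "value": r["value"]}
        for r in reg_events
        if RUN_KEY.search(r["key"]) and USER_WRITABLE.search(r["value"])
    ]


if __name__ == "__main__":
    for hit in detect_ping_delete(PROCESS_EVENTS):
        print("ping+del:", hit)
    for hit in detect_user_writable_run_keys(REGISTRY_EVENTS):
        print("run key :", hit)
```

Run against the constructed events, the ping+del check reports PID 1868 as a self-deletion (the del target equals PID 788's image) and PID 2001 as a ping+del of some other file, and ignores the plain del in PID 2000; the Run-key check reports only the MicroMedia entry. Correlating the del target with the parent's image path is what separates this dropper pattern from the many benign scripts that use ping as a sleep.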
Network
MITRE ATT&CK Enterprise v6
Downloads

One dropped file, listed three times in the original report with identical hashes (collapsed to a single entry here):
  MD5:    39229dbb7b729d050c4a56e50a094f37
  SHA1:   b1775819a49901f9a19b66ed2eb373d920feb814
  SHA256: 04d8e01b71c60cc526f90617ab177e667dceead13bf3192b55231dcd817c78f7
  SHA512: c0281703bae7f193e6429e5c0b097504f545ccc507511e2bd03f41c471a64f29d41f62a71588cd52c9b45e8c1b8436e63511906a34713e7d33eefcffda4ef58e