Analysis
Max time kernel: 152s
Max time network: 167s
Platform: windows7_x64
Resource: win7-en-20211208
Submitted: 12-02-2022 04:24
Static task: static1
Behavioral task: behavioral1
  Sample: 155dae8670dbefcd0cc855b1ee52c39ea66f23f9d68f966abd12741e74141804.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 155dae8670dbefcd0cc855b1ee52c39ea66f23f9d68f966abd12741e74141804.exe
  Resource: win10v2004-en-20220112
General
Target: 155dae8670dbefcd0cc855b1ee52c39ea66f23f9d68f966abd12741e74141804.exe
Size: 100KB
MD5: 146c4c332cabbbf8ad96fa5bd04ed4c4
SHA1: c8fcf7e23973f023be7c3f385ed3a5b455687b3f
SHA256: 155dae8670dbefcd0cc855b1ee52c39ea66f23f9d68f966abd12741e74141804
SHA512: 3eeda39bb2b3c06d512eec97a607bdff8b522a2cf1c316a284d606f0dc4ffd3a40429e04682ea5af931626ee850c83cea6492064bf350e595c787494a4395bdf
Malware Config
Signatures
Sakula Payload (3 IoCs)
  Processes:
  resource                                                        yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe      family_sakula
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe      family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe    family_sakula
Executes dropped EXE (1 IoCs)
  Processes:
  pid     process
  1472    MediaCenter.exe
Deletes itself (1 IoCs)
  Processes:
  pid     process
  768     cmd.exe
Loads dropped DLL (2 IoCs)
  Processes:
  pid     process
  1396    155dae8670dbefcd0cc855b1ee52c39ea66f23f9d68f966abd12741e74141804.exe
  1396    155dae8670dbefcd0cc855b1ee52c39ea66f23f9d68f966abd12741e74141804.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
  description        ioc                                                                                                                                                            process
  Set value (str)    \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"    155dae8670dbefcd0cc855b1ee52c39ea66f23f9d68f966abd12741e74141804.exe
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Runs ping.exe (1 TTPs, 1 IoCs)
Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
  description                          pid     process
  Token: SeIncBasePriorityPrivilege    1396    155dae8670dbefcd0cc855b1ee52c39ea66f23f9d68f966abd12741e74141804.exe
Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
  description                         pid     process                                                                   target process
  PID 1396 wrote to memory of 1472    1396    155dae8670dbefcd0cc855b1ee52c39ea66f23f9d68f966abd12741e74141804.exe    MediaCenter.exe
  PID 1396 wrote to memory of 1472    1396    155dae8670dbefcd0cc855b1ee52c39ea66f23f9d68f966abd12741e74141804.exe    MediaCenter.exe
  PID 1396 wrote to memory of 1472    1396    155dae8670dbefcd0cc855b1ee52c39ea66f23f9d68f966abd12741e74141804.exe    MediaCenter.exe
  PID 1396 wrote to memory of 1472    1396    155dae8670dbefcd0cc855b1ee52c39ea66f23f9d68f966abd12741e74141804.exe    MediaCenter.exe
  PID 1396 wrote to memory of 768     1396    155dae8670dbefcd0cc855b1ee52c39ea66f23f9d68f966abd12741e74141804.exe    cmd.exe
  PID 1396 wrote to memory of 768     1396    155dae8670dbefcd0cc855b1ee52c39ea66f23f9d68f966abd12741e74141804.exe    cmd.exe
  PID 1396 wrote to memory of 768     1396    155dae8670dbefcd0cc855b1ee52c39ea66f23f9d68f966abd12741e74141804.exe    cmd.exe
  PID 1396 wrote to memory of 768     1396    155dae8670dbefcd0cc855b1ee52c39ea66f23f9d68f966abd12741e74141804.exe    cmd.exe
  PID 768 wrote to memory of 1168     768     cmd.exe                                                                   PING.EXE
  PID 768 wrote to memory of 1168     768     cmd.exe                                                                   PING.EXE
  PID 768 wrote to memory of 1168     768     cmd.exe                                                                   PING.EXE
  PID 768 wrote to memory of 1168     768     cmd.exe                                                                   PING.EXE
Processes
[1] C:\Users\Admin\AppData\Local\Temp\155dae8670dbefcd0cc855b1ee52c39ea66f23f9d68f966abd12741e74141804.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\155dae8670dbefcd0cc855b1ee52c39ea66f23f9d68f966abd12741e74141804.exe"
    PID: 1396
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
        PID: 1472
        - Executes dropped EXE
    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\155dae8670dbefcd0cc855b1ee52c39ea66f23f9d68f966abd12741e74141804.exe"
        PID: 768
        - Deletes itself
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\PING.EXE
            Command line: ping 127.0.0.1
            PID: 1168
            - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: 0117bf94e90e83167fad9d745459a008
SHA1: aa05c30a89664e8f03580a21c1269c5b296c0b0b
SHA256: 58c0d1317da30bebad6ee1a4b83966059bed70bc578c1f2dd83729b7818de034
SHA512: 19b3b4157887214c129df308916e206a30be4ee4ffab2b5ab4670d15ddb314c82a367b593b2a65ef90ffce4d81d4727b42cfecc275f74185b271b3ce7b47e430