Analysis
- max time kernel: 138s
- max time network: 142s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 04:24
Static task: static1
Behavioral task: behavioral1
- Sample: 1559a6dfd08f3cce1c6bc2fa520ef8750b868f14951ff10d4c6038e0940da023.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 1559a6dfd08f3cce1c6bc2fa520ef8750b868f14951ff10d4c6038e0940da023.exe
- Resource: win10v2004-en-20220112
General
- Target: 1559a6dfd08f3cce1c6bc2fa520ef8750b868f14951ff10d4c6038e0940da023.exe
- Size: 216KB
- MD5: 5f70b4b2ec4e7e912361b1953e7ceee3
- SHA1: 9b3a5c74058347287b8d282af16309c7480ad317
- SHA256: 1559a6dfd08f3cce1c6bc2fa520ef8750b868f14951ff10d4c6038e0940da023
- SHA512: 4e7f654449c5060a7c08a8a81d2144e41010b6135eb5760470b1e6ec8763ea87d967fff817060ae2b8bcf3dd5fa1dd81c62e1bd0c28718a416e4a887611f14b4
Malware Config
Signatures
- Sakula Payload (4 IoCs)
  Processes:
  resource | yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  behavioral1/memory/800-58-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
  behavioral1/memory/1180-59-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
- Executes dropped EXE (1 IoC)
  Processes:
  pid | process
  1180 | MediaCenter.exe
- Deletes itself (1 IoC)
  Processes:
  pid | process
  1316 | cmd.exe
- Loads dropped DLL (1 IoC)
  Processes:
  pid | process
  800 | 1559a6dfd08f3cce1c6bc2fa520ef8750b868f14951ff10d4c6038e0940da023.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 1559a6dfd08f3cce1c6bc2fa520ef8750b868f14951ff10d4c6038e0940da023.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 800 | 1559a6dfd08f3cce1c6bc2fa520ef8750b868f14951ff10d4c6038e0940da023.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
  description | pid | process | target process
  PID 800 wrote to memory of 1180 | 800 | 1559a6dfd08f3cce1c6bc2fa520ef8750b868f14951ff10d4c6038e0940da023.exe | MediaCenter.exe
  PID 800 wrote to memory of 1180 | 800 | 1559a6dfd08f3cce1c6bc2fa520ef8750b868f14951ff10d4c6038e0940da023.exe | MediaCenter.exe
  PID 800 wrote to memory of 1180 | 800 | 1559a6dfd08f3cce1c6bc2fa520ef8750b868f14951ff10d4c6038e0940da023.exe | MediaCenter.exe
  PID 800 wrote to memory of 1180 | 800 | 1559a6dfd08f3cce1c6bc2fa520ef8750b868f14951ff10d4c6038e0940da023.exe | MediaCenter.exe
  PID 800 wrote to memory of 1316 | 800 | 1559a6dfd08f3cce1c6bc2fa520ef8750b868f14951ff10d4c6038e0940da023.exe | cmd.exe
  PID 800 wrote to memory of 1316 | 800 | 1559a6dfd08f3cce1c6bc2fa520ef8750b868f14951ff10d4c6038e0940da023.exe | cmd.exe
  PID 800 wrote to memory of 1316 | 800 | 1559a6dfd08f3cce1c6bc2fa520ef8750b868f14951ff10d4c6038e0940da023.exe | cmd.exe
  PID 800 wrote to memory of 1316 | 800 | 1559a6dfd08f3cce1c6bc2fa520ef8750b868f14951ff10d4c6038e0940da023.exe | cmd.exe
  PID 1316 wrote to memory of 1208 | 1316 | cmd.exe | PING.EXE
  PID 1316 wrote to memory of 1208 | 1316 | cmd.exe | PING.EXE
  PID 1316 wrote to memory of 1208 | 1316 | cmd.exe | PING.EXE
  PID 1316 wrote to memory of 1208 | 1316 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\1559a6dfd08f3cce1c6bc2fa520ef8750b868f14951ff10d4c6038e0940da023.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\1559a6dfd08f3cce1c6bc2fa520ef8750b868f14951ff10d4c6038e0940da023.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 800
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (level 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1180
  - C:\Windows\SysWOW64\cmd.exe (level 2)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\1559a6dfd08f3cce1c6bc2fa520ef8750b868f14951ff10d4c6038e0940da023.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1316
    - C:\Windows\SysWOW64\PING.EXE (level 3)
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1208
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: c86fc012cdfb9ae0aa119b548892d31d
  SHA1: 6240bf0163f0f24a33e9d7175833ef8b3350cf0b
  SHA256: b184cf0a73db415c934456244fb093d6a06d14b87ced5651871d9d9543aa2f0a
  SHA512: 2c1924de27df46e43ccd71e9653e185ee766153493aa772b64efa6fd8f6b6c2a8afe5db3d55474bf09659c78f53df595688049a30acb2c055689f480b1ab1ea0