Analysis
- max time kernel: 132s
- max time network: 141s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 04:25
Static task: static1
Behavioral task: behavioral1
- Sample: 1558f70cd6aa9d0e194226793357d3e5f6a53982996666edc50d4ffd4f73b98c.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 1558f70cd6aa9d0e194226793357d3e5f6a53982996666edc50d4ffd4f73b98c.exe
- Resource: win10v2004-en-20220113
General
- Target: 1558f70cd6aa9d0e194226793357d3e5f6a53982996666edc50d4ffd4f73b98c.exe
- Size: 92KB
- MD5: 37bf445c001e566c0d89e0bb5b60bae5
- SHA1: f1aed4e1afb8cfec2cf3f856e48613fccde3c4a0
- SHA256: 1558f70cd6aa9d0e194226793357d3e5f6a53982996666edc50d4ffd4f73b98c
- SHA512: 1a1a87b2ddd78db27e1edf285bd4d7046ec07b3aa34dac3c0cba72b25ca193698c3081897d7162565261de43dc0b65e40b972f9a4123aca4c33f50902dfa2613
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  Processes:
  resource | yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- Executes dropped EXE (1 IoCs)
  Processes (MediaCenter.exe):
  pid | process
  1156 | MediaCenter.exe
- Deletes itself (1 IoCs)
  Processes (cmd.exe):
  pid | process
  1052 | cmd.exe
- Loads dropped DLL (1 IoCs)
  Processes (1558f70cd6aa9d0e194226793357d3e5f6a53982996666edc50d4ffd4f73b98c.exe):
  pid | process
  1532 | 1558f70cd6aa9d0e194226793357d3e5f6a53982996666edc50d4ffd4f73b98c.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes (1558f70cd6aa9d0e194226793357d3e5f6a53982996666edc50d4ffd4f73b98c.exe):
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 1558f70cd6aa9d0e194226793357d3e5f6a53982996666edc50d4ffd4f73b98c.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes (1558f70cd6aa9d0e194226793357d3e5f6a53982996666edc50d4ffd4f73b98c.exe):
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 1532 | 1558f70cd6aa9d0e194226793357d3e5f6a53982996666edc50d4ffd4f73b98c.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (1558f70cd6aa9d0e194226793357d3e5f6a53982996666edc50d4ffd4f73b98c.exe, cmd.exe); each of the three events below is recorded four times in the report:
  description | pid | process | target process
  PID 1532 wrote to memory of 1156 | 1532 | 1558f70cd6aa9d0e194226793357d3e5f6a53982996666edc50d4ffd4f73b98c.exe | MediaCenter.exe
  PID 1532 wrote to memory of 1052 | 1532 | 1558f70cd6aa9d0e194226793357d3e5f6a53982996666edc50d4ffd4f73b98c.exe | cmd.exe
  PID 1052 wrote to memory of 1100 | 1052 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\1558f70cd6aa9d0e194226793357d3e5f6a53982996666edc50d4ffd4f73b98c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1558f70cd6aa9d0e194226793357d3e5f6a53982996666edc50d4ffd4f73b98c.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1532
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1156
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\1558f70cd6aa9d0e194226793357d3e5f6a53982996666edc50d4ffd4f73b98c.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1052
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1100
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: c0a3043b983c8b65a698402d7ca73c82
  SHA1: 93c2b5d3c9ac15bec1ca27b5c20783f52ff6d10a
  SHA256: 1c27fd59e9d881935071780767cdfbacba8c661aae6a516867964e29c9b37e01
  SHA512: fdb7ab744c5fa911447a0016eae4fb6bddebe08a928c0ef1f6a03b2a0fd5e9856776a0722c52a78950f011b50e98c28f43d6464a8d927cd5d0e5e600b8c0a4a8