Analysis
-
max time kernel
141s -
max time network
148s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
12-02-2022 04:26
Static task
static1
Behavioral task
behavioral1
Sample
154da4ea1651f37763371e91f879844420ed1c252d6a561f9e3244056ae4df4e.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
154da4ea1651f37763371e91f879844420ed1c252d6a561f9e3244056ae4df4e.exe
Resource
win10v2004-en-20220112
General
-
Target
154da4ea1651f37763371e91f879844420ed1c252d6a561f9e3244056ae4df4e.exe
-
Size
92KB
-
MD5
87c2658bb8060bcc08f026bc42a3e534
-
SHA1
d07cc63b2ef637071d3270a0bd75fce14479a3c6
-
SHA256
154da4ea1651f37763371e91f879844420ed1c252d6a561f9e3244056ae4df4e
-
SHA512
7a0283aa9ac20f893cbd3d09244aac0e180b9345b15b36887f7abe30c8facf8c7335461ee9306d7d79f08e4583a9b45453eb5e1733cc26eefa15632685986d69
Malware Config
Signatures
-
Sakula Payload 2 IoCs
Processes:
resource yara_rule \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula -
Executes dropped EXE 1 IoCs
Processes:
MediaCenter.exepid process 1032 MediaCenter.exe -
Deletes itself 1 IoCs
Processes:
cmd.exepid process 1876 cmd.exe -
Loads dropped DLL 1 IoCs
Processes:
154da4ea1651f37763371e91f879844420ed1c252d6a561f9e3244056ae4df4e.exepid process 1588 154da4ea1651f37763371e91f879844420ed1c252d6a561f9e3244056ae4df4e.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
154da4ea1651f37763371e91f879844420ed1c252d6a561f9e3244056ae4df4e.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" 154da4ea1651f37763371e91f879844420ed1c252d6a561f9e3244056ae4df4e.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
154da4ea1651f37763371e91f879844420ed1c252d6a561f9e3244056ae4df4e.exedescription pid process Token: SeIncBasePriorityPrivilege 1588 154da4ea1651f37763371e91f879844420ed1c252d6a561f9e3244056ae4df4e.exe -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
154da4ea1651f37763371e91f879844420ed1c252d6a561f9e3244056ae4df4e.execmd.exedescription pid process target process PID 1588 wrote to memory of 1032 1588 154da4ea1651f37763371e91f879844420ed1c252d6a561f9e3244056ae4df4e.exe MediaCenter.exe PID 1588 wrote to memory of 1032 1588 154da4ea1651f37763371e91f879844420ed1c252d6a561f9e3244056ae4df4e.exe MediaCenter.exe PID 1588 wrote to memory of 1032 1588 154da4ea1651f37763371e91f879844420ed1c252d6a561f9e3244056ae4df4e.exe MediaCenter.exe PID 1588 wrote to memory of 1032 1588 154da4ea1651f37763371e91f879844420ed1c252d6a561f9e3244056ae4df4e.exe MediaCenter.exe PID 1588 wrote to memory of 1876 1588 154da4ea1651f37763371e91f879844420ed1c252d6a561f9e3244056ae4df4e.exe cmd.exe PID 1588 wrote to memory of 1876 1588 154da4ea1651f37763371e91f879844420ed1c252d6a561f9e3244056ae4df4e.exe cmd.exe PID 1588 wrote to memory of 1876 1588 154da4ea1651f37763371e91f879844420ed1c252d6a561f9e3244056ae4df4e.exe cmd.exe PID 1588 wrote to memory of 1876 1588 154da4ea1651f37763371e91f879844420ed1c252d6a561f9e3244056ae4df4e.exe cmd.exe PID 1876 wrote to memory of 1784 1876 cmd.exe PING.EXE PID 1876 wrote to memory of 1784 1876 cmd.exe PING.EXE PID 1876 wrote to memory of 1784 1876 cmd.exe PING.EXE PID 1876 wrote to memory of 1784 1876 cmd.exe PING.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\154da4ea1651f37763371e91f879844420ed1c252d6a561f9e3244056ae4df4e.exe"C:\Users\Admin\AppData\Local\Temp\154da4ea1651f37763371e91f879844420ed1c252d6a561f9e3244056ae4df4e.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1588 -
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeC:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe2⤵
- Executes dropped EXE
PID:1032 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\154da4ea1651f37763371e91f879844420ed1c252d6a561f9e3244056ae4df4e.exe"2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1876 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.13⤵
- Runs ping.exe
PID:1784
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
23c6de9c982c11c746b64382c2f1712c
SHA193ebf68de0cd90b101643fc7973688d9aad25d8f
SHA25616d48e8abd5461f5e8e82021db4a85fae439ca8cb3b1228661695c4e256e719c
SHA512204ce1d66030272e01c12235662eccd369dc38f1bed8a1a5fdae544b9dc9b8675d1171e664a341bd5751f52996c6f705e9f99530737d60a46620c320afcdd961
-
MD5
23c6de9c982c11c746b64382c2f1712c
SHA193ebf68de0cd90b101643fc7973688d9aad25d8f
SHA25616d48e8abd5461f5e8e82021db4a85fae439ca8cb3b1228661695c4e256e719c
SHA512204ce1d66030272e01c12235662eccd369dc38f1bed8a1a5fdae544b9dc9b8675d1171e664a341bd5751f52996c6f705e9f99530737d60a46620c320afcdd961