Analysis
max time kernel: 149s
max time network: 170s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 04:27
Static task: static1
Behavioral task: behavioral1
  Sample: 153f7d6faeb3e9b2e13e84a4cfe12f84405bcdf81b98e047b20cfb68e50e4a04.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 153f7d6faeb3e9b2e13e84a4cfe12f84405bcdf81b98e047b20cfb68e50e4a04.exe
  Resource: win10v2004-en-20220113
General
Target: 153f7d6faeb3e9b2e13e84a4cfe12f84405bcdf81b98e047b20cfb68e50e4a04.exe
Size: 176KB
MD5: aed74dd725e4881caaef645a084da004
SHA1: 6297f56b4ecca15c5533a97b2c0f539274e56032
SHA256: 153f7d6faeb3e9b2e13e84a4cfe12f84405bcdf81b98e047b20cfb68e50e4a04
SHA512: 0f35da1a82e3ca945b6e400d3adfaf711a480f813f088da663248bdc17aae352e0f9583a91685e1c571f372840ed345f3783244a9954dcaa5f4362c7101d8789
Malware Config
Signatures

Sakula Payload (4 IoCs)
  resource                                                                      yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe                    family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe                  family_sakula
  behavioral1/memory/1540-59-0x0000000000400000-0x0000000000420000-memory.dmp  family_sakula
  behavioral1/memory/1288-60-0x0000000000400000-0x0000000000420000-memory.dmp  family_sakula
  The rule matches both the dropped MediaCenter.exe on disk and the 0x400000-0x420000 region (the default 32-bit PE image base) of the dropper (PID 1540) and of the dropped process (PID 1288), so dropper and payload carry the same Sakula code; the listed memory hits come from behavioral1 (the Windows 7 run).
Executes dropped EXE (1 IoC)
  PID 1288  MediaCenter.exe

Deletes itself (1 IoC)
  PID 1208  cmd.exe

Loads dropped DLL (1 IoC)
  PID 1540  153f7d6faeb3e9b2e13e84a4cfe12f84405bcdf81b98e047b20cfb68e50e4a04.exe
Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str) by PID 1540 (153f7d6faeb3e9b2e13e84a4cfe12f84405bcdf81b98e047b20cfb68e50e4a04.exe):
  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  The value lands under Wow6432Node because the sample is a 32-bit process on 64-bit Windows: its write to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run is redirected by WOW64 registry redirection. Detection logic keyed on the Run path should match both the native and the Wow6432Node forms. Persistence is machine-wide (HKLM), which needs administrative rights; the sandbox's Admin account supplies them.
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic description of this signature adds "likely ransomware behaviour", but nothing else in this report supports that: Sakula is a remote access trojan, and no mass file modification or ransom note appears here. Treat the drive enumeration as reconnaissance.
Runs ping.exe (1 TTPs, 1 IoC)
  PID 432  PING.EXE  ping 127.0.0.1
  As the process tree shows, the ping is launched by cmd.exe (PID 1208) ahead of "del /q" on the dropper's own path; pinging loopback is used as a short delay so the dropper has exited before the delete runs, not for network discovery.
Suspicious use of AdjustPrivilegeToken (1 IoC)
  PID 1540 (153f7d6faeb3e9b2e13e84a4cfe12f84405bcdf81b98e047b20cfb68e50e4a04.exe) adjusted token privilege SeIncBasePriorityPrivilege
Suspicious use of WriteProcessMemory (12 IoCs)
  source PID  source process                                                          target PID  target process   writes
  1540        153f7d6faeb3e9b2e13e84a4cfe12f84405bcdf81b98e047b20cfb68e50e4a04.exe   1288        MediaCenter.exe  4
  1540        153f7d6faeb3e9b2e13e84a4cfe12f84405bcdf81b98e047b20cfb68e50e4a04.exe   1208        cmd.exe          4
  1208        cmd.exe                                                                 432         PING.EXE         4
  Each row is a parent writing into a child it has just created, and the three targets are exactly the three children in the process tree, so on its own this signature is consistent with ordinary process start-up rather than injection into a foreign process. The 0x400000 region of PID 1288 that matches the Sakula rule is the image of MediaCenter.exe, which also matches on disk.
Processes
1. C:\Users\Admin\AppData\Local\Temp\153f7d6faeb3e9b2e13e84a4cfe12f84405bcdf81b98e047b20cfb68e50e4a04.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\153f7d6faeb3e9b2e13e84a4cfe12f84405bcdf81b98e047b20cfb68e50e4a04.exe"
   PID: 1540
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      PID: 1288
      - Executes dropped EXE
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\153f7d6faeb3e9b2e13e84a4cfe12f84405bcdf81b98e047b20cfb68e50e4a04.exe"
      PID: 1208
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\PING.EXE
         Command line: ping 127.0.0.1
         PID: 432
         - Runs ping.exe
The command line names System32\cmd.exe but the image that runs is SysWOW64\cmd.exe: file-system redirection for the 32-bit parent, the same WOW64 effect that put the Run value under Wow6432Node.
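Detection logic for the two behaviours this tree records, the delayed self-deletion (cmd.exe child deleting its parent's own image after a loopback ping) and the Run-key persistence pointing into a user's Temp directory, as an added example that is not part of the sandbox report or of the sample. The event shape and field names are my assumption, modelled loosely on Sysmon process-creation and registry-value-set events; the paths, PIDs and command lines are copied from the process tree above, plus one constructed benign cmd.exe line as a negative control.

```python
import re

# Constructed events (assumption: the "ProcessCreate"/"RegistryValueSet" shape and
# field names are mine, not the sandbox's). Values come from the report's process tree.
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = "153f7d6faeb3e9b2e13e84a4cfe12f84405bcdf81b98e047b20cfb68e50e4a04.exe"
EVENTS = [
    {"type": "ProcessCreate", "pid": 1540, "ppid": 900,
     "image": TEMP + "\\" + SAMPLE,
     "cmdline": '"' + TEMP + "\\" + SAMPLE + '"'},
    {"type": "RegistryValueSet", "pid": 1540,
     "target": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "details": TEMP + r"\MicroMedia\MediaCenter.exe"},
    {"type": "ProcessCreate", "pid": 1288, "ppid": 1540,
     "image": TEMP + r"\MicroMedia\MediaCenter.exe",
     "cmdline": TEMP + r"\MicroMedia\MediaCenter.exe"},
    {"type": "ProcessCreate", "pid": 1208, "ppid": 1540,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": '"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "'
                + TEMP + "\\" + SAMPLE + '"'},
    {"type": "ProcessCreate", "pid": 432, "ppid": 1208,
     "image": r"C:\Windows\SysWOW64\PING.EXE",
     "cmdline": "ping 127.0.0.1"},
    # Constructed benign control: cmd.exe deleting an unrelated file must not fire.
    {"type": "ProcessCreate", "pid": 2000, "ppid": 1540,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": '"C:\\Windows\\System32\\cmd.exe" /c del /q "' + TEMP + '\\log.txt"'},
]

# `del [/switches] "<drive>:\<path>"` running to the end of the command or the next & / |.
DEL_RE = re.compile(r'\bdel\b(?:\s+/\w+)*\s+"?([A-Za-z]:\\[^"]+?)"?\s*(?:&|\||$)', re.I)
# Native and Wow6432Node Run/RunOnce paths both contain this tail.
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.I)
USER_TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)


def find_self_deletion(events):
    """cmd.exe child whose command line deletes its parent's own image file.
    Returns (parent_pid, deleted_path, delayed_by_ping) tuples."""
    procs = {e["pid"]: e for e in events if e["type"] == "ProcessCreate"}
    hits = []
    for e in procs.values():
        if not e["image"].lower().endswith("\\cmd.exe"):
            continue
        parent = procs.get(e["ppid"])
        m = DEL_RE.search(e["cmdline"])
        if parent and m and m.group(1).lower() == parent["image"].lower():
            delayed = re.search(r"\bping\b", e["cmdline"], re.I) is not None
            hits.append((parent["pid"], m.group(1), delayed))
    return hits


def find_temp_run_keys(events):
    """Run/RunOnce value (native or Wow6432Node path) whose data points into a
    per-user Temp directory. Returns (writer_pid, value_path, target_path) tuples."""
    return [(e["pid"], e["target"], e["details"]) for e in events
            if e["type"] == "RegistryValueSet"
            and RUN_KEY_RE.search(e["target"]) and USER_TEMP_RE.search(e["details"])]


if __name__ == "__main__":
    for hit in find_self_deletion(EVENTS):
        print("self-deletion:", hit)
    for hit in find_temp_run_keys(EVENTS):
        print("temp run key:", hit)
```

The self-deletion check is tied to the parent's image path rather than to the literal "ping 127.0.0.1 & del" string, so variants that use timeout.exe or a different delay still fire as long as the child deletes its parent; the ping is reported separately as the delay indicator. The Run-key check deliberately ignores whether the path contains Wow6432Node, for the redirection reason given above.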
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: efbbd100650ff384bcff92b3abefd5f6
SHA1: 35a0a9516915e834cbeb43c2a9c85ce783dedad4
SHA256: 01f18aa9f6a6355b93f93685392e3a869ef6efe358afe203f5cd2592b2d0c0cc
SHA512: c13ed6c11e754d2482ee66ae4f18551b17c4c4f85f6b6cca8e485a27617fd1ac3671a878c1e0c5cdda0dd72bad8ba31d851f81e84d383fddd4e14ccaa22960de
The report lists this hash set twice; it is a different file from the submitted sample, whose hashes are given under General.