Analysis
- max time kernel: 122s
- max time network: 134s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 04:34
Static task: static1
Behavioral task: behavioral1
  Sample: 152a4393e9d44e487fba5d44d14a52b0b9696f393e083d428d5bc23fe4e112a3.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 152a4393e9d44e487fba5d44d14a52b0b9696f393e083d428d5bc23fe4e112a3.exe
  Resource: win10v2004-en-20220113
General
- Target: 152a4393e9d44e487fba5d44d14a52b0b9696f393e083d428d5bc23fe4e112a3.exe
- Size: 101KB
- MD5: 178c14d22d7c3b7227e1a30bbedd3058
- SHA1: 83699c94fe4f326c0075d3fe9a497e0edc3aa044
- SHA256: 152a4393e9d44e487fba5d44d14a52b0b9696f393e083d428d5bc23fe4e112a3
- SHA512: f0ce559a4aff9207554cea824e374412c523c200d48079869a52603145769ddd83dae00c013ff48cd40bab80f555637743a2241944062190ac5cbc8e8e018a66
Malware Config
Signatures
- Sakula Payload (3 IoCs)
  Processes:
  resource | yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- Executes dropped EXE (1 IoC)
  Processes: MediaCenter.exe
  pid | process
  1668 | MediaCenter.exe
- Deletes itself (1 IoC)
  Processes: cmd.exe
  pid | process
  336 | cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes: 152a4393e9d44e487fba5d44d14a52b0b9696f393e083d428d5bc23fe4e112a3.exe
  pid | process
  1500 | 152a4393e9d44e487fba5d44d14a52b0b9696f393e083d428d5bc23fe4e112a3.exe
  1500 | 152a4393e9d44e487fba5d44d14a52b0b9696f393e083d428d5bc23fe4e112a3.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: 152a4393e9d44e487fba5d44d14a52b0b9696f393e083d428d5bc23fe4e112a3.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 152a4393e9d44e487fba5d44d14a52b0b9696f393e083d428d5bc23fe4e112a3.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: 152a4393e9d44e487fba5d44d14a52b0b9696f393e083d428d5bc23fe4e112a3.exe
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 1500 | 152a4393e9d44e487fba5d44d14a52b0b9696f393e083d428d5bc23fe4e112a3.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes: 152a4393e9d44e487fba5d44d14a52b0b9696f393e083d428d5bc23fe4e112a3.exe, cmd.exe
  description | pid | process | target process
  PID 1500 wrote to memory of 1668 | 1500 | 152a4393e9d44e487fba5d44d14a52b0b9696f393e083d428d5bc23fe4e112a3.exe | MediaCenter.exe
  PID 1500 wrote to memory of 1668 | 1500 | 152a4393e9d44e487fba5d44d14a52b0b9696f393e083d428d5bc23fe4e112a3.exe | MediaCenter.exe
  PID 1500 wrote to memory of 1668 | 1500 | 152a4393e9d44e487fba5d44d14a52b0b9696f393e083d428d5bc23fe4e112a3.exe | MediaCenter.exe
  PID 1500 wrote to memory of 1668 | 1500 | 152a4393e9d44e487fba5d44d14a52b0b9696f393e083d428d5bc23fe4e112a3.exe | MediaCenter.exe
  PID 1500 wrote to memory of 336 | 1500 | 152a4393e9d44e487fba5d44d14a52b0b9696f393e083d428d5bc23fe4e112a3.exe | cmd.exe
  PID 1500 wrote to memory of 336 | 1500 | 152a4393e9d44e487fba5d44d14a52b0b9696f393e083d428d5bc23fe4e112a3.exe | cmd.exe
  PID 1500 wrote to memory of 336 | 1500 | 152a4393e9d44e487fba5d44d14a52b0b9696f393e083d428d5bc23fe4e112a3.exe | cmd.exe
  PID 1500 wrote to memory of 336 | 1500 | 152a4393e9d44e487fba5d44d14a52b0b9696f393e083d428d5bc23fe4e112a3.exe | cmd.exe
  PID 336 wrote to memory of 788 | 336 | cmd.exe | PING.EXE
  PID 336 wrote to memory of 788 | 336 | cmd.exe | PING.EXE
  PID 336 wrote to memory of 788 | 336 | cmd.exe | PING.EXE
  PID 336 wrote to memory of 788 | 336 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\152a4393e9d44e487fba5d44d14a52b0b9696f393e083d428d5bc23fe4e112a3.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\152a4393e9d44e487fba5d44d14a52b0b9696f393e083d428d5bc23fe4e112a3.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1500
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1668
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\152a4393e9d44e487fba5d44d14a52b0b9696f393e083d428d5bc23fe4e112a3.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 336
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 788
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 50acc9251a1e3b11af6878b776a6b725
  SHA1: 74f2a4767d8e16a92aa92150ccca00517dbd44be
  SHA256: 3ab2e6b5e3c329504d36c301635034b42cbdbae17d09975818599d3e52303150
  SHA512: 0ce056b518d4f733a42ba274f4b0c37c95e6b7c4404033ab255240a4cc5c3cb2557430ca7a8df5c4a7d207d1510851396e4b39eca755a55dbf3b017dc76ed393