Analysis

max time kernel: 134s
max time network: 149s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 04:32
Static task: static1

Behavioral task: behavioral1
Sample: 1539130fe2b47bb32a249080486660410041ca5bdeedec9fb4eb7f8bbcd352d3.exe
Resource: win7-en-20211208

Behavioral task: behavioral2
Sample: 1539130fe2b47bb32a249080486660410041ca5bdeedec9fb4eb7f8bbcd352d3.exe
Resource: win10v2004-en-20220112
General

Target: 1539130fe2b47bb32a249080486660410041ca5bdeedec9fb4eb7f8bbcd352d3.exe
Size: 101KB
MD5: f144973672b7ab5a353891f831f4fc90
SHA1: d7a211c65e8ab611cadbc5a1330188b29791959f
SHA256: 1539130fe2b47bb32a249080486660410041ca5bdeedec9fb4eb7f8bbcd352d3
SHA512: 1b8de4a4725619530af7c0ab04963b7fb4a205fbb20d827ee5bcb7296f0ae8e8d9c98035cacfacf66369b7e40041e053a417ccba72c3b0beae5c9e133380c552
Malware Config
Signatures

Sakula Payload (3 IoCs)
Processes:
  resource | yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula

Executes dropped EXE (1 IoC)
Processes:
  pid | process
  1532 | MediaCenter.exe

Deletes itself (1 IoC)
Processes:
  pid | process
  1072 | cmd.exe

Loads dropped DLL (2 IoCs)
Processes:
  pid | process
  1728 | 1539130fe2b47bb32a249080486660410041ca5bdeedec9fb4eb7f8bbcd352d3.exe
  1728 | 1539130fe2b47bb32a249080486660410041ca5bdeedec9fb4eb7f8bbcd352d3.exe

Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 1539130fe2b47bb32a249080486660410041ca5bdeedec9fb4eb7f8bbcd352d3.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTP, 1 IoC)

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 1728 | 1539130fe2b47bb32a249080486660410041ca5bdeedec9fb4eb7f8bbcd352d3.exe

Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
  description | pid | process | target process
  PID 1728 wrote to memory of 1532 | 1728 | 1539130fe2b47bb32a249080486660410041ca5bdeedec9fb4eb7f8bbcd352d3.exe | MediaCenter.exe (logged 4 times)
  PID 1728 wrote to memory of 1072 | 1728 | 1539130fe2b47bb32a249080486660410041ca5bdeedec9fb4eb7f8bbcd352d3.exe | cmd.exe (logged 4 times)
  PID 1072 wrote to memory of 540 | 1072 | cmd.exe | PING.EXE (logged 4 times)
Processes

Depth 1: C:\Users\Admin\AppData\Local\Temp\1539130fe2b47bb32a249080486660410041ca5bdeedec9fb4eb7f8bbcd352d3.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1539130fe2b47bb32a249080486660410041ca5bdeedec9fb4eb7f8bbcd352d3.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1728

  Depth 2: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1532

  Depth 2: C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\1539130fe2b47bb32a249080486660410041ca5bdeedec9fb4eb7f8bbcd352d3.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1072

    Depth 3: C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 540
Network
MITRE ATT&CK Enterprise v6
Downloads

MD5: 180a15f29d1e8406e0b50f56f23e14e7
SHA1: e9941af1a1c7c1e7b444eac2d83c88801c893f41
SHA256: 08f4f0fbf4c3917e17ca2c2d2b69c0ec5f0e16635763cd617842a9d65afab647
SHA512: 508d822ad0815d4f4d71244d758ad992b65b97d905cc06f4aaa8b3ef9feb816e31709ba58f6d08913302bc57d1e4a7203ca570d7617ace68971d455f5517e85d