Analysis
max time kernel: 126s
max time network: 131s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 04:33
Static task: static1
Behavioral task: behavioral1
  Sample: 15315ad1a1c64f20851edc4d18f7d3003e64b5fba4d53d23453af9f58b54ff71.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 15315ad1a1c64f20851edc4d18f7d3003e64b5fba4d53d23453af9f58b54ff71.exe
  Resource: win10v2004-en-20220113
General
Target: 15315ad1a1c64f20851edc4d18f7d3003e64b5fba4d53d23453af9f58b54ff71.exe
Size: 92KB
MD5: 457768975bbbc2ef2034824dde96a009
SHA1: 0a0e85f9231480c47f23bbc469d94176fdeed67d
SHA256: 15315ad1a1c64f20851edc4d18f7d3003e64b5fba4d53d23453af9f58b54ff71
SHA512: afc93c82a8b366272a49b734a488c00c1f8edd789cd64b348e2b44df9301afd54379f220cbde4790a1ef56491d781bccad4d54dea0d785b11c414b689fa4f7ce
Malware Config
Signatures
Sakula Payload (2 IoCs)
  resource                                                      yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe     family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe   family_sakula
Executes dropped EXE (1 IoC)
  pid    process
  1568   MediaCenter.exe
Deletes itself (1 IoC)
  pid    process
  392    cmd.exe
Loads dropped DLL (1 IoC)
  pid    process
  1308   15315ad1a1c64f20851edc4d18f7d3003e64b5fba4d53d23453af9f58b54ff71.exe
Adds Run key to start application (2 TTPs, 1 IoC)
  description       ioc                                                                                                                                                   process
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"   15315ad1a1c64f20851edc4d18f7d3003e64b5fba4d53d23453af9f58b54ff71.exe
  The value is written to the machine-wide (HKLM) Run key by a 32-bit process, so the WOW64 registry redirector stores it under Wow6432Node; the persisted path is the dropped payload in the user's Temp directory.
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  This is the sandbox's generic description for the signature; nothing else in this report (no mass file writes, no ransom note) indicates ransomware, and the payload is classified as Sakula.
Runs ping.exe (1 TTP, 1 IoC)
Suspicious use of AdjustPrivilegeToken (1 IoC)
  description                           pid    process
  Token: SeIncBasePriorityPrivilege     1308   15315ad1a1c64f20851edc4d18f7d3003e64b5fba4d53d23453af9f58b54ff71.exe
Suspicious use of WriteProcessMemory (12 IoCs)
  description                   pid    process                                                                  target process
  PID 1308 wrote to memory of 1568   1308   15315ad1a1c64f20851edc4d18f7d3003e64b5fba4d53d23453af9f58b54ff71.exe   MediaCenter.exe
  PID 1308 wrote to memory of 1568   1308   15315ad1a1c64f20851edc4d18f7d3003e64b5fba4d53d23453af9f58b54ff71.exe   MediaCenter.exe
  PID 1308 wrote to memory of 1568   1308   15315ad1a1c64f20851edc4d18f7d3003e64b5fba4d53d23453af9f58b54ff71.exe   MediaCenter.exe
  PID 1308 wrote to memory of 1568   1308   15315ad1a1c64f20851edc4d18f7d3003e64b5fba4d53d23453af9f58b54ff71.exe   MediaCenter.exe
  PID 1308 wrote to memory of 392    1308   15315ad1a1c64f20851edc4d18f7d3003e64b5fba4d53d23453af9f58b54ff71.exe   cmd.exe
  PID 1308 wrote to memory of 392    1308   15315ad1a1c64f20851edc4d18f7d3003e64b5fba4d53d23453af9f58b54ff71.exe   cmd.exe
  PID 1308 wrote to memory of 392    1308   15315ad1a1c64f20851edc4d18f7d3003e64b5fba4d53d23453af9f58b54ff71.exe   cmd.exe
  PID 1308 wrote to memory of 392    1308   15315ad1a1c64f20851edc4d18f7d3003e64b5fba4d53d23453af9f58b54ff71.exe   cmd.exe
  PID 392 wrote to memory of 784     392    cmd.exe                                                                  PING.EXE
  PID 392 wrote to memory of 784     392    cmd.exe                                                                  PING.EXE
  PID 392 wrote to memory of 784     392    cmd.exe                                                                  PING.EXE
  PID 392 wrote to memory of 784     392    cmd.exe                                                                  PING.EXE
  All twelve writes go from a parent into a child it has just spawned (four per child). Writes of this shape occur as part of ordinary process creation and, on their own, are not evidence of code injection.
Processes
C:\Users\Admin\AppData\Local\Temp\15315ad1a1c64f20851edc4d18f7d3003e64b5fba4d53d23453af9f58b54ff71.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\15315ad1a1c64f20851edc4d18f7d3003e64b5fba4d53d23453af9f58b54ff71.exe"
  PID: 1308
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 1568
    - Executes dropped EXE
  C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\15315ad1a1c64f20851edc4d18f7d3003e64b5fba4d53d23453af9f58b54ff71.exe"
    PID: 392
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\PING.EXE
      command line: ping 127.0.0.1
      PID: 784
      - Runs ping.exe
The sample is 32-bit: the command line names System32\cmd.exe, but file system redirection resolves it to SysWOW64\cmd.exe for a WOW64 process. The ping to 127.0.0.1 serves only as a short delay so that the original executable has exited before del /q removes it.
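The three behaviours worth matching on endpoint telemetry are all visible in the tree above: a cmd.exe child that pings localhost and then deletes its parent's image (Deletes itself), an executable launched from a Temp subdirectory by a parent that also lives in Temp (Executes dropped EXE), and a Run key whose data points into a user-writable directory (Adds Run key). The following Python is an added example and is not part of the sandbox report or of the sample; the event records are constructed from the process tree and the registry IoC above using assumed Sysmon-like fields (pid, ppid, image, cmdline, key, data), and the rule that any path under \Users\<name>\AppData\ counts as user-writable is an assumption.

```python
import re

# Paths transcribed from the sandbox process tree above.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\15315ad1a1c64f20851edc4d18f7d3003e64b5fba4d53d23453af9f58b54ff71.exe"
PAYLOAD = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

# Constructed events (not captured telemetry). PIDs, images and command lines
# are taken from the process tree; ppid 900 for the sample is an assumed
# launcher PID that the report does not show.
PROCESS_EVENTS = [
    {"pid": 1308, "ppid": 900, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 1568, "ppid": 1308, "image": PAYLOAD, "cmdline": PAYLOAD},
    {"pid": 392, "ppid": 1308, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"'},
    {"pid": 784, "ppid": 392, "image": r"C:\Windows\SysWOW64\PING.EXE",
     "cmdline": "ping 127.0.0.1"},
]

# Constructed registry event mirroring the "Adds Run key" IoC above.
REGISTRY_EVENTS = [
    {"pid": 1308,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "data": PAYLOAD},
]

# Assumed heuristic: anything under a user's AppData is user-writable.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)
# Run and RunOnce keys, with or without the Wow6432Node redirection prefix.
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
# "ping <addr> & del [flags] <file>": ping used as a sleep, then a delete.
# Captures the deleted path (quoted or not) so it can be compared to the parent image.
SELF_DELETE = re.compile(
    r"ping\b[^&]*&{1,2}\s*del\b.*?\"?(?P<target>[A-Za-z]:\\[^\"]+)\"?",
    re.IGNORECASE,
)


def detect(process_events, registry_events):
    """Return (rule, pid, detail) tuples for the three behaviours described above."""
    by_pid = {e["pid"]: e for e in process_events}
    findings = []

    for e in process_events:
        parent = by_pid.get(e["ppid"])
        image = e["image"].lower()

        # Deletes itself: cmd.exe whose command line deletes its parent's image.
        if image.endswith("\\cmd.exe"):
            m = SELF_DELETE.search(e["cmdline"])
            if m and parent and m.group("target").lower() == parent["image"].lower():
                findings.append(("self_delete_via_ping", e["pid"], parent["image"]))

        # Executes dropped EXE (heuristic): a user-writable executable started by a
        # parent that is itself running from a user-writable location.
        if parent and USER_WRITABLE.search(image) and USER_WRITABLE.search(parent["image"]):
            findings.append(("dropped_exe_executed", e["pid"], e["image"]))

    # Adds Run key: autostart entry whose data lives in a user-writable directory.
    for r in registry_events:
        if RUN_KEY.search(r["key"]) and USER_WRITABLE.search(r["data"]):
            findings.append(("run_key_user_writable_path", r["pid"], r["data"]))

    return findings


if __name__ == "__main__":
    for rule, pid, detail in detect(PROCESS_EVENTS, REGISTRY_EVENTS):
        print(f"{rule:28} pid={pid:<5} {detail}")
```

Comparing the deleted path against the parent's image, rather than alerting on every `ping & del`, is what keeps the first rule from firing on ordinary installer cleanup scripts; the second rule is deliberately looser and will also match legitimate per-user installers that run from AppData, so it is better used as enrichment for the other two than as a stand-alone alert.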
Network
MITRE ATT&CK Enterprise v6
Downloads
  MD5: f613ba8685b8129d19a716b31b327a03
  SHA1: be54659e28a83295dbd6310687a075e6398a9afe
  SHA256: 11ccfb8076c1a75f59a74cbeb663040737dc2a8d8b6ad8a82a41ea0f48e56b8d
  SHA512: 04a1afc7ec817705b376432b81d6f386af77cb901d3a78ab98b548f4bcb344ac7adaad9f7a8237f4a5a0f0b9644f31bad8bb9bf9325745d93a2e6994991c0c65