Analysis
- max time kernel: 137s
- max time network: 159s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 04:35

Static task: static1
Behavioral task: behavioral1
  Sample: 1512ba23e01f48e3e28b7dcd9f9baba8bda3ac39143c58bbbfb9691f13680cb7.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 1512ba23e01f48e3e28b7dcd9f9baba8bda3ac39143c58bbbfb9691f13680cb7.exe
  Resource: win10v2004-en-20220113

The signatures and process tree on this page are from the Windows 7 x64 run (behavioral1); the Windows 10 task (behavioral2) is listed but its results are not shown here.
General
- Target: 1512ba23e01f48e3e28b7dcd9f9baba8bda3ac39143c58bbbfb9691f13680cb7.exe
- Size: 99KB
- MD5: 93dac57721ec97ebcedc31cd5d81cc7d
- SHA1: 7372a3fbb8b92b5e70165ae2fa47f121975d0b9e
- SHA256: 1512ba23e01f48e3e28b7dcd9f9baba8bda3ac39143c58bbbfb9691f13680cb7
- SHA512: 8c11a54494c5e266bfdd91d0f622d2f8fd8ccdb0c96330310e5bee9ab5e5aafdea5a794086701e80d522b452d2d0b30ed3c20c11aa340e08aac825c070b1ecf2
Malware Config
Signatures
- Sakula Payload (3 IoCs)
  resource | yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- Executes dropped EXE (1 IoC)
  Processes: MediaCenter.exe
  pid | process
  1088 | MediaCenter.exe
- Deletes itself (1 IoC)
  Processes: cmd.exe
  pid | process
  1032 | cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes: 1512ba23e01f48e3e28b7dcd9f9baba8bda3ac39143c58bbbfb9691f13680cb7.exe
  pid | process
  1668 | 1512ba23e01f48e3e28b7dcd9f9baba8bda3ac39143c58bbbfb9691f13680cb7.exe
  1668 | 1512ba23e01f48e3e28b7dcd9f9baba8bda3ac39143c58bbbfb9691f13680cb7.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: 1512ba23e01f48e3e28b7dcd9f9baba8bda3ac39143c58bbbfb9691f13680cb7.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 1512ba23e01f48e3e28b7dcd9f9baba8bda3ac39143c58bbbfb9691f13680cb7.exe
  Note: the Wow6432Node key (and the SysWOW64 cmd.exe and PING.EXE images in the process tree) show that the sample is a 32-bit image running under WOW64 on the x64 sandbox. On a 32-bit Windows install the same write lands in HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, so hunt for the MicroMedia value under both paths.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  That description is the sandbox's generic text for this signature, not a verdict on the sample: nothing else in the report shows file encryption or ransom-note activity, and the YARA hits above classify the dropped payload as Sakula, a remote-access trojan. Treat the drive enumeration as reconnaissance rather than as evidence of ransomware.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: 1512ba23e01f48e3e28b7dcd9f9baba8bda3ac39143c58bbbfb9691f13680cb7.exe
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 1668 | 1512ba23e01f48e3e28b7dcd9f9baba8bda3ac39143c58bbbfb9691f13680cb7.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes: 1512ba23e01f48e3e28b7dcd9f9baba8bda3ac39143c58bbbfb9691f13680cb7.exe, cmd.exe
  description | pid | process | target process
  PID 1668 wrote to memory of 1088 | 1668 | 1512ba23e01f48e3e28b7dcd9f9baba8bda3ac39143c58bbbfb9691f13680cb7.exe | MediaCenter.exe (4 identical events)
  PID 1668 wrote to memory of 1032 | 1668 | 1512ba23e01f48e3e28b7dcd9f9baba8bda3ac39143c58bbbfb9691f13680cb7.exe | cmd.exe (4 identical events)
  PID 1032 wrote to memory of 1540 | 1032 | cmd.exe | PING.EXE (4 identical events)
  Every target here is a process that the writer itself spawned (see the process tree), which is the pattern produced by ordinary process creation; the report shows no write into a pre-existing process, so this is not by itself evidence of remote injection.
Processes
- C:\Users\Admin\AppData\Local\Temp\1512ba23e01f48e3e28b7dcd9f9baba8bda3ac39143c58bbbfb9691f13680cb7.exe (PID 1668)
  Command line: "C:\Users\Admin\AppData\Local\Temp\1512ba23e01f48e3e28b7dcd9f9baba8bda3ac39143c58bbbfb9691f13680cb7.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 1088, child of 1668)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 1032, child of 1668)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\1512ba23e01f48e3e28b7dcd9f9baba8bda3ac39143c58bbbfb9691f13680cb7.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 1540, child of 1032)
      Command line: ping 127.0.0.1
      - Runs ping.exe

The cmd.exe line is the standard self-deletion idiom: ping 127.0.0.1 stalls for a few seconds so the dropper (PID 1668) can exit and release its image, then del /q removes the original file. The image path differs from the command line (SysWOW64 versus System32) because of WOW64 file-system redirection for a 32-bit process. Once this has run, the original sample is gone from disk; what remains for host triage is the dropped MediaCenter.exe, its Run key, and the hashes in General above for retrieving the sample from the sandbox.
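Added example (not part of the sandbox report, and not Sakula's or the sandbox vendor's code): the two host-side indicators above, the Run key pointing into %TEMP% and the cmd.exe "ping then del" self-deletion, expressed as detection logic and run over constructed process and registry events modelled on this process tree. The event schema, the parent PID 1200, the benign decoy events and the ATT&CK mappings in the comments are this example's own assumptions, not values taken from the report. The self-deletion rule is written more generally than the single command line above (it also accepts ping -n N, localhost, and && chaining).

```python
import re
from typing import Dict, List, Optional

# --- Constructed sample telemetry ------------------------------------------
# Events modelled on the process tree and the Run-key write in the report.
# The dict fields are a simplified, hypothetical schema (not Sysmon's exact
# field names); map Sysmon EID 1 (process create) and EID 13 (registry value
# set) onto them in a real pipeline. PID 1200 is an assumed parent.
SAMPLE_EXE = (r"C:\Users\Admin\AppData\Local\Temp"
              r"\1512ba23e01f48e3e28b7dcd9f9baba8bda3ac39143c58bbbfb9691f13680cb7.exe")
DROPPED_EXE = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

SAMPLE_EVENTS: List[Dict] = [
    {"kind": "process", "pid": 1668, "ppid": 1200, "image": SAMPLE_EXE,
     "cmdline": '"' + SAMPLE_EXE + '"'},
    {"kind": "registry", "pid": 1668,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "data": DROPPED_EXE},
    {"kind": "process", "pid": 1088, "ppid": 1668, "image": DROPPED_EXE,
     "cmdline": DROPPED_EXE},
    {"kind": "process", "pid": 1032, "ppid": 1668,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": '"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "' + SAMPLE_EXE + '"'},
    {"kind": "process", "pid": 1540, "ppid": 1032,
     "image": r"C:\Windows\SysWOW64\PING.EXE", "cmdline": "ping 127.0.0.1"},
    # Benign noise (constructed): a temp-file cleanup without the ping delay,
    # and a vendor Run key pointing into Program Files.
    {"kind": "process", "pid": 2000, "ppid": 1200,
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c del /q "C:\Users\Admin\AppData\Local\Temp\tmp1.log"'},
    {"kind": "registry", "pid": 2100,
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "data": r'"C:\Program Files\Vendor\updater.exe" /background'},
]

# --- Detection logic --------------------------------------------------------
# "ping <loopback>" used as a sleep, then "del" of a quoted or bare path.
# Accepts "ping 127.0.0.1", "ping -n 3 127.0.0.1 > nul", "&" and "&&".
SELF_DELETE_RE = re.compile(
    r"ping\s+(?:-n\s+\d+\s+)?(?:127\.0\.0\.1|localhost)\b.*?&+\s*del"
    r"(?:\s+/\w+)*\s+(?:\"(?P<quoted>[^\"]+)\"|(?P<bare>\S+))",
    re.IGNORECASE,
)
# Run / RunOnce under either the native or the Wow6432Node view of the hive.
RUN_KEY_RE = re.compile(
    r"\\(?:Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\",
    re.IGNORECASE,
)
USER_WRITABLE_RE = re.compile(
    r"\\Users\\[^\\]+\\AppData\\|\\ProgramData\\|\\Temp\\", re.IGNORECASE
)


def extract_deleted_path(cmdline: str) -> Optional[str]:
    """Return the path a ping-then-del command line deletes, or None."""
    m = SELF_DELETE_RE.search(cmdline)
    if not m:
        return None
    return m.group("quoted") or m.group("bare")


def first_path(data: str) -> str:
    """Executable path from Run-key data, with quotes and trailing args removed."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split(" ", 1)[0] if data else ""


def find_alerts(events: List[Dict]) -> List[Dict]:
    """Run both rules over the event list and return alert records in event order."""
    by_pid = {e["pid"]: e for e in events if e["kind"] == "process"}
    alerts = []
    for e in events:
        if e["kind"] == "process":
            target = extract_deleted_path(e["cmdline"])
            if target is None:
                continue
            parent = by_pid.get(e["ppid"])
            # Deleting the parent's own image is the self-deletion idiom
            # (ATT&CK T1070.004, Indicator Removal: File Deletion).
            if parent and parent["image"].lower() == target.lower():
                alerts.append({"rule": "self_delete_via_ping", "severity": "high",
                               "pid": e["pid"], "path": target})
            else:
                alerts.append({"rule": "ping_delay_then_del", "severity": "medium",
                               "pid": e["pid"], "path": target})
        elif e["kind"] == "registry" and RUN_KEY_RE.search(e["key"]):
            # Run-key persistence (ATT&CK T1547.001) whose target lives in a
            # user-writable directory, as MediaCenter.exe does under %TEMP%.
            path = first_path(e["data"])
            if USER_WRITABLE_RE.search(path):
                alerts.append({"rule": "run_key_user_writable", "severity": "medium",
                               "pid": e["pid"], "path": path})
    return alerts


if __name__ == "__main__":
    for a in find_alerts(SAMPLE_EVENTS):
        print(f'{a["severity"]:6} {a["rule"]:24} pid={a["pid"]} {a["path"]}')
```

On the constructed events this yields two alerts, the Run key for MediaCenter.exe and the high-severity self-deletion by PID 1032, while the plain temp-file cleanup and the Program Files Run key stay quiet. The self-deletion rule is only "high" when the deleted path equals the parent's image, which is what separates a dropper covering its tracks from a script that happens to pause before deleting a file.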
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: dbc61271222fb5906f85255c4ad3d904
  SHA1: c85b4e44c62fff7b04e3317b3699b1b5064138f3
  SHA256: f31a4a128492c17abd1c44def12ed4dbf943df28072913403f4cafcefa786f9b
  SHA512: e0f7cfc2adf22006d0b3290ef3fac2f52654d4d5c61fce49fc88ce4f155ace2aa568956b12f92103126140751f91680eb0ce78dcaba69aa79b2548ef631308ed