Analysis
-
max time kernel
151s -
max time network
172s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
12-02-2022 04:34
Static task
static1
Behavioral task
behavioral1
Sample
1527bff07bff053669e60629577807db84aa1c7e029f56f3a2ba50952fd54ce8.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
1527bff07bff053669e60629577807db84aa1c7e029f56f3a2ba50952fd54ce8.exe
Resource
win10v2004-en-20220113
General
-
Target
1527bff07bff053669e60629577807db84aa1c7e029f56f3a2ba50952fd54ce8.exe
-
Size
100KB
-
MD5
44130c9141ab4240c90a6409ef3bc6f6
-
SHA1
9b226c997b72a653e5258b50ae1d42c521b59587
-
SHA256
1527bff07bff053669e60629577807db84aa1c7e029f56f3a2ba50952fd54ce8
-
SHA512
c93de25ff9a5ebb97f9e6e546f7a04a2be257a1b63ad9c3e8d13636c570231fec3e939ffbc46d2fdb8387923af0afc3297fe3449f7bb535aa3b97fbc07b9430f
Malware Config
Signatures
-
Sakula Payload 3 IoCs
Processes:
resource yara_rule \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula -
Executes dropped EXE 1 IoCs
Processes:
MediaCenter.exepid process 1288 MediaCenter.exe -
Deletes itself 1 IoCs
Processes:
cmd.exepid process 1116 cmd.exe -
Loads dropped DLL 2 IoCs
Processes:
1527bff07bff053669e60629577807db84aa1c7e029f56f3a2ba50952fd54ce8.exepid process 1540 1527bff07bff053669e60629577807db84aa1c7e029f56f3a2ba50952fd54ce8.exe 1540 1527bff07bff053669e60629577807db84aa1c7e029f56f3a2ba50952fd54ce8.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
1527bff07bff053669e60629577807db84aa1c7e029f56f3a2ba50952fd54ce8.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" 1527bff07bff053669e60629577807db84aa1c7e029f56f3a2ba50952fd54ce8.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
1527bff07bff053669e60629577807db84aa1c7e029f56f3a2ba50952fd54ce8.exedescription pid process Token: SeIncBasePriorityPrivilege 1540 1527bff07bff053669e60629577807db84aa1c7e029f56f3a2ba50952fd54ce8.exe -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
1527bff07bff053669e60629577807db84aa1c7e029f56f3a2ba50952fd54ce8.execmd.exedescription pid process target process PID 1540 wrote to memory of 1288 1540 1527bff07bff053669e60629577807db84aa1c7e029f56f3a2ba50952fd54ce8.exe MediaCenter.exe PID 1540 wrote to memory of 1288 1540 1527bff07bff053669e60629577807db84aa1c7e029f56f3a2ba50952fd54ce8.exe MediaCenter.exe PID 1540 wrote to memory of 1288 1540 1527bff07bff053669e60629577807db84aa1c7e029f56f3a2ba50952fd54ce8.exe MediaCenter.exe PID 1540 wrote to memory of 1288 1540 1527bff07bff053669e60629577807db84aa1c7e029f56f3a2ba50952fd54ce8.exe MediaCenter.exe PID 1540 wrote to memory of 1116 1540 1527bff07bff053669e60629577807db84aa1c7e029f56f3a2ba50952fd54ce8.exe cmd.exe PID 1540 wrote to memory of 1116 1540 1527bff07bff053669e60629577807db84aa1c7e029f56f3a2ba50952fd54ce8.exe cmd.exe PID 1540 wrote to memory of 1116 1540 1527bff07bff053669e60629577807db84aa1c7e029f56f3a2ba50952fd54ce8.exe cmd.exe PID 1540 wrote to memory of 1116 1540 1527bff07bff053669e60629577807db84aa1c7e029f56f3a2ba50952fd54ce8.exe cmd.exe PID 1116 wrote to memory of 1048 1116 cmd.exe PING.EXE PID 1116 wrote to memory of 1048 1116 cmd.exe PING.EXE PID 1116 wrote to memory of 1048 1116 cmd.exe PING.EXE PID 1116 wrote to memory of 1048 1116 cmd.exe PING.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\1527bff07bff053669e60629577807db84aa1c7e029f56f3a2ba50952fd54ce8.exe"C:\Users\Admin\AppData\Local\Temp\1527bff07bff053669e60629577807db84aa1c7e029f56f3a2ba50952fd54ce8.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1540 -
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeC:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe2⤵
- Executes dropped EXE
PID:1288 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\1527bff07bff053669e60629577807db84aa1c7e029f56f3a2ba50952fd54ce8.exe"2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1116 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.13⤵
- Runs ping.exe
PID:1048
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
25ae0e2f5ca3763b3ab9a08ef1be3991
SHA1b4b3d3eaba984bdd280721accf5f615527f45354
SHA256607d5c2a3d7e1095ac567c7158f72b5cfb3e13e0371713e36ba30ca9610118b9
SHA512c185837f740a6b3ef78eaf9cbc714ba1def927e23af45659b90973396c94a0ae69182d51d5a175c36ecfc992c3fdbc17ba4bf91ddb6185711388c21e85a089a3
-
MD5
25ae0e2f5ca3763b3ab9a08ef1be3991
SHA1b4b3d3eaba984bdd280721accf5f615527f45354
SHA256607d5c2a3d7e1095ac567c7158f72b5cfb3e13e0371713e36ba30ca9610118b9
SHA512c185837f740a6b3ef78eaf9cbc714ba1def927e23af45659b90973396c94a0ae69182d51d5a175c36ecfc992c3fdbc17ba4bf91ddb6185711388c21e85a089a3
-
MD5
25ae0e2f5ca3763b3ab9a08ef1be3991
SHA1b4b3d3eaba984bdd280721accf5f615527f45354
SHA256607d5c2a3d7e1095ac567c7158f72b5cfb3e13e0371713e36ba30ca9610118b9
SHA512c185837f740a6b3ef78eaf9cbc714ba1def927e23af45659b90973396c94a0ae69182d51d5a175c36ecfc992c3fdbc17ba4bf91ddb6185711388c21e85a089a3