Analysis
- max time kernel: 119s
- max time network: 128s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 04:34
Static task: static1
Behavioral task: behavioral1
- Sample: 15278a44d499d78e01476b832cf58f52bb695e60868ffb3b68073aa66def4791.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 15278a44d499d78e01476b832cf58f52bb695e60868ffb3b68073aa66def4791.exe
- Resource: win10v2004-en-20220113
General
- Target: 15278a44d499d78e01476b832cf58f52bb695e60868ffb3b68073aa66def4791.exe
- Size: 79KB
- MD5: f5cc0e973c02c8c642354b22cfa6a50f
- SHA1: 6d4e2d28c27e21530144f5b146606c52562ec967
- SHA256: 15278a44d499d78e01476b832cf58f52bb695e60868ffb3b68073aa66def4791
- SHA512: 9209901dcdde7ef39f755a1815e30f5d2dacb0cbb0cfb418fa8fba3c173226be572f019d4185eb2ea83b8b33ea629374dccccd512c0d418645d42f3d694273d2
Malware Config
Signatures
- Sakula Payload (3 IoCs)
  Processes (resource | yara_rule):
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- Executes dropped EXE (1 IoC)
  Processes (pid | process):
  268 | MediaCenter.exe
- Deletes itself (1 IoC)
  Processes (pid | process):
  2016 | cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid | process):
  1860 | 15278a44d499d78e01476b832cf58f52bb695e60868ffb3b68073aa66def4791.exe
  1860 | 15278a44d499d78e01476b832cf58f52bb695e60868ffb3b68073aa66def4791.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description | ioc | process):
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 15278a44d499d78e01476b832cf58f52bb695e60868ffb3b68073aa66def4791.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description | pid | process):
  Token: SeIncBasePriorityPrivilege | 1860 | 15278a44d499d78e01476b832cf58f52bb695e60868ffb3b68073aa66def4791.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description | pid | process | target process):
  PID 1860 wrote to memory of 268 | 1860 | 15278a44d499d78e01476b832cf58f52bb695e60868ffb3b68073aa66def4791.exe | MediaCenter.exe
  PID 1860 wrote to memory of 268 | 1860 | 15278a44d499d78e01476b832cf58f52bb695e60868ffb3b68073aa66def4791.exe | MediaCenter.exe
  PID 1860 wrote to memory of 268 | 1860 | 15278a44d499d78e01476b832cf58f52bb695e60868ffb3b68073aa66def4791.exe | MediaCenter.exe
  PID 1860 wrote to memory of 268 | 1860 | 15278a44d499d78e01476b832cf58f52bb695e60868ffb3b68073aa66def4791.exe | MediaCenter.exe
  PID 1860 wrote to memory of 2016 | 1860 | 15278a44d499d78e01476b832cf58f52bb695e60868ffb3b68073aa66def4791.exe | cmd.exe
  PID 1860 wrote to memory of 2016 | 1860 | 15278a44d499d78e01476b832cf58f52bb695e60868ffb3b68073aa66def4791.exe | cmd.exe
  PID 1860 wrote to memory of 2016 | 1860 | 15278a44d499d78e01476b832cf58f52bb695e60868ffb3b68073aa66def4791.exe | cmd.exe
  PID 1860 wrote to memory of 2016 | 1860 | 15278a44d499d78e01476b832cf58f52bb695e60868ffb3b68073aa66def4791.exe | cmd.exe
  PID 2016 wrote to memory of 1968 | 2016 | cmd.exe | PING.EXE
  PID 2016 wrote to memory of 1968 | 2016 | cmd.exe | PING.EXE
  PID 2016 wrote to memory of 1968 | 2016 | cmd.exe | PING.EXE
  PID 2016 wrote to memory of 1968 | 2016 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\15278a44d499d78e01476b832cf58f52bb695e60868ffb3b68073aa66def4791.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\15278a44d499d78e01476b832cf58f52bb695e60868ffb3b68073aa66def4791.exe"
  PID: 1860
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 268
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\15278a44d499d78e01476b832cf58f52bb695e60868ffb3b68073aa66def4791.exe"
    PID: 2016
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 1968
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 064333aa2899051c0b31cb11c0d090b7
  SHA1: f8ab3168ae8cb3b6882203579a55430640b54c77
  SHA256: 8b838b9b4a3cd1ac0bc3f6d007819739459134a7e8aa080c369d9397b9a77d87
  SHA512: ceeb3b0dc4feaf0c4f6c4ee966e403906951a4ac8ff4e4a7792168d333528b993191124c06181ff9d03a38af64a5c1623a2479cf5fc799ba4cf045e79a288dd8