Analysis
- max time kernel: 152s
- max time network: 169s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 04:36
Static task: static1
Behavioral task: behavioral1
- Sample: 150bc2583b8549c4f3d2e44fc61e954bc3e96f76042c6d423850c547d79a7d51.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 150bc2583b8549c4f3d2e44fc61e954bc3e96f76042c6d423850c547d79a7d51.exe
- Resource: win10v2004-en-20220113
General
- Target: 150bc2583b8549c4f3d2e44fc61e954bc3e96f76042c6d423850c547d79a7d51.exe
- Size: 99KB
- MD5: 322ede0568168c9c86e91624dd80ed95
- SHA1: 6e5c2728bbcfdf239a765338bb0609d0f013f732
- SHA256: 150bc2583b8549c4f3d2e44fc61e954bc3e96f76042c6d423850c547d79a7d51
- SHA512: ccfb6a9d6a2a996e6ac1929e51f4be8ca2462d44de24774f3cb5da12bfa33c480778ef06a2c1c9bfe059f176ad44659dc652da716bd8d3ee6c796fa7b7397eac
Malware Config
Signatures
- Sakula Payload (3 IoCs)
  Processes:
  resource | yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- Executes dropped EXE (1 IoC)
  Processes: MediaCenter.exe
  pid | process
  332 | MediaCenter.exe
- Deletes itself (1 IoC)
  Processes: cmd.exe
  pid | process
  1864 | cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes: 150bc2583b8549c4f3d2e44fc61e954bc3e96f76042c6d423850c547d79a7d51.exe
  pid | process
  1404 | 150bc2583b8549c4f3d2e44fc61e954bc3e96f76042c6d423850c547d79a7d51.exe
  1404 | 150bc2583b8549c4f3d2e44fc61e954bc3e96f76042c6d423850c547d79a7d51.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: 150bc2583b8549c4f3d2e44fc61e954bc3e96f76042c6d423850c547d79a7d51.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 150bc2583b8549c4f3d2e44fc61e954bc3e96f76042c6d423850c547d79a7d51.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: 150bc2583b8549c4f3d2e44fc61e954bc3e96f76042c6d423850c547d79a7d51.exe
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 1404 | 150bc2583b8549c4f3d2e44fc61e954bc3e96f76042c6d423850c547d79a7d51.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes: 150bc2583b8549c4f3d2e44fc61e954bc3e96f76042c6d423850c547d79a7d51.exe, cmd.exe
  description | pid | process | target process
  PID 1404 wrote to memory of 332 | 1404 | 150bc2583b8549c4f3d2e44fc61e954bc3e96f76042c6d423850c547d79a7d51.exe | MediaCenter.exe
  PID 1404 wrote to memory of 332 | 1404 | 150bc2583b8549c4f3d2e44fc61e954bc3e96f76042c6d423850c547d79a7d51.exe | MediaCenter.exe
  PID 1404 wrote to memory of 332 | 1404 | 150bc2583b8549c4f3d2e44fc61e954bc3e96f76042c6d423850c547d79a7d51.exe | MediaCenter.exe
  PID 1404 wrote to memory of 332 | 1404 | 150bc2583b8549c4f3d2e44fc61e954bc3e96f76042c6d423850c547d79a7d51.exe | MediaCenter.exe
  PID 1404 wrote to memory of 1864 | 1404 | 150bc2583b8549c4f3d2e44fc61e954bc3e96f76042c6d423850c547d79a7d51.exe | cmd.exe
  PID 1404 wrote to memory of 1864 | 1404 | 150bc2583b8549c4f3d2e44fc61e954bc3e96f76042c6d423850c547d79a7d51.exe | cmd.exe
  PID 1404 wrote to memory of 1864 | 1404 | 150bc2583b8549c4f3d2e44fc61e954bc3e96f76042c6d423850c547d79a7d51.exe | cmd.exe
  PID 1404 wrote to memory of 1864 | 1404 | 150bc2583b8549c4f3d2e44fc61e954bc3e96f76042c6d423850c547d79a7d51.exe | cmd.exe
  PID 1864 wrote to memory of 1948 | 1864 | cmd.exe | PING.EXE
  PID 1864 wrote to memory of 1948 | 1864 | cmd.exe | PING.EXE
  PID 1864 wrote to memory of 1948 | 1864 | cmd.exe | PING.EXE
  PID 1864 wrote to memory of 1948 | 1864 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\150bc2583b8549c4f3d2e44fc61e954bc3e96f76042c6d423850c547d79a7d51.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\150bc2583b8549c4f3d2e44fc61e954bc3e96f76042c6d423850c547d79a7d51.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1404
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (level 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 332
  - C:\Windows\SysWOW64\cmd.exe (level 2)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\150bc2583b8549c4f3d2e44fc61e954bc3e96f76042c6d423850c547d79a7d51.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1864
    - C:\Windows\SysWOW64\PING.EXE (level 3)
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1948
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: f1b650c6c7b97fa86c8e61564f9b3f36
- SHA1: c9a18091d042ae2df983e5ca669486a16f8e5651
- SHA256: 3f11471ff43526ca2f1f328007f3a02abb303e185254a5e0a44af05df1571ea2
- SHA512: 767e2a2b8501a2ed6bd0f1eddf6735ffb39ff7869ec112ccc949ceaa80350798edc21b07e61364455a959396f415ed93f9956c15feeffd4b79684cacdd397b91