Analysis
- max time kernel: 122s
- max time network: 135s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 04:38
Static task: static1
Behavioral task: behavioral1
  Sample: 14ee479c6330bd4b9a16ab07de3b91bb5071b2d7c0ebe1cfe6c53731e8ffc29f.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 14ee479c6330bd4b9a16ab07de3b91bb5071b2d7c0ebe1cfe6c53731e8ffc29f.exe
  Resource: win10v2004-en-20220113
General
- Target: 14ee479c6330bd4b9a16ab07de3b91bb5071b2d7c0ebe1cfe6c53731e8ffc29f.exe
- Size: 99KB
- MD5: 36b3c2565a74b4c077f7e31d582c1491
- SHA1: 080e4ab9c0801bf1cbdbbd3a374c890375eb0f32
- SHA256: 14ee479c6330bd4b9a16ab07de3b91bb5071b2d7c0ebe1cfe6c53731e8ffc29f
- SHA512: 2e492e4385cdd59c298005a0bd7973a2406752b9bfcb6c0858069ad0a41bcc60861f403e9619409cc630b434689aad9fccfcbc79664d05c81a9eea58d3617268
Malware Config
Signatures
- Sakula Payload (3 IoCs)
  Processes (resource / yara_rule):
    \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe / family_sakula
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe / family_sakula
    \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe / family_sakula
- Executes dropped EXE (1 IoC)
  Processes (pid / process):
    1084 / MediaCenter.exe
- Deletes itself (1 IoC)
  Processes (pid / process):
    1180 / cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid / process):
    1292 / 14ee479c6330bd4b9a16ab07de3b91bb5071b2d7c0ebe1cfe6c53731e8ffc29f.exe
    1292 / 14ee479c6330bd4b9a16ab07de3b91bb5071b2d7c0ebe1cfe6c53731e8ffc29f.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description / ioc / process):
    Set value (str) / \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" / 14ee479c6330bd4b9a16ab07de3b91bb5071b2d7c0ebe1cfe6c53731e8ffc29f.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description / pid / process):
    Token: SeIncBasePriorityPrivilege / 1292 / 14ee479c6330bd4b9a16ab07de3b91bb5071b2d7c0ebe1cfe6c53731e8ffc29f.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description / pid / process / target process), each entry recorded 4 times:
    PID 1292 wrote to memory of 1084 / 1292 / 14ee479c6330bd4b9a16ab07de3b91bb5071b2d7c0ebe1cfe6c53731e8ffc29f.exe / MediaCenter.exe
    PID 1292 wrote to memory of 1180 / 1292 / 14ee479c6330bd4b9a16ab07de3b91bb5071b2d7c0ebe1cfe6c53731e8ffc29f.exe / cmd.exe
    PID 1180 wrote to memory of 1096 / 1180 / cmd.exe / PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\14ee479c6330bd4b9a16ab07de3b91bb5071b2d7c0ebe1cfe6c53731e8ffc29f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\14ee479c6330bd4b9a16ab07de3b91bb5071b2d7c0ebe1cfe6c53731e8ffc29f.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1292
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1084
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\14ee479c6330bd4b9a16ab07de3b91bb5071b2d7c0ebe1cfe6c53731e8ffc29f.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1180
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1096
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: f588a36d42f058b77c9a860e680d2d44
  SHA1: a65f3b0d7d5a30513de1cdb6f1e6e3c81f3f6213
  SHA256: 51ab404fa7f4bf090ff68749a617088ee82ad71ca636c202db1c02785fc9f978
  SHA512: 8c26fcaa01f2b049118d98073e7266885864b4cdbdb39e8ad0af8b8395855c641eae331d1b25a4a386dc232f3771cfc184fa28abc81383234223c6b2f7c54042