Analysis
  max time kernel:  146s
  max time network: 158s
  platform:         windows7_x64
  resource:         win7-en-20211208
  submitted:        12-02-2022 04:38

Static task: static1
Behavioral task: behavioral1
  Sample:   14e744c9759714fd03ae78d429533bf6b713070c99521a9e07078b4caeb0fc70.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample:   14e744c9759714fd03ae78d429533bf6b713070c99521a9e07078b4caeb0fc70.exe
  Resource: win10v2004-en-20220113
General
  Target: 14e744c9759714fd03ae78d429533bf6b713070c99521a9e07078b4caeb0fc70.exe
  Size:   80KB
  MD5:    c0d47c2a5429038de9451d5889273865
  SHA1:   57c45960d162a747a1832acede69a995dc71a43a
  SHA256: 14e744c9759714fd03ae78d429533bf6b713070c99521a9e07078b4caeb0fc70
  SHA512: de88995e06486cea8cca5655f03c4a58146f12c532ce5de650ad1beb722217f3b77555be50887d8ee0f07f98a324c474b5cb0f86443b82dcab109f7410d1fece
Malware Config
Signatures

Sakula Payload (3 IoCs)
  resource                                                      yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe    family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  family_sakula
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe    family_sakula

Executes dropped EXE (1 IoC)
  pid   process
  1480  MediaCenter.exe

Deletes itself (1 IoC)
  pid   process
  1788  cmd.exe

Loads dropped DLL (2 IoCs)
  pid   process
  780   14e744c9759714fd03ae78d429533bf6b713070c99521a9e07078b4caeb0fc70.exe
  780   14e744c9759714fd03ae78d429533bf6b713070c99521a9e07078b4caeb0fc70.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  description      ioc                                                                                     process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  14e744c9759714fd03ae78d429533bf6b713070c99521a9e07078b4caeb0fc70.exe
Enumerates physical storage devices (1 TTP)
  The sample attempts to interact with connected storage/optical drives. The sandbox's generic description for this signature is "likely ransomware behaviour"; the signature is a heuristic and is not specific to this family.
Runs ping.exe (1 TTP, 1 IoC)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description                      pid  process
  Token: SeIncBasePriorityPrivilege 780  14e744c9759714fd03ae78d429533bf6b713070c99521a9e07078b4caeb0fc70.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  source pid  source process                                                            target pid  target process  calls
  780         14e744c9759714fd03ae78d429533bf6b713070c99521a9e07078b4caeb0fc70.exe     1480        MediaCenter.exe 4
  780         14e744c9759714fd03ae78d429533bf6b713070c99521a9e07078b4caeb0fc70.exe     1788        cmd.exe         4
  1788        cmd.exe                                                                   1524        PING.EXE        4
Processes

1. C:\Users\Admin\AppData\Local\Temp\14e744c9759714fd03ae78d429533bf6b713070c99521a9e07078b4caeb0fc70.exe  (PID 780)
   Command line: "C:\Users\Admin\AppData\Local\Temp\14e744c9759714fd03ae78d429533bf6b713070c99521a9e07078b4caeb0fc70.exe"
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  (PID 1480, parent 780)
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE

   2. C:\Windows\SysWOW64\cmd.exe  (PID 1788, parent 780)
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\14e744c9759714fd03ae78d429533bf6b713070c99521a9e07078b4caeb0fc70.exe"
      - Deletes itself
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\PING.EXE  (PID 1524, parent 1788)
         Command line: ping 127.0.0.1
         - Runs ping.exe

The command line names C:\Windows\System32\cmd.exe but the process image is C:\Windows\SysWOW64\cmd.exe: the sample is a 32-bit executable on 64-bit Windows, so WOW64 file-system redirection resolves System32 to SysWOW64 (the same reason its Run key lands under Wow6432Node). The ping of 127.0.0.1 is only a delay so that the original executable has exited by the time del runs.
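The process tree and the registry write above are the two behaviours a detection engineer would most want to catch on endpoint telemetry: a Run value pointing into a user's %TEMP% folder, a dropped executable launched from %TEMP% by a parent that also lives there, and the "cmd.exe /c ping 127.0.0.1 & del" self-deletion idiom. The script below is an added example, not code from the sandbox or from the Sakula sample; it runs three such rules over a handful of constructed, Sysmon-style event records modelled on this report (the field names pid/ppid/image/cmdline/key/data and the benign control events are assumptions for the example). It goes slightly beyond the page by also recognising the same ping-and-delete pattern when the deleted file is not the parent's own image.

```python
"""Detection rules for the persistence and self-deletion behaviours in this report.

Example code added to this page, not the sandbox's own signature logic.
Event records are constructed dictionaries in a Sysmon-like shape:
  process  : pid, ppid, image, cmdline   (process creation)
  registry : pid, image, key, data        (registry value set)
"""
import re

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\14e744c9759714fd03ae78d429533bf6b713070c99521a9e07078b4caeb0fc70.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

# Constructed sample telemetry modelled on the process tree above (PIDs as reported).
# The last two records are benign controls that the rules must not flag.
EVENTS = [
    {"type": "process", "pid": 780, "ppid": 1200, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"type": "registry", "pid": 780, "image": SAMPLE,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "data": DROPPED},
    {"type": "process", "pid": 1480, "ppid": 780, "image": DROPPED, "cmdline": DROPPED},
    {"type": "process", "pid": 1788, "ppid": 780, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"'},
    {"type": "process", "pid": 1524, "ppid": 1788, "image": r"C:\Windows\SysWOW64\PING.EXE",
     "cmdline": "ping 127.0.0.1"},
    {"type": "registry", "pid": 2200, "image": r"C:\Program Files\Vendor\setup.exe",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "data": r"C:\Program Files\Vendor\updater.exe"},
    {"type": "process", "pid": 2300, "ppid": 1200, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c ping -n 4 10.0.0.1"},
]

# Run / RunOnce keys under any hive or Wow6432Node view.
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.I)
# Per-user temp directory; the sample drops and persists from here.
USER_TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
# "/c ping <loopback> [...] & del [/switches] <target>": ping is used purely as a sleep.
PING_DEL_RE = re.compile(
    r"/c\s+ping\s+(?:-n\s+\d+\s+)?(?:127\.0\.0\.1|localhost)\b[^&]*&+\s*del\s+"
    r"(?:/\w+\s+)*\"?(?P<target>[^\"&]+?)\"?\s*$",
    re.I,
)


def _norm(path):
    """Case-fold a Windows path and strip surrounding quotes for comparison."""
    return path.strip().strip('"').lower()


def detect(events):
    """Return a list of findings ({rule, pid, detail}) for the given event records."""
    images = {e["pid"]: e["image"] for e in events if e["type"] == "process"}
    findings = []
    for e in events:
        if e["type"] == "registry":
            if RUN_KEY_RE.search(e["key"]) and USER_TEMP_RE.search(e["data"]):
                findings.append({"rule": "run_key_points_to_user_temp", "pid": e["pid"],
                                 "detail": f'{e["key"]} = {e["data"]}'})
            continue
        parent = _norm(images.get(e["ppid"], ""))
        # A dropped executable started from %TEMP% by a parent that also runs from %TEMP%.
        if USER_TEMP_RE.search(e["image"]) and USER_TEMP_RE.search(parent):
            findings.append({"rule": "dropped_exe_run_from_user_temp", "pid": e["pid"],
                             "detail": f'{parent} -> {e["image"]}'})
        if _norm(e["image"]).endswith("\\cmd.exe"):
            m = PING_DEL_RE.search(e["cmdline"])
            if m:
                target = _norm(m.group("target"))
                # Deleting the parent's own image is the classic dropper clean-up.
                rule = "self_delete_via_ping_del" if target == parent else "delayed_delete_via_ping_del"
                findings.append({"rule": rule, "pid": e["pid"], "detail": target})
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f'{f["rule"]:32} pid={f["pid"]:<5} {f["detail"]}')
```

Run against the constructed events the rules flag PID 780 (Run value into %TEMP%), PID 1480 (dropped EXE from %TEMP%) and PID 1788 (self-deletion), and stay silent on the two benign controls. The self-delete rule keys on the parent's image path rather than on the sample's hash, so it is not tied to this file; the loopback-ping restriction keeps ordinary connectivity checks out of the results.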
Network
MITRE ATT&CK Enterprise v6
Downloads
  MD5:    3048cb7f195e84f69dea7c8de90e17c5
  SHA1:   53e88692cf72ef5d790f784ee99a5530531e126b
  SHA256: 5032a81862e81f8f4fcd5cdc5f0b472deb234374ce5e4a837b51f48ba8230cc6
  SHA512: a46a5327dfe7f307b764f479c23a0cd3e4fa65698ccb58e698f5b9e104c8fd1abd1ce43effdbbfe5d0b46e0345f01763e8ef6d3c9769476cdeaff66e83dddcf6