Analysis
- max time kernel: 149s
- max time network: 166s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 03:53
Static task: static1
Behavioral task: behavioral1
  Sample: 1696ea1d31ce90bfed3b8781ae25921b7f464cee7a980306303cf3f052f2bdf3.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 1696ea1d31ce90bfed3b8781ae25921b7f464cee7a980306303cf3f052f2bdf3.exe
  Resource: win10v2004-en-20220113
General
- Target: 1696ea1d31ce90bfed3b8781ae25921b7f464cee7a980306303cf3f052f2bdf3.exe
- Size: 216KB
- MD5: 565b15efd9cae3535ae9248ab8179be9
- SHA1: b9b21ca10b7507d77dd10cc2fbd4acab4c15dc19
- SHA256: 1696ea1d31ce90bfed3b8781ae25921b7f464cee7a980306303cf3f052f2bdf3
- SHA512: 29cec2523b2fbd40cc74f8a698f0fffd78bd4d72b209e8385432d9ec0eabfafc2622e899548b70497f985e741084587b79b218cc093a927f89f0d13829ab83ff
Malware Config
Signatures
- Sakula Payload (4 IoCs)
  Processes:
  resource | yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  behavioral1/memory/1368-59-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
  behavioral1/memory/1712-60-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
- Executes dropped EXE (1 IoC)
  Processes:
  pid | process
  1712 | MediaCenter.exe
- Deletes itself (1 IoC)
  Processes:
  pid | process
  1096 | cmd.exe
- Loads dropped DLL (1 IoC)
  Processes:
  pid | process
  1368 | 1696ea1d31ce90bfed3b8781ae25921b7f464cee7a980306303cf3f052f2bdf3.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 1696ea1d31ce90bfed3b8781ae25921b7f464cee7a980306303cf3f052f2bdf3.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 1368 | 1696ea1d31ce90bfed3b8781ae25921b7f464cee7a980306303cf3f052f2bdf3.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
  description | pid | process | target process
  PID 1368 wrote to memory of 1712 | 1368 | 1696ea1d31ce90bfed3b8781ae25921b7f464cee7a980306303cf3f052f2bdf3.exe | MediaCenter.exe
  PID 1368 wrote to memory of 1712 | 1368 | 1696ea1d31ce90bfed3b8781ae25921b7f464cee7a980306303cf3f052f2bdf3.exe | MediaCenter.exe
  PID 1368 wrote to memory of 1712 | 1368 | 1696ea1d31ce90bfed3b8781ae25921b7f464cee7a980306303cf3f052f2bdf3.exe | MediaCenter.exe
  PID 1368 wrote to memory of 1712 | 1368 | 1696ea1d31ce90bfed3b8781ae25921b7f464cee7a980306303cf3f052f2bdf3.exe | MediaCenter.exe
  PID 1368 wrote to memory of 1096 | 1368 | 1696ea1d31ce90bfed3b8781ae25921b7f464cee7a980306303cf3f052f2bdf3.exe | cmd.exe
  PID 1368 wrote to memory of 1096 | 1368 | 1696ea1d31ce90bfed3b8781ae25921b7f464cee7a980306303cf3f052f2bdf3.exe | cmd.exe
  PID 1368 wrote to memory of 1096 | 1368 | 1696ea1d31ce90bfed3b8781ae25921b7f464cee7a980306303cf3f052f2bdf3.exe | cmd.exe
  PID 1368 wrote to memory of 1096 | 1368 | 1696ea1d31ce90bfed3b8781ae25921b7f464cee7a980306303cf3f052f2bdf3.exe | cmd.exe
  PID 1096 wrote to memory of 1056 | 1096 | cmd.exe | PING.EXE
  PID 1096 wrote to memory of 1056 | 1096 | cmd.exe | PING.EXE
  PID 1096 wrote to memory of 1056 | 1096 | cmd.exe | PING.EXE
  PID 1096 wrote to memory of 1056 | 1096 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\1696ea1d31ce90bfed3b8781ae25921b7f464cee7a980306303cf3f052f2bdf3.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\1696ea1d31ce90bfed3b8781ae25921b7f464cee7a980306303cf3f052f2bdf3.exe"
  Signatures:
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1368
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (level 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Signatures:
    - Executes dropped EXE
    PID: 1712
  - C:\Windows\SysWOW64\cmd.exe (level 2)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\1696ea1d31ce90bfed3b8781ae25921b7f464cee7a980306303cf3f052f2bdf3.exe"
    Signatures:
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1096
    - C:\Windows\SysWOW64\PING.EXE (level 3)
      Command line: ping 127.0.0.1
      Signatures:
      - Runs ping.exe
      PID: 1056
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 2e478a4da5a99d43192f84fd6e948a35
  SHA1: f569e8add2847836852b14e4c2a03dda3ec604d7
  SHA256: 18fad6d6736b94dd48db3e70262fd3208062fc35cd84a5b1a9ab707b50914653
  SHA512: 463131f6e6dbf044c1c770d4e51ec4f2046db0e2073596227dc1cbcd70dd181eb91466c52657334c20b9a55e847d5918246e2462386dcdf624bfe46b5cc34ed9