Analysis
- max time kernel: 118s
- max time network: 137s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 03:55
Static task: static1
Behavioral task: behavioral1
- Sample: 1675ae7b61ecf82d260ecababd2e7cef19cf562b6c95d19ef4169e89c6abe54f.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 1675ae7b61ecf82d260ecababd2e7cef19cf562b6c95d19ef4169e89c6abe54f.exe
- Resource: win10v2004-en-20220113
General
- Target: 1675ae7b61ecf82d260ecababd2e7cef19cf562b6c95d19ef4169e89c6abe54f.exe
- Size: 79KB
- MD5: 8d0371d07a7c96cb75280a6d370ef424
- SHA1: 62cb6ef04073891ba50e051a93ce9fb36e4f97dd
- SHA256: 1675ae7b61ecf82d260ecababd2e7cef19cf562b6c95d19ef4169e89c6abe54f
- SHA512: 311184da8f7f7ee4cbde8498634b453a953892189357f522beb6ba9ad7acb8a43994e4602c238eb8bdb00032d1014fa1317e624fe423b2e825299d7fc6bc8954
Malware Config
Signatures
- Sakula Payload (3 IoCs)
  Resources matched by YARA rule family_sakula:
  - \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  - \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
- Executes dropped EXE (1 IoC)
  Processes:
  - PID 876: MediaCenter.exe
- Deletes itself (1 IoC)
  Processes:
  - PID 624: cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes:
  - PID 1516: 1675ae7b61ecf82d260ecababd2e7cef19cf562b6c95d19ef4169e89c6abe54f.exe
  - PID 1516: 1675ae7b61ecf82d260ecababd2e7cef19cf562b6c95d19ef4169e89c6abe54f.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
  - description: Set value (str)
    ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
    process: 1675ae7b61ecf82d260ecababd2e7cef19cf562b6c95d19ef4169e89c6abe54f.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  - description: Token: SeIncBasePriorityPrivilege
    PID 1516: 1675ae7b61ecf82d260ecababd2e7cef19cf562b6c95d19ef4169e89c6abe54f.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description / pid / process / target process):
  - PID 1516 wrote to memory of 876 / 1516 / 1675ae7b61ecf82d260ecababd2e7cef19cf562b6c95d19ef4169e89c6abe54f.exe / MediaCenter.exe (4 entries)
  - PID 1516 wrote to memory of 624 / 1516 / 1675ae7b61ecf82d260ecababd2e7cef19cf562b6c95d19ef4169e89c6abe54f.exe / cmd.exe (4 entries)
  - PID 624 wrote to memory of 1628 / 624 / cmd.exe / PING.EXE (4 entries)
Processes
- Level 1: C:\Users\Admin\AppData\Local\Temp\1675ae7b61ecf82d260ecababd2e7cef19cf562b6c95d19ef4169e89c6abe54f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1675ae7b61ecf82d260ecababd2e7cef19cf562b6c95d19ef4169e89c6abe54f.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1516
  - Level 2: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 876
  - Level 2: C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\1675ae7b61ecf82d260ecababd2e7cef19cf562b6c95d19ef4169e89c6abe54f.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 624
    - Level 3: C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1628
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: c8f617fd2f579b8bb9d3727c1cff7485
  SHA1: d6655a5f8ab147aaf75f1b5a7037d7796beb77c2
  SHA256: 48a8b4c2011335b3805fe05e5dfac9ab905ca7909efed739acef7a980db585a8
  SHA512: e64de5a802efa2158d96e0a87d2dcb005b1ab1c2f1beab1de9aafe9ac186bac618981242eaf6037b3c98dd4a3d9fed7998c33476eb6a6692b32ec6609c23fe8b