Analysis

max time kernel: 140s
max time network: 170s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 04:00

Static task: static1

Behavioral task: behavioral1
  Sample: 164fbc01f90db85a5f95d6f0454af27ba10ec43b8df67857923275a4911e13d6.exe
  Resource: win7-en-20211208

Behavioral task: behavioral2
  Sample: 164fbc01f90db85a5f95d6f0454af27ba10ec43b8df67857923275a4911e13d6.exe
  Resource: win10v2004-en-20220113
General

Target: 164fbc01f90db85a5f95d6f0454af27ba10ec43b8df67857923275a4911e13d6.exe
Size: 192KB
MD5: 1a4fdecea93ac01fc4af09a65d1e88c7
SHA1: b1290f06eb5defa26e4ff6d54204946b2db5d903
SHA256: 164fbc01f90db85a5f95d6f0454af27ba10ec43b8df67857923275a4911e13d6
SHA512: e40332bbfc4c002323ead3bf7a164a000b4970c5e7d7070413c6ae83c00df1eafe2f780c4095aa76b3974e6d87f4e63d800bf4bbc04c76474b068dabc88ecd0a
Malware Config
Signatures

- Sakula Payload (3 IoCs)
  Processes:
  resource                                                         yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe       family_sakula
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe       family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe     family_sakula

- Executes dropped EXE (1 IoCs)
  Processes:
  pid    process
  1656   MediaCenter.exe

- Deletes itself (1 IoCs)
  Processes:
  pid    process
  960    cmd.exe

- Loads dropped DLL (2 IoCs)
  Processes:
  pid    process
  1628   164fbc01f90db85a5f95d6f0454af27ba10ec43b8df67857923275a4911e13d6.exe
  1628   164fbc01f90db85a5f95d6f0454af27ba10ec43b8df67857923275a4911e13d6.exe

- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
  description       ioc                                                                                                                                                                          process
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"   164fbc01f90db85a5f95d6f0454af27ba10ec43b8df67857923275a4911e13d6.exe

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Runs ping.exe (1 TTPs, 1 IoCs)

- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
  description                          pid    process
  Token: SeIncBasePriorityPrivilege    1628   164fbc01f90db85a5f95d6f0454af27ba10ec43b8df67857923275a4911e13d6.exe

- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
  description                         pid    process                                                                   target process
  PID 1628 wrote to memory of 1656    1628   164fbc01f90db85a5f95d6f0454af27ba10ec43b8df67857923275a4911e13d6.exe     MediaCenter.exe
  PID 1628 wrote to memory of 1656    1628   164fbc01f90db85a5f95d6f0454af27ba10ec43b8df67857923275a4911e13d6.exe     MediaCenter.exe
  PID 1628 wrote to memory of 1656    1628   164fbc01f90db85a5f95d6f0454af27ba10ec43b8df67857923275a4911e13d6.exe     MediaCenter.exe
  PID 1628 wrote to memory of 1656    1628   164fbc01f90db85a5f95d6f0454af27ba10ec43b8df67857923275a4911e13d6.exe     MediaCenter.exe
  PID 1628 wrote to memory of 960     1628   164fbc01f90db85a5f95d6f0454af27ba10ec43b8df67857923275a4911e13d6.exe     cmd.exe
  PID 1628 wrote to memory of 960     1628   164fbc01f90db85a5f95d6f0454af27ba10ec43b8df67857923275a4911e13d6.exe     cmd.exe
  PID 1628 wrote to memory of 960     1628   164fbc01f90db85a5f95d6f0454af27ba10ec43b8df67857923275a4911e13d6.exe     cmd.exe
  PID 1628 wrote to memory of 960     1628   164fbc01f90db85a5f95d6f0454af27ba10ec43b8df67857923275a4911e13d6.exe     cmd.exe
  PID 960 wrote to memory of 452      960    cmd.exe                                                                   PING.EXE
  PID 960 wrote to memory of 452      960    cmd.exe                                                                   PING.EXE
  PID 960 wrote to memory of 452      960    cmd.exe                                                                   PING.EXE
  PID 960 wrote to memory of 452      960    cmd.exe                                                                   PING.EXE
Processes

1. C:\Users\Admin\AppData\Local\Temp\164fbc01f90db85a5f95d6f0454af27ba10ec43b8df67857923275a4911e13d6.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\164fbc01f90db85a5f95d6f0454af27ba10ec43b8df67857923275a4911e13d6.exe"
   PID: 1628
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      PID: 1656
      - Executes dropped EXE

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\164fbc01f90db85a5f95d6f0454af27ba10ec43b8df67857923275a4911e13d6.exe"
      PID: 960
      - Deletes itself
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\PING.EXE
         Command line: ping 127.0.0.1
         PID: 452
         - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads

MD5: 3236c1b0b60ba59c7707799a787d6d63
SHA1: 5d1d746160edc5484cf602d6c925e01b48bff3a3
SHA256: c7d0633835419d83752074a4dff4bbd9479c7f681197416b23d421515ab35ff4
SHA512: e40e04e179b3bb831f1073bce7c7d2ad95cc805fd67174825f130f13f016943fad779a1af3de2a22ec2007fb0a5a37649cbc76162f7c9e77ee807b3505567a24