Analysis
-
max time kernel
137s -
max time network
155s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
12-02-2022 04:02
Static task
static1
Behavioral task
behavioral1
Sample
1629405d508628d19523052aaca56bf0edee722f091434367401061d92a901b2.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
1629405d508628d19523052aaca56bf0edee722f091434367401061d92a901b2.exe
Resource
win10v2004-en-20220113
General
-
Target
1629405d508628d19523052aaca56bf0edee722f091434367401061d92a901b2.exe
-
Size
100KB
-
MD5
90c02f1a619ce3d49b0dd8bb4b77d58f
-
SHA1
49aa1e8b7ad0a693e0a7ddd6e95cdc4f8329bfd6
-
SHA256
1629405d508628d19523052aaca56bf0edee722f091434367401061d92a901b2
-
SHA512
1fbe9ea4a4c92391916c2b6f228b9083a440ff612eeb0515e07f074bc9b949dfe647d52bab2b5782f4d4500c48b8906276754bd10227b7475d7bf287e442b3f3
Malware Config
Signatures
-
Sakula Payload 3 IoCs
Processes:
resource yara_rule \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula -
Executes dropped EXE 1 IoCs
Processes:
MediaCenter.exepid process 1760 MediaCenter.exe -
Deletes itself 1 IoCs
Processes:
cmd.exepid process 1324 cmd.exe -
Loads dropped DLL 2 IoCs
Processes:
1629405d508628d19523052aaca56bf0edee722f091434367401061d92a901b2.exepid process 1088 1629405d508628d19523052aaca56bf0edee722f091434367401061d92a901b2.exe 1088 1629405d508628d19523052aaca56bf0edee722f091434367401061d92a901b2.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
1629405d508628d19523052aaca56bf0edee722f091434367401061d92a901b2.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" 1629405d508628d19523052aaca56bf0edee722f091434367401061d92a901b2.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
1629405d508628d19523052aaca56bf0edee722f091434367401061d92a901b2.exedescription pid process Token: SeIncBasePriorityPrivilege 1088 1629405d508628d19523052aaca56bf0edee722f091434367401061d92a901b2.exe -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
1629405d508628d19523052aaca56bf0edee722f091434367401061d92a901b2.execmd.exedescription pid process target process PID 1088 wrote to memory of 1760 1088 1629405d508628d19523052aaca56bf0edee722f091434367401061d92a901b2.exe MediaCenter.exe PID 1088 wrote to memory of 1760 1088 1629405d508628d19523052aaca56bf0edee722f091434367401061d92a901b2.exe MediaCenter.exe PID 1088 wrote to memory of 1760 1088 1629405d508628d19523052aaca56bf0edee722f091434367401061d92a901b2.exe MediaCenter.exe PID 1088 wrote to memory of 1760 1088 1629405d508628d19523052aaca56bf0edee722f091434367401061d92a901b2.exe MediaCenter.exe PID 1088 wrote to memory of 1324 1088 1629405d508628d19523052aaca56bf0edee722f091434367401061d92a901b2.exe cmd.exe PID 1088 wrote to memory of 1324 1088 1629405d508628d19523052aaca56bf0edee722f091434367401061d92a901b2.exe cmd.exe PID 1088 wrote to memory of 1324 1088 1629405d508628d19523052aaca56bf0edee722f091434367401061d92a901b2.exe cmd.exe PID 1088 wrote to memory of 1324 1088 1629405d508628d19523052aaca56bf0edee722f091434367401061d92a901b2.exe cmd.exe PID 1324 wrote to memory of 1992 1324 cmd.exe PING.EXE PID 1324 wrote to memory of 1992 1324 cmd.exe PING.EXE PID 1324 wrote to memory of 1992 1324 cmd.exe PING.EXE PID 1324 wrote to memory of 1992 1324 cmd.exe PING.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\1629405d508628d19523052aaca56bf0edee722f091434367401061d92a901b2.exe"C:\Users\Admin\AppData\Local\Temp\1629405d508628d19523052aaca56bf0edee722f091434367401061d92a901b2.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1088 -
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeC:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe2⤵
- Executes dropped EXE
PID:1760 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\1629405d508628d19523052aaca56bf0edee722f091434367401061d92a901b2.exe"2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1324 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.13⤵
- Runs ping.exe
PID:1992
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
db4d105eae279306846340ef44bc9323
SHA191fb7f1187f4c63635116309d62d0ec4fa4587a6
SHA256637fe92bdbab9f3d432e1c236c66d57d954e007aaa2556a75e192daa807c5bfb
SHA5127a62ab8f6e5ce5d49ce63c20373347ec74623dda2aa4cdb0924c3c691b4f3290417aaf18e32edf6b908a11e7a7e395f94d7e33565797f5051b984a58c6165a70
-
MD5
db4d105eae279306846340ef44bc9323
SHA191fb7f1187f4c63635116309d62d0ec4fa4587a6
SHA256637fe92bdbab9f3d432e1c236c66d57d954e007aaa2556a75e192daa807c5bfb
SHA5127a62ab8f6e5ce5d49ce63c20373347ec74623dda2aa4cdb0924c3c691b4f3290417aaf18e32edf6b908a11e7a7e395f94d7e33565797f5051b984a58c6165a70
-
MD5
db4d105eae279306846340ef44bc9323
SHA191fb7f1187f4c63635116309d62d0ec4fa4587a6
SHA256637fe92bdbab9f3d432e1c236c66d57d954e007aaa2556a75e192daa807c5bfb
SHA5127a62ab8f6e5ce5d49ce63c20373347ec74623dda2aa4cdb0924c3c691b4f3290417aaf18e32edf6b908a11e7a7e395f94d7e33565797f5051b984a58c6165a70