Analysis
- max time kernel: 120s
- max time network: 128s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 04:01

Static task: static1
Behavioral task: behavioral1
- Sample: 1643e022000a980fc4198771af41bb14fd480a5d146d95a9bdb6c92952a29e85.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 1643e022000a980fc4198771af41bb14fd480a5d146d95a9bdb6c92952a29e85.exe
- Resource: win10v2004-en-20220113

General
- Target: 1643e022000a980fc4198771af41bb14fd480a5d146d95a9bdb6c92952a29e85.exe
- Size: 191KB
- MD5: 49be17cf09c28c734884fb8dc73fa3b4
- SHA1: 052dfe75c8f4df9feed2e6c6f0be112f9862da5e
- SHA256: 1643e022000a980fc4198771af41bb14fd480a5d146d95a9bdb6c92952a29e85
- SHA512: 7d634987060fd72dc7a03f034a3ac7e3552cb752edf017a37757a21f8590ba98b538572bb96ba4d8b8e7267bec9f2574645aefa849ff5c92c8e76e084fca92a8
Malware Config
Signatures
- Sakula Payload (3 IoCs)
  YARA rule family_sakula fired three times, every hit on the dropped MediaCenter.exe:
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (family_sakula)
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (family_sakula)
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (family_sakula)
- Executes dropped EXE (1 IoC)
  PID 648: MediaCenter.exe
- Deletes itself (1 IoC)
  PID 1172: cmd.exe
- Loads dropped DLL (2 IoCs)
  PID 1212: 1643e022000a980fc4198771af41bb14fd480a5d146d95a9bdb6c92952a29e85.exe (two loads recorded)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str) by PID 1212 (1643e022000a980fc4198771af41bb14fd480a5d146d95a9bdb6c92952a29e85.exe):
  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  The Wow6432Node path shows a 32-bit image writing the machine-wide HKLM Run key on a 64-bit host (registry redirection); that write succeeds only because the sandbox runs the sample from an Admin account, so on a least-privilege user the same code would have to fall back to HKCU or fail to persist.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's canned description for this signature reads "Likely ransomware behaviour"; that is a generic heuristic, and nothing else in this report (no file encryption, no ransom note) supports it for a sample classified as Sakula, which is a remote access trojan. Read it as drive enumeration only.
- Runs ping.exe (1 TTP, 1 IoC)
  PID 1204: ping 127.0.0.1, spawned by cmd.exe (PID 1172) as the delay before the self-delete shown in the process tree.
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  PID 1212 (1643e022000a980fc4198771af41bb14fd480a5d146d95a9bdb6c92952a29e85.exe) enabled token privilege SeIncBasePriorityPrivilege
- Suspicious use of WriteProcessMemory (12 IoCs)
  Source PID -> target PID (source process -> target process), number of writes:
  1212 -> 648 (1643e022000a980fc4198771af41bb14fd480a5d146d95a9bdb6c92952a29e85.exe -> MediaCenter.exe), 4 writes
  1212 -> 1172 (1643e022000a980fc4198771af41bb14fd480a5d146d95a9bdb6c92952a29e85.exe -> cmd.exe), 4 writes
  1172 -> 1204 (cmd.exe -> PING.EXE), 4 writes
  Each parent wrote only into the child it had just spawned, exactly four times per child, and cmd.exe shows the same count into PING.EXE; that is the pattern of ordinary process creation, not injection into an unrelated process.
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\1643e022000a980fc4198771af41bb14fd480a5d146d95a9bdb6c92952a29e85.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1643e022000a980fc4198771af41bb14fd480a5d146d95a9bdb6c92952a29e85.exe"
  PID 1212
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Level 2: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID 648
    - Executes dropped EXE
  Level 2: C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\1643e022000a980fc4198771af41bb14fd480a5d146d95a9bdb6c92952a29e85.exe"
    PID 1172
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    Level 3: C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID 1204
      - Runs ping.exe
The command line asks for System32\cmd.exe but the image that ran is SysWOW64\cmd.exe: file-system redirection rewrote the path because the 32-bit sample launched it on a 64-bit host. The ping of 127.0.0.1 is only a delay so that the parent has exited before del runs; the dropped MediaCenter.exe (PID 648) is left running and is what the Run key restarts at logon.
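The "Deletes itself", "Runs ping.exe" and "Adds Run key to start application" signatures above reduce to two command-line and registry patterns that are easy to check outside the sandbox. The following Python is an example added here, not code from the sandbox vendor or from the Sakula operators: it runs the checks over a constructed event stream shaped like the process tree on this page (Sysmon-style fields flattened to dicts). The explorer.exe parent of the sample and the two benign control events at the end are assumptions, not taken from the report.

```python
import re

# Constructed events mirroring the sandbox process tree on this page. Field
# names follow Sysmon (Image, ParentImage, CommandLine, TargetObject, Details)
# flattened to plain dicts. The explorer.exe parent of the sample and the two
# benign control events are assumptions, not taken from the report.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\1643e022000a980fc4198771af41bb14fd480a5d146d95a9bdb6c92952a29e85.exe")
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
RUN_KEY = (r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows"
           r"\CurrentVersion\Run\MicroMedia")

EVENTS = [
    {"event": "process_create", "pid": 1212, "image": SAMPLE,
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": '"' + SAMPLE + '"'},
    {"event": "registry_set", "pid": 1212, "image": SAMPLE,
     "target": RUN_KEY, "details": DROPPED},
    {"event": "process_create", "pid": 648, "image": DROPPED,
     "parent_image": SAMPLE, "cmdline": DROPPED},
    {"event": "process_create", "pid": 1172, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "parent_image": SAMPLE,
     "cmdline": '"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "' + SAMPLE + '"'},
    {"event": "process_create", "pid": 1204, "image": r"C:\Windows\SysWOW64\PING.EXE",
     "parent_image": r"C:\Windows\SysWOW64\cmd.exe", "cmdline": "ping 127.0.0.1"},
    # Benign controls (constructed): a plain delete without the ping delay, and a
    # Run value that points into Program Files rather than a Temp directory.
    {"event": "process_create", "pid": 2000, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c del /q "C:\Temp\old.log"'},
    {"event": "registry_set", "pid": 2001, "image": r"C:\Program Files\Vendor\setup.exe",
     "target": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
     "details": r'"C:\Program Files\Vendor\updater.exe" /background'},
]

TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
RUN_RE = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)
PING_LOOPBACK_RE = re.compile(r"ping(?:\.exe)?\b.*\b(?:127\.0\.0\.1|localhost)\b", re.IGNORECASE)
DEL_RE = re.compile(r'(?:del|erase)\b\s+(?:/\w+\s+)*"?(?P<target>.+?)"?\s*$', re.IGNORECASE)


def parse_self_delete(cmdline: str):
    """Return the path deleted by `cmd /c ping <loopback> & del ... <path>`, else None.

    The loopback ping is the delay that lets the parent exit before the file
    is unlinked; a del without it is an ordinary cleanup and is not flagged.
    """
    m = re.search(r"(?:^|\s)/[ck]\s+(.*)$", cmdline, re.IGNORECASE)
    if not m:
        return None
    subcmds = [s.strip() for s in re.split(r"&&?|\|\|?", m.group(1)) if s.strip()]
    if len(subcmds) < 2 or not PING_LOOPBACK_RE.match(subcmds[0]):
        return None
    for sub in subcmds[1:]:
        d = DEL_RE.match(sub)
        if d:
            return d.group("target")
    return None


def image_from_run_value(data: str) -> str:
    """Return the executable path from Run value data, dropping quotes and arguments."""
    data = data.strip()
    if data.startswith('"') and data.count('"') >= 2:
        return data[1:data.index('"', 1)]
    return data.split(" ", 1)[0]


def analyse(events):
    """Return (rule, pid, detail) findings for a stream of process/registry events."""
    findings = []
    for ev in events:
        if ev["event"] == "process_create":
            target = parse_self_delete(ev["cmdline"])
            if target:
                # Strongest signal: the file being deleted is the image of the
                # process that spawned this cmd.exe, i.e. the parent erases itself.
                if target.lower() == ev["parent_image"].lower():
                    findings.append(("self_delete_via_ping", ev["pid"], target))
                else:
                    findings.append(("delayed_delete_via_ping", ev["pid"], target))
            # An executable under Temp starting another executable under Temp
            # (the sample launching its dropped payload).
            if TEMP_RE.search(ev["image"]) and TEMP_RE.search(ev["parent_image"]):
                findings.append(("temp_drops_temp_exe", ev["pid"], ev["image"]))
        elif ev["event"] == "registry_set" and RUN_RE.search(ev["target"]):
            if TEMP_RE.search(image_from_run_value(ev["details"])):
                findings.append(("run_key_to_temp", ev["pid"], ev["target"]))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in analyse(EVENTS):
        print(f"{rule:24} pid={pid:<5} {detail}")
```

Against the constructed stream the three Sakula events fire (run_key_to_temp for PID 1212, temp_drops_temp_exe for PID 648, self_delete_via_ping for PID 1172) and neither control does. The self-delete rule keys on the parent/target match rather than on the ping alone, because `ping 127.0.0.1` also appears in harmless install scripts; the Run-key rule keys on the data pointing into a user Temp directory, which is where legitimate software rarely installs its autostart.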
Network
MITRE ATT&CK Enterprise v6
Downloads
One file is offered for download (the original page repeats the same entry three times). Its hashes differ from the submitted sample's, so it is a file captured during the run rather than the sample itself; the page does not name it.
- MD5: 99372de68a2de125c2e1439882f9653d
- SHA1: af06a8008edc2cb1e430b92524c290651c58fe33
- SHA256: e83d9264e0c7e0daeb83d97de207bd78dc1e4182048836be2aa160368a0f8c10
- SHA512: 042d4fa62e14efdbfe469055ef331fd4ef953f0269f3e09614657664e04a918f1dfc762fef3effb587d27901439f8115cfe375bd8a006796b31c33e3a1974089