Analysis
- Max time kernel: 132s
- Max time network: 152s
- Platform: windows7_x64
- Resource: win7-en-20211208
- Submitted: 12-02-2022 04:05
Static task: static1
Behavioral task: behavioral1
  Sample: 1617188c9be685a3fb9e4967434cb45f976fa9cfb76b431a59ef3f6735910182.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 1617188c9be685a3fb9e4967434cb45f976fa9cfb76b431a59ef3f6735910182.exe
  Resource: win10v2004-en-20220112
General
- Target: 1617188c9be685a3fb9e4967434cb45f976fa9cfb76b431a59ef3f6735910182.exe
- Size: 99KB
- MD5: a07ccbf3fa164cbab825d695f6f40ce8
- SHA1: 94b9fce9785b36d9d0560635d29fca631fe5518a
- SHA256: 1617188c9be685a3fb9e4967434cb45f976fa9cfb76b431a59ef3f6735910182
- SHA512: 7336f1c0f4a7897bf71b3d5617fb06430e128092672994eb295c90151a9b79b6a267fa7b295920250fd61c8304bb3192f8e0fa3e8d2a3f08c809290a355feabf
Malware Config
Signatures
- Sakula Payload (3 IoCs)
  Processes (resource / yara_rule):
    \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  family_sakula
    \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  family_sakula
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  family_sakula
- Executes dropped EXE (1 IoC)
  Processes (pid / process):
    944  MediaCenter.exe
- Deletes itself (1 IoC)
  Processes (pid / process):
    1036  cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid / process):
    1620  1617188c9be685a3fb9e4967434cb45f976fa9cfb76b431a59ef3f6735910182.exe
    1620  1617188c9be685a3fb9e4967434cb45f976fa9cfb76b431a59ef3f6735910182.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description / ioc / process):
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  1617188c9be685a3fb9e4967434cb45f976fa9cfb76b431a59ef3f6735910182.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description / pid / process):
    Token: SeIncBasePriorityPrivilege  1620  1617188c9be685a3fb9e4967434cb45f976fa9cfb76b431a59ef3f6735910182.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description / pid / process / target process):
    PID 1620 wrote to memory of 944   1620  1617188c9be685a3fb9e4967434cb45f976fa9cfb76b431a59ef3f6735910182.exe  MediaCenter.exe
    PID 1620 wrote to memory of 944   1620  1617188c9be685a3fb9e4967434cb45f976fa9cfb76b431a59ef3f6735910182.exe  MediaCenter.exe
    PID 1620 wrote to memory of 944   1620  1617188c9be685a3fb9e4967434cb45f976fa9cfb76b431a59ef3f6735910182.exe  MediaCenter.exe
    PID 1620 wrote to memory of 944   1620  1617188c9be685a3fb9e4967434cb45f976fa9cfb76b431a59ef3f6735910182.exe  MediaCenter.exe
    PID 1620 wrote to memory of 1036  1620  1617188c9be685a3fb9e4967434cb45f976fa9cfb76b431a59ef3f6735910182.exe  cmd.exe
    PID 1620 wrote to memory of 1036  1620  1617188c9be685a3fb9e4967434cb45f976fa9cfb76b431a59ef3f6735910182.exe  cmd.exe
    PID 1620 wrote to memory of 1036  1620  1617188c9be685a3fb9e4967434cb45f976fa9cfb76b431a59ef3f6735910182.exe  cmd.exe
    PID 1620 wrote to memory of 1036  1620  1617188c9be685a3fb9e4967434cb45f976fa9cfb76b431a59ef3f6735910182.exe  cmd.exe
    PID 1036 wrote to memory of 1900  1036  cmd.exe  PING.EXE
    PID 1036 wrote to memory of 1900  1036  cmd.exe  PING.EXE
    PID 1036 wrote to memory of 1900  1036  cmd.exe  PING.EXE
    PID 1036 wrote to memory of 1900  1036  cmd.exe  PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\1617188c9be685a3fb9e4967434cb45f976fa9cfb76b431a59ef3f6735910182.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1617188c9be685a3fb9e4967434cb45f976fa9cfb76b431a59ef3f6735910182.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1620
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 944
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\1617188c9be685a3fb9e4967434cb45f976fa9cfb76b431a59ef3f6735910182.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1036
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1900
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 6a485e9b7044cfe1ca84df5f4f571b62
  SHA1: 0a2c9662ac9d5706533a6e486873e342a9f73ac0
  SHA256: 1a1bce5cdeab230eb88880237be5ee75513048a58641629b4b00ad5cb34843fa
  SHA512: 2e530cd7c398afd49fe93d93ed852c28c1ba605f198a94f0a2dedc67df8591533a067b4c0de361eda9bcec11905ea28e202b76e593939468d77fdb2122b5d554