Analysis
- max time kernel: 135s
- max time network: 153s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 04:07
Static task: static1

Behavioral task: behavioral1
  Sample: 1605d430f551f62a6de86ee2642cdf8afdb41edb76f6154fb0cc74ff27ff5d38.exe
  Resource: win7-en-20211208

Behavioral task: behavioral2
  Sample: 1605d430f551f62a6de86ee2642cdf8afdb41edb76f6154fb0cc74ff27ff5d38.exe
  Resource: win10v2004-en-20220113
General
- Target: 1605d430f551f62a6de86ee2642cdf8afdb41edb76f6154fb0cc74ff27ff5d38.exe
- Size: 150KB
- MD5: 1aeff85c7442d32019a583f361b4f080
- SHA1: a6888b1abceb90ba9208d67b84c79580cf32e0c2
- SHA256: 1605d430f551f62a6de86ee2642cdf8afdb41edb76f6154fb0cc74ff27ff5d38
- SHA512: 6a2856044b4d92ac488474e19943dd2f9b539e1a5b75eb2aa388c854b361dbda3b43dbe96de0090324c5a2623e9e334a04ae5a4de3da1020678373d2c7ddd90b
Malware Config
Signatures

Sakula Payload (2 IoCs)
Processes:
  resource                                                     | yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe   | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula

Executes dropped EXE (1 IoC)
Processes:
  pid  | process
  1916 | MediaCenter.exe

Deletes itself (1 IoC)
Processes:
  pid  | process
  1848 | cmd.exe

Loads dropped DLL (1 IoC)
Processes:
  pid  | process
  1592 | 1605d430f551f62a6de86ee2642cdf8afdb41edb76f6154fb0cc74ff27ff5d38.exe

Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  description     | ioc                                                                                                                                                                                   | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 1605d430f551f62a6de86ee2642cdf8afdb41edb76f6154fb0cc74ff27ff5d38.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTP, 1 IoC)

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  description                       | pid  | process
  Token: SeIncBasePriorityPrivilege | 1592 | 1605d430f551f62a6de86ee2642cdf8afdb41edb76f6154fb0cc74ff27ff5d38.exe

Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
  description                      | pid  | process                                                               | target process
  PID 1592 wrote to memory of 1916 | 1592 | 1605d430f551f62a6de86ee2642cdf8afdb41edb76f6154fb0cc74ff27ff5d38.exe | MediaCenter.exe
  PID 1592 wrote to memory of 1916 | 1592 | 1605d430f551f62a6de86ee2642cdf8afdb41edb76f6154fb0cc74ff27ff5d38.exe | MediaCenter.exe
  PID 1592 wrote to memory of 1916 | 1592 | 1605d430f551f62a6de86ee2642cdf8afdb41edb76f6154fb0cc74ff27ff5d38.exe | MediaCenter.exe
  PID 1592 wrote to memory of 1916 | 1592 | 1605d430f551f62a6de86ee2642cdf8afdb41edb76f6154fb0cc74ff27ff5d38.exe | MediaCenter.exe
  PID 1592 wrote to memory of 1848 | 1592 | 1605d430f551f62a6de86ee2642cdf8afdb41edb76f6154fb0cc74ff27ff5d38.exe | cmd.exe
  PID 1592 wrote to memory of 1848 | 1592 | 1605d430f551f62a6de86ee2642cdf8afdb41edb76f6154fb0cc74ff27ff5d38.exe | cmd.exe
  PID 1592 wrote to memory of 1848 | 1592 | 1605d430f551f62a6de86ee2642cdf8afdb41edb76f6154fb0cc74ff27ff5d38.exe | cmd.exe
  PID 1592 wrote to memory of 1848 | 1592 | 1605d430f551f62a6de86ee2642cdf8afdb41edb76f6154fb0cc74ff27ff5d38.exe | cmd.exe
  PID 1848 wrote to memory of 1648 | 1848 | cmd.exe                                                               | PING.EXE
  PID 1848 wrote to memory of 1648 | 1848 | cmd.exe                                                               | PING.EXE
  PID 1848 wrote to memory of 1648 | 1848 | cmd.exe                                                               | PING.EXE
  PID 1848 wrote to memory of 1648 | 1848 | cmd.exe                                                               | PING.EXE
Processes

C:\Users\Admin\AppData\Local\Temp\1605d430f551f62a6de86ee2642cdf8afdb41edb76f6154fb0cc74ff27ff5d38.exe  (depth 1, PID 1592)
  Command line: "C:\Users\Admin\AppData\Local\Temp\1605d430f551f62a6de86ee2642cdf8afdb41edb76f6154fb0cc74ff27ff5d38.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  (depth 2, PID 1916)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE

  C:\Windows\SysWOW64\cmd.exe  (depth 2, PID 1848)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\1605d430f551f62a6de86ee2642cdf8afdb41edb76f6154fb0cc74ff27ff5d38.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\PING.EXE  (depth 3, PID 1648)
      Command line: ping 127.0.0.1
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: dd4076b74f09e2fa73594954c533b8b0
  SHA1: 17f9450ff06b5d85eae4d5afb32871fad7d6eb7b
  SHA256: 35c8a843e46b8ac4f51a16b39f630637bf6e784edf20144d8a2a4c0a5d7c53ba
  SHA512: fb293d9b49db2fb946a8f84fdddeb4c1d8bc0b5a6e14108e6edb36ec5748f51fa78fef030916edd3dc99053abbc2747318e4950d8c1ddf34f7e1186c84884176