Analysis
- max time kernel: 117s
- max time network: 127s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 04:09
Static task: static1
Behavioral task: behavioral1
- Sample: 15ecd5a1280d7095e100a28c61e419a265d58e42fc63c4471c9d9b1084892ae6.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 15ecd5a1280d7095e100a28c61e419a265d58e42fc63c4471c9d9b1084892ae6.exe
- Resource: win10v2004-en-20220113
General
- Target: 15ecd5a1280d7095e100a28c61e419a265d58e42fc63c4471c9d9b1084892ae6.exe
- Size: 80KB
- MD5: 78b54aa038d21d1f429ec52c20617e5f
- SHA1: dfbdb5fd9a2e7af085f65988278e9abc1c49585c
- SHA256: 15ecd5a1280d7095e100a28c61e419a265d58e42fc63c4471c9d9b1084892ae6
- SHA512: 5f6bb73400c725a84503e7186fe31c5d948d501e805c784333ac2398ff3b316360e312045640c063832926177f550ad7f7320935a39c01bb06ca7d5710049711
Malware Config
Signatures
- Sakula Payload (3 IoCs)
  Processes:
  resource: \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe, yara_rule: family_sakula
  resource: \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe, yara_rule: family_sakula
  resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe, yara_rule: family_sakula
- Executes dropped EXE (1 IoC)
  Processes: MediaCenter.exe
  pid: 1888, process: MediaCenter.exe
- Deletes itself (1 IoC)
  Processes: cmd.exe
  pid: 1944, process: cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes: 15ecd5a1280d7095e100a28c61e419a265d58e42fc63c4471c9d9b1084892ae6.exe
  pid: 1720, process: 15ecd5a1280d7095e100a28c61e419a265d58e42fc63c4471c9d9b1084892ae6.exe
  pid: 1720, process: 15ecd5a1280d7095e100a28c61e419a265d58e42fc63c4471c9d9b1084892ae6.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: 15ecd5a1280d7095e100a28c61e419a265d58e42fc63c4471c9d9b1084892ae6.exe
  description: Set value (str), ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe", process: 15ecd5a1280d7095e100a28c61e419a265d58e42fc63c4471c9d9b1084892ae6.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: 15ecd5a1280d7095e100a28c61e419a265d58e42fc63c4471c9d9b1084892ae6.exe
  description: Token: SeIncBasePriorityPrivilege, pid: 1720, process: 15ecd5a1280d7095e100a28c61e419a265d58e42fc63c4471c9d9b1084892ae6.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes: 15ecd5a1280d7095e100a28c61e419a265d58e42fc63c4471c9d9b1084892ae6.exe, cmd.exe
  description: PID 1720 wrote to memory of 1888, pid: 1720, process: 15ecd5a1280d7095e100a28c61e419a265d58e42fc63c4471c9d9b1084892ae6.exe, target process: MediaCenter.exe
  description: PID 1720 wrote to memory of 1888, pid: 1720, process: 15ecd5a1280d7095e100a28c61e419a265d58e42fc63c4471c9d9b1084892ae6.exe, target process: MediaCenter.exe
  description: PID 1720 wrote to memory of 1888, pid: 1720, process: 15ecd5a1280d7095e100a28c61e419a265d58e42fc63c4471c9d9b1084892ae6.exe, target process: MediaCenter.exe
  description: PID 1720 wrote to memory of 1888, pid: 1720, process: 15ecd5a1280d7095e100a28c61e419a265d58e42fc63c4471c9d9b1084892ae6.exe, target process: MediaCenter.exe
  description: PID 1720 wrote to memory of 1944, pid: 1720, process: 15ecd5a1280d7095e100a28c61e419a265d58e42fc63c4471c9d9b1084892ae6.exe, target process: cmd.exe
  description: PID 1720 wrote to memory of 1944, pid: 1720, process: 15ecd5a1280d7095e100a28c61e419a265d58e42fc63c4471c9d9b1084892ae6.exe, target process: cmd.exe
  description: PID 1720 wrote to memory of 1944, pid: 1720, process: 15ecd5a1280d7095e100a28c61e419a265d58e42fc63c4471c9d9b1084892ae6.exe, target process: cmd.exe
  description: PID 1720 wrote to memory of 1944, pid: 1720, process: 15ecd5a1280d7095e100a28c61e419a265d58e42fc63c4471c9d9b1084892ae6.exe, target process: cmd.exe
  description: PID 1944 wrote to memory of 1640, pid: 1944, process: cmd.exe, target process: PING.EXE
  description: PID 1944 wrote to memory of 1640, pid: 1944, process: cmd.exe, target process: PING.EXE
  description: PID 1944 wrote to memory of 1640, pid: 1944, process: cmd.exe, target process: PING.EXE
  description: PID 1944 wrote to memory of 1640, pid: 1944, process: cmd.exe, target process: PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\15ecd5a1280d7095e100a28c61e419a265d58e42fc63c4471c9d9b1084892ae6.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\15ecd5a1280d7095e100a28c61e419a265d58e42fc63c4471c9d9b1084892ae6.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1720
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1888
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\15ecd5a1280d7095e100a28c61e419a265d58e42fc63c4471c9d9b1084892ae6.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1944
    - C:\Windows\SysWOW64\PING.EXE (depth 3)
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1640
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 220a95ada4d8ad165adeb588094f65df
  SHA1: c5278935db9c48d0a46d6e6af8d97c0a615bebf4
  SHA256: 4cabc8e20e8497278641a73e4fd79f8b8b5d8bdebe9236221ff7f1fdea986d39
  SHA512: c23f78ac155301fb71ad4b274dc64e136e6c59c821b2a3b4278efdf390a9f25667fea0dab94623431bad72998384d6ed036f0221ce39e4856f1cbcc3a5191d31