Analysis
- max time kernel: 149s
- max time network: 160s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 04:10
Static task: static1
Behavioral task: behavioral1
- Sample: 15e2dcf3581688410688cb4eab5b6933b552868dde6a0df915d8737ad69d2fc4.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 15e2dcf3581688410688cb4eab5b6933b552868dde6a0df915d8737ad69d2fc4.exe
- Resource: win10v2004-en-20220112
General
- Target: 15e2dcf3581688410688cb4eab5b6933b552868dde6a0df915d8737ad69d2fc4.exe
- Size: 176KB
- MD5: 0c4ff7bc5d60f6c5dbffdaff55451c62
- SHA1: cc436a24dc02eff8090e8245c32871a05a1f441d
- SHA256: 15e2dcf3581688410688cb4eab5b6933b552868dde6a0df915d8737ad69d2fc4
- SHA512: d906f43cfbfc1cad8651762424feca5331850877aabeedd0bb43ea82d69d019a7d5b7911a7a55966e633e707d42c781a454437adef6b8ea1f1aacb5a4db97633
Malware Config
Signatures
- Sakula Payload (4 IoCs)
  Processes (resource -> yara_rule):
  - \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe -> family_sakula
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe -> family_sakula
  - behavioral1/memory/1352-57-0x0000000000400000-0x0000000000420000-memory.dmp -> family_sakula
  - behavioral1/memory/1340-58-0x0000000000400000-0x0000000000420000-memory.dmp -> family_sakula
- Executes dropped EXE (1 IoC)
  Processes (pid, process):
  - 1340 MediaCenter.exe
- Deletes itself (1 IoC)
  Processes (pid, process):
  - 624 cmd.exe
- Loads dropped DLL (1 IoC)
  Processes (pid, process):
  - 1352 15e2dcf3581688410688cb4eab5b6933b552868dde6a0df915d8737ad69d2fc4.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description, ioc, process):
  - Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 15e2dcf3581688410688cb4eab5b6933b552868dde6a0df915d8737ad69d2fc4.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description, pid, process):
  - Token: SeIncBasePriorityPrivilege | 1352 | 15e2dcf3581688410688cb4eab5b6933b552868dde6a0df915d8737ad69d2fc4.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description, pid, process, target process):
  - PID 1352 wrote to memory of 1340 | 1352 | 15e2dcf3581688410688cb4eab5b6933b552868dde6a0df915d8737ad69d2fc4.exe | MediaCenter.exe (4 entries)
  - PID 1352 wrote to memory of 624 | 1352 | 15e2dcf3581688410688cb4eab5b6933b552868dde6a0df915d8737ad69d2fc4.exe | cmd.exe (4 entries)
  - PID 624 wrote to memory of 784 | 624 | cmd.exe | PING.EXE (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\15e2dcf3581688410688cb4eab5b6933b552868dde6a0df915d8737ad69d2fc4.exe (level 1, PID 1352)
  command line: "C:\Users\Admin\AppData\Local\Temp\15e2dcf3581688410688cb4eab5b6933b552868dde6a0df915d8737ad69d2fc4.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  child process: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (level 2, PID 1340)
    command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  child process: C:\Windows\SysWOW64\cmd.exe (level 2, PID 624)
    command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\15e2dcf3581688410688cb4eab5b6933b552868dde6a0df915d8737ad69d2fc4.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    child process: C:\Windows\SysWOW64\PING.EXE (level 3, PID 784)
      command line: ping 127.0.0.1
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 9786d050d48e35839c262c7c57f37324
  SHA1: 8dc98e2a8c8ba9c07de5a78e2e51475249d4c630
  SHA256: ad60f938b66607bd53fb1d58a0259cff1869310bd040887003c129c59fdd46d2
  SHA512: 902c04768489e5c5cc0aa1a04bf724f82f8289f5068976e3ba30f4082c2298a23fa0a1b298d8ef5e45a208d1bc615f69b56c82d6425d812d695a0c04fc4fc383