Analysis
- max time kernel: 149s
- max time network: 158s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 04:13
Static task: static1
Behavioral task: behavioral1
  Sample: 15c79a753676b26983b9d1a5b66c2941fa03d64d4a550959868218c3eb3202ea.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 15c79a753676b26983b9d1a5b66c2941fa03d64d4a550959868218c3eb3202ea.exe
  Resource: win10v2004-en-20220113
The analysis metadata above (platform windows7_x64, resource win7-en-20211208) and the Signatures and Processes sections below belong to behavioral1; this page carries no results from the win10v2004 run.
General
- Target: 15c79a753676b26983b9d1a5b66c2941fa03d64d4a550959868218c3eb3202ea.exe
- Size: 89KB
- MD5: 9ac84c1467284bb2dd0ef7a4250a63b4
- SHA1: 9dc003cfebd445048337a9feea5a207afcdf452f
- SHA256: 15c79a753676b26983b9d1a5b66c2941fa03d64d4a550959868218c3eb3202ea
- SHA512: dbeba387c86a3ca26250d6537606d9b81ada83fa95231b7ad5d9c08fba326d1e2b1580e1890824cd58ebf72f334397dd86964fc525b07fa3b92a02f2cef4d8e0
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  Processes:
  resource | yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- Executes dropped EXE (1 IoC)
  Processes:
  pid | process
  628 | MediaCenter.exe
- Deletes itself (1 IoC)
  Processes:
  pid | process
  428 | cmd.exe
  The deletion is carried out by this cmd.exe child rather than by the sample itself: its command line, shown in the process tree below, removes the original sample file after a ping delay.
- Loads dropped DLL (1 IoC)
  Processes:
  pid  | process
  1796 | 15c79a753676b26983b9d1a5b66c2941fa03d64d4a550959868218c3eb3202ea.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 15c79a753676b26983b9d1a5b66c2941fa03d64d4a550959868218c3eb3202ea.exe
  The value lands under Wow6432Node because the 32-bit sample is registry-redirected on 64-bit Windows. It is the machine-wide HKLM Run key, so the successful write shows the sample had write access to the machine hive in this run, and the persisted binary is the dropped MediaCenter.exe in the user's Temp directory rather than the original sample.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox attaches its generic note "likely ransomware behaviour" to this heuristic; no IoC is listed for it here, and the family match on this page is Sakula, a remote-access trojan, so treat this entry as weak evidence on its own.
- Runs ping.exe (1 TTP, 1 IoC)
  The ping.exe instance is PID 1844 in the process tree below.
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 1796 | 15c79a753676b26983b9d1a5b66c2941fa03d64d4a550959868218c3eb3202ea.exe
  SeIncBasePriorityPrivilege only lets a process raise scheduling priority; benign software enables it routinely, so it is a low-value indicator by itself.
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
  description | pid | process | target process
  PID 1796 wrote to memory of 628 (4 events) | 1796 | 15c79a753676b26983b9d1a5b66c2941fa03d64d4a550959868218c3eb3202ea.exe | MediaCenter.exe
  PID 1796 wrote to memory of 428 (4 events) | 1796 | 15c79a753676b26983b9d1a5b66c2941fa03d64d4a550959868218c3eb3202ea.exe | cmd.exe
  PID 428 wrote to memory of 1844 (4 events) | 428 | cmd.exe | PING.EXE
  Every writer is the parent of its target and the targets are exactly the processes it has just spawned, which is consistent with process-creation plumbing rather than injection into an unrelated process; use this entry to corroborate the process tree, not as an independent finding.
Processes
- C:\Users\Admin\AppData\Local\Temp\15c79a753676b26983b9d1a5b66c2941fa03d64d4a550959868218c3eb3202ea.exe (PID 1796, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\15c79a753676b26983b9d1a5b66c2941fa03d64d4a550959868218c3eb3202ea.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 628, depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 428, depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\15c79a753676b26983b9d1a5b66c2941fa03d64d4a550959868218c3eb3202ea.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 1844, depth 3)
      Command line: ping 127.0.0.1
      - Runs ping.exe
Two details of the tree are worth reading correctly. The command line names System32\cmd.exe but the image that ran is SysWOW64\cmd.exe: the sample is a 32-bit process on 64-bit Windows, so file-system redirection substitutes the WOW64 copy (the same redirection is why its Run key sits under Wow6432Node). And "ping 127.0.0.1" ahead of "del /q" is the standard self-deletion idiom: the ping is only a delay so the original process has exited and released its file before the delete runs, leaving the dropped MediaCenter.exe (PID 628), the file the Run key persists, as the surviving component on disk.
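Detection logic for the two behaviours this tree and the Signatures section show (the ping-then-del self-deletion through cmd.exe, and a Run-key value that points into AppData\Local\Temp), added here as a worked example; it is not part of the sandbox report and not the sandbox vendor's code. The event records are constructed to mirror the process tree above, and the ProcEvent/RegSetEvent record shapes and the function names are assumptions made for the example.

```python
"""Detect the 'ping & del' self-deletion chain and Run-key persistence from Temp.

Event records are constructed to mirror the report's process tree; they are not
captured telemetry, and the record shapes are assumptions for this example."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # image path as the OS resolved it (WOW64 redirection already applied)
    cmdline: str


@dataclass(frozen=True)
class RegSetEvent:
    pid: int
    key: str        # full registry path of the value that was written
    data: str


# 'ping <anything> & del [/switches] <target>': the ping only buys time so the
# parent has exited before del runs.  Captures the deleted path, quoted or bare.
SELF_DELETE_RE = re.compile(
    r'\bping\b[^&]*&\s*del\b(?:\s+/\w+)*\s+"?(?P<target>[^"&]+?)"?\s*$',
    re.IGNORECASE,
)
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)


def norm_path(path: str) -> str:
    return path.strip().strip('"').lower()


def self_delete_target(cmdline: str) -> Optional[str]:
    """Return the path a 'ping ... & del ...' command line deletes, else None."""
    m = SELF_DELETE_RE.search(cmdline)
    return m.group("target") if m else None


def find_self_deletion(events: List[ProcEvent]) -> List[Tuple[int, str]]:
    """(pid, image) of each process whose cmd.exe child deletes that process's own image."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if not e.image.lower().endswith("\\cmd.exe"):
            continue
        target = self_delete_target(e.cmdline)
        parent = by_pid.get(e.ppid)
        # The match against the parent's own image is what separates self-deletion
        # from an ordinary script that pings a host and cleans up some other file.
        if target and parent and norm_path(parent.image) == norm_path(target):
            hits.append((parent.pid, parent.image))
    return hits


def find_temp_run_keys(events: List[RegSetEvent]) -> List[Tuple[int, str, str]]:
    """(pid, value name, target path) for Run-key values that launch something from Temp."""
    hits = []
    for r in events:
        if RUN_KEY_RE.search(r.key) and TEMP_DIR_RE.search(r.data):
            hits.append((r.pid, r.key.rsplit("\\", 1)[-1], r.data.strip('"')))
    return hits


# Constructed events shaped like the report's tree (assumed, not captured telemetry).
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE_EXE = TEMP + r"\15c79a753676b26983b9d1a5b66c2941fa03d64d4a550959868218c3eb3202ea.exe"
DROPPED_EXE = TEMP + r"\MicroMedia\MediaCenter.exe"

PROC_EVENTS = [
    ProcEvent(1796, 1000, SAMPLE_EXE, f'"{SAMPLE_EXE}"'),
    ProcEvent(628, 1796, DROPPED_EXE, DROPPED_EXE),
    ProcEvent(428, 1796, r"C:\Windows\SysWOW64\cmd.exe",
              f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE_EXE}"'),
    ProcEvent(1844, 428, r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.1"),
    # benign control: same ping-and-delete idiom, but the target is not the parent's image
    ProcEvent(2000, 1000, r"C:\Windows\System32\cmd.exe",
              r"cmd.exe /c ping 10.0.0.1 & del /q C:\Temp\old.log"),
]
REG_EVENTS = [
    RegSetEvent(1796, r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
                f'"{DROPPED_EXE}"'),
    # benign control: a Run value that points under Program Files
    RegSetEvent(3000, r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
                r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'),
]

if __name__ == "__main__":
    for pid, image in find_self_deletion(PROC_EVENTS):
        print(f"self-deletion: PID {pid} removed its own image {image}")
    for pid, name, target in find_temp_run_keys(REG_EVENTS):
        print(f"Temp persistence: PID {pid} set Run\\{name} -> {target}")
```

On real telemetry the image field should be the post-redirection path (SysWOW64 here, as in the report) and the comparison case-folded, which is what norm_path does; the two benign control records return no hits, so the rules key on the relationship between parent image and deleted file, not on the mere presence of ping and del in a command line.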
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: c0df397937bd0c700cf914b7f96ae8cd
  SHA1: 5df50f10e08ebd18652a7d95cb8129b45e913f37
  SHA256: 290d683d39519db6957f36212240b45a778101b67d2e48cf417d8975aa38d170
  SHA512: 0801dcdc35631eb4f9cdb3b822e5d7a60bd9cd454942b5292dc98d6c82d66e40f4d34b9519452446efb8a3512787e6d6d5b21c41d5a02de8fc744f0270a361e2
  These hashes differ from the submitted sample's, so this is a second artifact from the run; the page does not say which file it is.