Analysis
max time kernel: 153s
max time network: 175s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 04:13
Static task: static1
Behavioral task: behavioral1
  Sample: 15c3a50c17a174cd6610c7d1519e40b5d8f8a34cf3a925142fdd6929c9e467d6.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 15c3a50c17a174cd6610c7d1519e40b5d8f8a34cf3a925142fdd6929c9e467d6.exe
  Resource: win10v2004-en-20220112
General
Target: 15c3a50c17a174cd6610c7d1519e40b5d8f8a34cf3a925142fdd6929c9e467d6.exe
Size: 89KB
MD5: c4fff953e8bac82ec7abb433c5f377ec
SHA1: 598d9cb35e7d90f8895077c0797606f21fd36caf
SHA256: 15c3a50c17a174cd6610c7d1519e40b5d8f8a34cf3a925142fdd6929c9e467d6
SHA512: f05b7afe3d258cc73a9576dd418b1aba08905ced36a640d071d3c978e54bbce236f493db8083ed5e47b42d6f6cf90368816b5624d8d6a330f242eb0b95e28a16
Malware Config
Signatures
All IoCs below come from behavioral1 (Windows 7 x64); this page shows no findings for behavioral2 (Windows 10).

Sakula Payload (4 IoCs)
yara rule family_sakula matched:
- \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
- behavioral1/memory/788-59-0x0000000000400000-0x000000000041B000-memory.dmp
- behavioral1/memory/1628-60-0x0000000000400000-0x000000000041B000-memory.dmp
Both memory dumps cover the same 0x400000-0x41B000 image range, once in the submitted sample (PID 788) and once in the dropped MediaCenter.exe (PID 1628), which is consistent with the dropped file carrying the same payload as the submitted sample.

Executes dropped EXE (1 IoC)
- MediaCenter.exe, PID 1628

Deletes itself (1 IoC)
- cmd.exe, PID 2044

Loads dropped DLL (1 IoC)
- 15c3a50c17a174cd6610c7d1519e40b5d8f8a34cf3a925142fdd6929c9e467d6.exe, PID 788

Adds Run key to start application (2 TTPs, 1 IoC)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" by 15c3a50c17a174cd6610c7d1519e40b5d8f8a34cf3a925142fdd6929c9e467d6.exe
The value lands under Wow6432Node because the sample runs as a 32-bit process on a 64-bit host; when hunting for it on 64-bit systems, check both the native and the Wow6432Node Run keys.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
(Generic signature description: this heuristic fires on any storage enumeration. The family match above is Sakula, so the ransomware wording should not be read as a classification of this sample.)

Runs ping.exe (1 TTP, 1 IoC)
- PING.EXE, PID 2040 (ping 127.0.0.1, used as a delay before the self-delete; see the process tree below)

Suspicious use of AdjustPrivilegeToken (1 IoC)
- Token: SeIncBasePriorityPrivilege, PID 788, 15c3a50c17a174cd6610c7d1519e40b5d8f8a34cf3a925142fdd6929c9e467d6.exe

Suspicious use of WriteProcessMemory (12 IoCs)
Four writes were logged for each parent/child pair:
- PID 788 (15c3a50c17a174cd6610c7d1519e40b5d8f8a34cf3a925142fdd6929c9e467d6.exe) wrote to memory of PID 1628 (MediaCenter.exe)
- PID 788 (15c3a50c17a174cd6610c7d1519e40b5d8f8a34cf3a925142fdd6929c9e467d6.exe) wrote to memory of PID 2044 (cmd.exe)
- PID 2044 (cmd.exe) wrote to memory of PID 2040 (PING.EXE)
Every target is a child the writing process had just created, which is what process creation itself looks like in this telemetry; nothing here indicates injection into an unrelated process.
Processes
C:\Users\Admin\AppData\Local\Temp\15c3a50c17a174cd6610c7d1519e40b5d8f8a34cf3a925142fdd6929c9e467d6.exe (PID 788)
  command line: "C:\Users\Admin\AppData\Local\Temp\15c3a50c17a174cd6610c7d1519e40b5d8f8a34cf3a925142fdd6929c9e467d6.exe"
  Loads dropped DLL; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  |- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 1628)
  |    command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  |    Executes dropped EXE
  |- C:\Windows\SysWOW64\cmd.exe (PID 2044)
       command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\15c3a50c17a174cd6610c7d1519e40b5d8f8a34cf3a925142fdd6929c9e467d6.exe"
       Deletes itself; Suspicious use of WriteProcessMemory
       |- C:\Windows\SysWOW64\PING.EXE (PID 2040)
            command line: ping 127.0.0.1
            Runs ping.exe

The dropper requests C:\Windows\System32\cmd.exe but the process that runs is C:\Windows\SysWOW64\cmd.exe: WOW64 file-system redirection applies because the sample is 32-bit, the same mechanism that sent its Run key under Wow6432Node. The ping 127.0.0.1 is only a delay so that the dropper has exited before del /q removes its file; the dropped MediaCenter.exe stays behind as the persistent copy.
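The two behaviours in this tree worth turning into a hunt are the Run value pointing into %TEMP% and cmd.exe deleting its own parent's image after a ping delay. The Python below is an added example and not part of the sandbox output: it runs both detections over a few constructed Sysmon-style process and registry events modelled on the tree above. The event field names (type, pid, ppid, image, cmdline, key, value), the parent PID 1200 and the benign "Updater" control entry are assumptions.

```python
"""Added example: two hunts derived from the behaviours in this report.
Events are constructed Sysmon-style records modelled on the process tree
above; field names and the benign control entry are assumptions."""
import re

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\15c3a50c17a174cd6610c7d1519e40b5d8f8a34cf3a925142fdd6929c9e467d6.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

# Constructed telemetry (not real sandbox output). PIDs follow the report.
EVENTS = [
    {"type": "process", "pid": 788, "ppid": 1200, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"type": "process", "pid": 1628, "ppid": 788, "image": DROPPED, "cmdline": DROPPED},
    {"type": "process", "pid": 2044, "ppid": 788, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"'},
    {"type": "process", "pid": 2040, "ppid": 2044, "image": r"C:\Windows\SysWOW64\PING.EXE",
     "cmdline": "ping 127.0.0.1"},
    {"type": "registry", "pid": 788,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "value": DROPPED},
    # Benign control (assumed): an installer registering a Run value under Program Files.
    {"type": "registry", "pid": 900,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
     "value": r"C:\Program Files\Vendor\updater.exe"},
]

# "ping <host> ... & del [/switches] <path>": the delay-then-delete idiom in the tree above.
SELF_DELETE_RE = re.compile(r'ping\s+\S+.*?&\s*del\s+(?:/\w+\s+)*"?([^"&]+?)"?\s*$', re.IGNORECASE)
# Run/RunOnce under either the native or the Wow6432Node view of the hive.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(?:Once)?\\", re.IGNORECASE)
# Locations a non-admin process can write to; a Run value pointing here is the suspicious part.
USER_WRITABLE_RE = re.compile(
    r"\\(?:AppData\\Local\\Temp|Windows\\Temp|ProgramData|Users\\Public)\\", re.IGNORECASE)


def _norm(path):
    """Strip surrounding quotes/whitespace and lowercase for path comparison."""
    return path.strip().strip('"').lower()


def find_self_delete(events):
    """Return (cmd_pid, parent_pid, deleted_path) for each cmd.exe whose
    'ping ... & del ...' command line removes the image of its own parent."""
    image_by_pid = {e["pid"]: _norm(e["image"]) for e in events if e["type"] == "process"}
    hits = []
    for e in events:
        if e["type"] != "process" or not image_by_pid[e["pid"]].endswith("\\cmd.exe"):
            continue
        m = SELF_DELETE_RE.search(e["cmdline"])
        if m is None:
            continue
        target = _norm(m.group(1))
        # Only a hit when the deleted file is the parent's own image, not any del.
        if image_by_pid.get(e["ppid"]) == target:
            hits.append((e["pid"], e["ppid"], target))
    return hits


def find_temp_run_keys(events):
    """Return (pid, value_name, target) for Run/RunOnce values whose target
    lives in a user-writable directory."""
    hits = []
    for e in events:
        if e["type"] != "registry" or RUN_KEY_RE.search(e["key"]) is None:
            continue
        target = _norm(e["value"])
        if USER_WRITABLE_RE.search(target):
            hits.append((e["pid"], e["key"].rsplit("\\", 1)[-1], target))
    return hits


if __name__ == "__main__":
    for hit in find_self_delete(EVENTS):
        print("self-delete: cmd pid %d removed parent pid %d image %s" % hit)
    for hit in find_temp_run_keys(EVENTS):
        print("run key from pid %d: %s -> %s" % hit)
```

The self-delete check fires only when the path handed to del is the image of the cmd.exe parent, which keeps ordinary cleanup scripts out of the results. The Run-key check keys on the target living in a user-writable directory rather than on the key name, so the control entry written into Program Files is not flagged while the MicroMedia value under Wow6432Node is.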
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: 5c023b3e3d12f18561fc6e011a74a23c
SHA1: 69b5421df293f0bb8c4060be450a1c2c024b8449
SHA256: 3fe0df7405b8fd13d6d19c176800eb4f731e92318c365dc73a27917e42e58a09
SHA512: 0467842f34b06635902accb3d58ef7c57be62080713aff9972000d490da4b59323f874018a16c8017cd2f5e2f95d1b36503f9a9ce395c5accbc6fb5484bc2c02
These hashes differ from the submitted sample's (see General above), so this entry is a separate artifact from the run; the page does not state which file it is.