Analysis
- max time kernel: 126s
- max time network: 139s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 04:15
Behavioral task: behavioral1
  Sample: 15ad29cf58a63b4e32dd4244e7c92569eb826826df451d0481efea72f52b7911.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 15ad29cf58a63b4e32dd4244e7c92569eb826826df451d0481efea72f52b7911.exe
  Resource: win10v2004-en-20220113
General
- Target: 15ad29cf58a63b4e32dd4244e7c92569eb826826df451d0481efea72f52b7911.exe
- Size: 212KB
- MD5: 7bbf76dd54f96bb17f9bfb90fbfdc21f
- SHA1: 4949df6788c290c37d0e535ee29d8014033b72b8
- SHA256: 15ad29cf58a63b4e32dd4244e7c92569eb826826df451d0481efea72f52b7911
- SHA512: 40497ac60e6652d148b602f2161526aef61e442d862b46b93477ee52452f4974cdbae626a020226176239e973f080b9f324ea7dd41ce720023be41dd7f70f998
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  Processes:
  resource | yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- Executes dropped EXE (1 IoC)
  Processes:
  pid | process
  1656 | MediaCenter.exe
- Processes:
  resource | yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | upx
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | upx
- Deletes itself (1 IoC)
  Processes:
  pid | process
  856 | cmd.exe
- Loads dropped DLL (1 IoC)
  Processes:
  pid | process
  1488 | 15ad29cf58a63b4e32dd4244e7c92569eb826826df451d0481efea72f52b7911.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 15ad29cf58a63b4e32dd4244e7c92569eb826826df451d0481efea72f52b7911.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 1488 | 15ad29cf58a63b4e32dd4244e7c92569eb826826df451d0481efea72f52b7911.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
  description | pid | process | target process
  PID 1488 wrote to memory of 1656 | 1488 | 15ad29cf58a63b4e32dd4244e7c92569eb826826df451d0481efea72f52b7911.exe | MediaCenter.exe
  PID 1488 wrote to memory of 1656 | 1488 | 15ad29cf58a63b4e32dd4244e7c92569eb826826df451d0481efea72f52b7911.exe | MediaCenter.exe
  PID 1488 wrote to memory of 1656 | 1488 | 15ad29cf58a63b4e32dd4244e7c92569eb826826df451d0481efea72f52b7911.exe | MediaCenter.exe
  PID 1488 wrote to memory of 1656 | 1488 | 15ad29cf58a63b4e32dd4244e7c92569eb826826df451d0481efea72f52b7911.exe | MediaCenter.exe
  PID 1488 wrote to memory of 856 | 1488 | 15ad29cf58a63b4e32dd4244e7c92569eb826826df451d0481efea72f52b7911.exe | cmd.exe
  PID 1488 wrote to memory of 856 | 1488 | 15ad29cf58a63b4e32dd4244e7c92569eb826826df451d0481efea72f52b7911.exe | cmd.exe
  PID 1488 wrote to memory of 856 | 1488 | 15ad29cf58a63b4e32dd4244e7c92569eb826826df451d0481efea72f52b7911.exe | cmd.exe
  PID 1488 wrote to memory of 856 | 1488 | 15ad29cf58a63b4e32dd4244e7c92569eb826826df451d0481efea72f52b7911.exe | cmd.exe
  PID 856 wrote to memory of 1816 | 856 | cmd.exe | PING.EXE
  PID 856 wrote to memory of 1816 | 856 | cmd.exe | PING.EXE
  PID 856 wrote to memory of 1816 | 856 | cmd.exe | PING.EXE
  PID 856 wrote to memory of 1816 | 856 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\15ad29cf58a63b4e32dd4244e7c92569eb826826df451d0481efea72f52b7911.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\15ad29cf58a63b4e32dd4244e7c92569eb826826df451d0481efea72f52b7911.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1488
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (level 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1656
  - C:\Windows\SysWOW64\cmd.exe (level 2)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\15ad29cf58a63b4e32dd4244e7c92569eb826826df451d0481efea72f52b7911.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 856
    - C:\Windows\SysWOW64\PING.EXE (level 3)
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1816
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: e208d572d4764d94e05d3b0764ec79bc
  SHA1: 43b483d39f0c52fcac59a85d916973e96a340336
  SHA256: c41821a593d3983d1a66bac2a156f451afa853443ca330bf3886b280932cfbd8
  SHA512: ada1f1a031f2963512673311a9882617bd865ae12054263b8f1d03485371f883b741e10431a5e9bb5e4bb81feb3d0351f693137047cf9f38dc6e5f6460aee1b1