Analysis

max time kernel: 139s
max time network: 170s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 04:16

Static task: static1

Behavioral task: behavioral1
Sample: 15a4b6c379bcd3c896d474fbc2760e23f96c3a23ad93a3e9ba4aea01758f8ac9.exe
Resource: win7-en-20211208

Behavioral task: behavioral2
Sample: 15a4b6c379bcd3c896d474fbc2760e23f96c3a23ad93a3e9ba4aea01758f8ac9.exe
Resource: win10v2004-en-20220113
General

Target: 15a4b6c379bcd3c896d474fbc2760e23f96c3a23ad93a3e9ba4aea01758f8ac9.exe
Size: 104KB
MD5: 81d356647a59f9c07470b19d926f275a
SHA1: 01713cf6de30480c037f8be0279545f99900c367
SHA256: 15a4b6c379bcd3c896d474fbc2760e23f96c3a23ad93a3e9ba4aea01758f8ac9
SHA512: 933714a5212d70dc59c3a8013d7564fafeb4507cc5fc2fb51216f079b9ec04e1aebf580549eff0e6d5171f1e3b80480c5e260344a13c22d4c75265c879004f78
Malware Config

Signatures

Sakula Payload (3 IoCs)
Processes:
resource | yara_rule
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
Executes dropped EXE (1 IoCs)
Processes:
pid | process
952 | MediaCenter.exe
Deletes itself (1 IoCs)
Processes:
pid | process
1928 | cmd.exe
Loads dropped DLL (2 IoCs)
Processes:
pid | process
1632 | 15a4b6c379bcd3c896d474fbc2760e23f96c3a23ad93a3e9ba4aea01758f8ac9.exe
1632 | 15a4b6c379bcd3c896d474fbc2760e23f96c3a23ad93a3e9ba4aea01758f8ac9.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 15a4b6c379bcd3c896d474fbc2760e23f96c3a23ad93a3e9ba4aea01758f8ac9.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTPs, 1 IoCs)
Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes:
description | pid | process
Token: SeIncBasePriorityPrivilege | 1632 | 15a4b6c379bcd3c896d474fbc2760e23f96c3a23ad93a3e9ba4aea01758f8ac9.exe
Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
description | pid | process | target process
PID 1632 wrote to memory of 952 | 1632 | 15a4b6c379bcd3c896d474fbc2760e23f96c3a23ad93a3e9ba4aea01758f8ac9.exe | MediaCenter.exe
PID 1632 wrote to memory of 952 | 1632 | 15a4b6c379bcd3c896d474fbc2760e23f96c3a23ad93a3e9ba4aea01758f8ac9.exe | MediaCenter.exe
PID 1632 wrote to memory of 952 | 1632 | 15a4b6c379bcd3c896d474fbc2760e23f96c3a23ad93a3e9ba4aea01758f8ac9.exe | MediaCenter.exe
PID 1632 wrote to memory of 952 | 1632 | 15a4b6c379bcd3c896d474fbc2760e23f96c3a23ad93a3e9ba4aea01758f8ac9.exe | MediaCenter.exe
PID 1632 wrote to memory of 1928 | 1632 | 15a4b6c379bcd3c896d474fbc2760e23f96c3a23ad93a3e9ba4aea01758f8ac9.exe | cmd.exe
PID 1632 wrote to memory of 1928 | 1632 | 15a4b6c379bcd3c896d474fbc2760e23f96c3a23ad93a3e9ba4aea01758f8ac9.exe | cmd.exe
PID 1632 wrote to memory of 1928 | 1632 | 15a4b6c379bcd3c896d474fbc2760e23f96c3a23ad93a3e9ba4aea01758f8ac9.exe | cmd.exe
PID 1632 wrote to memory of 1928 | 1632 | 15a4b6c379bcd3c896d474fbc2760e23f96c3a23ad93a3e9ba4aea01758f8ac9.exe | cmd.exe
PID 1928 wrote to memory of 1636 | 1928 | cmd.exe | PING.EXE
PID 1928 wrote to memory of 1636 | 1928 | cmd.exe | PING.EXE
PID 1928 wrote to memory of 1636 | 1928 | cmd.exe | PING.EXE
PID 1928 wrote to memory of 1636 | 1928 | cmd.exe | PING.EXE
Processes

C:\Users\Admin\AppData\Local\Temp\15a4b6c379bcd3c896d474fbc2760e23f96c3a23ad93a3e9ba4aea01758f8ac9.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\15a4b6c379bcd3c896d474fbc2760e23f96c3a23ad93a3e9ba4aea01758f8ac9.exe"
  PID: 1632
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 952
    - Executes dropped EXE

  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\15a4b6c379bcd3c896d474fbc2760e23f96c3a23ad93a3e9ba4aea01758f8ac9.exe"
    PID: 1928
    - Deletes itself
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 1636
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads

MD5: 3e01cd69764e368c9b794834ee719245
SHA1: 6f625332dfa46d1c035b2ddf3743a09eca186005
SHA256: e8654c59ef99d7d765b62169ba5ce388b95a89c1fea74678580c7276be94b64b
SHA512: a732373948694400bddfd9599106d824a10066e75beb38055a9c8c27d81ea1bc0badf2a64320ed755629370d174cca0f1700c2b4323d707326681dd845bb00fa