Analysis
-
max time kernel
118s -
max time network
128s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
12-02-2022 04:18
Static task
static1
Behavioral task
behavioral1
Sample
158a52465055d0341a1002774af978ca77a5287e8bf2f04bb8b7a4d2a72e3401.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
158a52465055d0341a1002774af978ca77a5287e8bf2f04bb8b7a4d2a72e3401.exe
Resource
win10v2004-en-20220112
General
-
Target
158a52465055d0341a1002774af978ca77a5287e8bf2f04bb8b7a4d2a72e3401.exe
-
Size
80KB
-
MD5
baa957e90b1fed34bb0549a1ced98392
-
SHA1
8385d115b3a13f63320a5b7f39bff8fd24ba2fcd
-
SHA256
158a52465055d0341a1002774af978ca77a5287e8bf2f04bb8b7a4d2a72e3401
-
SHA512
6dec4f1670096a195ca404fcad00d8dc28a502a581675b5ff39ca859ae39aa056fa22b74be001df59c56c878bf90e13dc1bdbfd6f97e9ffc727d09bc2cce603a
Malware Config
Signatures
-
Sakula Payload 3 IoCs
Processes:
resource yara_rule \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula -
Executes dropped EXE 1 IoCs
Processes:
MediaCenter.exepid process 804 MediaCenter.exe -
Deletes itself 1 IoCs
Processes:
cmd.exepid process 640 cmd.exe -
Loads dropped DLL 2 IoCs
Processes:
158a52465055d0341a1002774af978ca77a5287e8bf2f04bb8b7a4d2a72e3401.exepid process 1564 158a52465055d0341a1002774af978ca77a5287e8bf2f04bb8b7a4d2a72e3401.exe 1564 158a52465055d0341a1002774af978ca77a5287e8bf2f04bb8b7a4d2a72e3401.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
158a52465055d0341a1002774af978ca77a5287e8bf2f04bb8b7a4d2a72e3401.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" 158a52465055d0341a1002774af978ca77a5287e8bf2f04bb8b7a4d2a72e3401.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
158a52465055d0341a1002774af978ca77a5287e8bf2f04bb8b7a4d2a72e3401.exedescription pid process Token: SeIncBasePriorityPrivilege 1564 158a52465055d0341a1002774af978ca77a5287e8bf2f04bb8b7a4d2a72e3401.exe -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
158a52465055d0341a1002774af978ca77a5287e8bf2f04bb8b7a4d2a72e3401.execmd.exedescription pid process target process PID 1564 wrote to memory of 804 1564 158a52465055d0341a1002774af978ca77a5287e8bf2f04bb8b7a4d2a72e3401.exe MediaCenter.exe PID 1564 wrote to memory of 804 1564 158a52465055d0341a1002774af978ca77a5287e8bf2f04bb8b7a4d2a72e3401.exe MediaCenter.exe PID 1564 wrote to memory of 804 1564 158a52465055d0341a1002774af978ca77a5287e8bf2f04bb8b7a4d2a72e3401.exe MediaCenter.exe PID 1564 wrote to memory of 804 1564 158a52465055d0341a1002774af978ca77a5287e8bf2f04bb8b7a4d2a72e3401.exe MediaCenter.exe PID 1564 wrote to memory of 640 1564 158a52465055d0341a1002774af978ca77a5287e8bf2f04bb8b7a4d2a72e3401.exe cmd.exe PID 1564 wrote to memory of 640 1564 158a52465055d0341a1002774af978ca77a5287e8bf2f04bb8b7a4d2a72e3401.exe cmd.exe PID 1564 wrote to memory of 640 1564 158a52465055d0341a1002774af978ca77a5287e8bf2f04bb8b7a4d2a72e3401.exe cmd.exe PID 1564 wrote to memory of 640 1564 158a52465055d0341a1002774af978ca77a5287e8bf2f04bb8b7a4d2a72e3401.exe cmd.exe PID 640 wrote to memory of 1116 640 cmd.exe PING.EXE PID 640 wrote to memory of 1116 640 cmd.exe PING.EXE PID 640 wrote to memory of 1116 640 cmd.exe PING.EXE PID 640 wrote to memory of 1116 640 cmd.exe PING.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\158a52465055d0341a1002774af978ca77a5287e8bf2f04bb8b7a4d2a72e3401.exe"C:\Users\Admin\AppData\Local\Temp\158a52465055d0341a1002774af978ca77a5287e8bf2f04bb8b7a4d2a72e3401.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1564 -
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeC:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe2⤵
- Executes dropped EXE
PID:804 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\158a52465055d0341a1002774af978ca77a5287e8bf2f04bb8b7a4d2a72e3401.exe"2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:640 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.13⤵
- Runs ping.exe
PID:1116
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
594f0000b7d4a8416132d93c9588bcf2
SHA1ff64f1ba7ffac619e953a7cf30fae0399ff05fe0
SHA2567f586640fb04e09085327148b4fabcc95fb85f65c44e632159422a0502e462be
SHA5122020a4876af38baa5caf754ee6e0e352d49cd6c8193bbe6541befc1e51c1b28c9d6af13a5467d48088d0540fa4016f4dfc8e6f87af88322e2bab3eca8e26447a
-
MD5
594f0000b7d4a8416132d93c9588bcf2
SHA1ff64f1ba7ffac619e953a7cf30fae0399ff05fe0
SHA2567f586640fb04e09085327148b4fabcc95fb85f65c44e632159422a0502e462be
SHA5122020a4876af38baa5caf754ee6e0e352d49cd6c8193bbe6541befc1e51c1b28c9d6af13a5467d48088d0540fa4016f4dfc8e6f87af88322e2bab3eca8e26447a
-
MD5
594f0000b7d4a8416132d93c9588bcf2
SHA1ff64f1ba7ffac619e953a7cf30fae0399ff05fe0
SHA2567f586640fb04e09085327148b4fabcc95fb85f65c44e632159422a0502e462be
SHA5122020a4876af38baa5caf754ee6e0e352d49cd6c8193bbe6541befc1e51c1b28c9d6af13a5467d48088d0540fa4016f4dfc8e6f87af88322e2bab3eca8e26447a