Analysis
- max time kernel: 155s
- max time network: 173s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 04:21
Static task: static1
Behavioral task: behavioral1
- Sample: 1571a251b891d020f4bd7c5dda427aef494731b54667061090a4bdde55ea951f.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 1571a251b891d020f4bd7c5dda427aef494731b54667061090a4bdde55ea951f.exe
- Resource: win10v2004-en-20220113
The signature hits and process tree on this page reference behavioral1 (the Windows 7 x64 run); the Windows 10 run is not detailed here.
General
- Target: 1571a251b891d020f4bd7c5dda427aef494731b54667061090a4bdde55ea951f.exe
- Size: 220KB
- MD5: dfb265994491e781af2ed22d8d90f2ba
- SHA1: d58ad0ca27f124cce2ddeedd4011d4a6d8395b6d
- SHA256: 1571a251b891d020f4bd7c5dda427aef494731b54667061090a4bdde55ea951f
- SHA512: 5ef8741961068b325fe61c0c843a90c1bde04cd427368e19c079597f07cadbd108c9b1fd177360524094a2de67f03cd4362526052b12e7b58c1a6939d6a6703b
Malware Config
Signatures
-
- Sakula Payload (4 IoCs)
  resource -> yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe -> family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe -> family_sakula
  behavioral1/memory/1488-59-0x0000000000400000-0x0000000000420000-memory.dmp -> family_sakula
  behavioral1/memory/1660-60-0x0000000000400000-0x0000000000420000-memory.dmp -> family_sakula
  The rule matches the dropped MediaCenter.exe on disk and the 0x400000-0x420000 image region of both the dropper (PID 1488) and the dropped process (PID 1660), so the dropper's own image carries the Sakula code rather than only writing it out.
- Executes dropped EXE (1 IoC)
  process: MediaCenter.exe, PID 1660
- Deletes itself (1 IoC)
  process: cmd.exe, PID 1124
- Loads dropped DLL (1 IoC)
  process: 1571a251b891d020f4bd7c5dda427aef494731b54667061090a4bdde55ea951f.exe, PID 1488
- Adds Run key to start application (2 TTPs, 1 IoC)
  process: 1571a251b891d020f4bd7c5dda427aef494731b54667061090a4bdde55ea951f.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
  The Wow6432Node path shows the dropper is a 32-bit process on the x64 guest; a 64-bit view of the registry sees the same value under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run via WoW64 redirection. Writing to HKLM requires the sandbox's Admin account; the autostart target sits in the user's Temp directory, which is itself a strong indicator.
- Enumerates physical storage devices (1 TTP)
  Sandbox description: attempts to interact with connected storage/optical drive(s); the tool labels this "likely ransomware behaviour". That text is the generic description for this signature, not a verdict on the sample: drive enumeration alone is not ransomware-specific, and the payload here is tagged family_sakula, a remote-access trojan.
- Runs ping.exe (1 TTP, 1 IoC)
  process: PING.EXE, PID 2008 (see the process tree below; used as a delay before the self-delete)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  process: 1571a251b891d020f4bd7c5dda427aef494731b54667061090a4bdde55ea951f.exe, PID 1488
  token: SeIncBasePriorityPrivilege
- Suspicious use of WriteProcessMemory (12 IoCs)
  PID 1488 (1571a251b891d020f4bd7c5dda427aef494731b54667061090a4bdde55ea951f.exe) wrote to memory of PID 1660 (MediaCenter.exe), 4 events
  PID 1488 (1571a251b891d020f4bd7c5dda427aef494731b54667061090a4bdde55ea951f.exe) wrote to memory of PID 1124 (cmd.exe), 4 events
  PID 1124 (cmd.exe) wrote to memory of PID 2008 (PING.EXE), 4 events
  Every write target is a direct child of the writer, and the four-per-child pattern is consistent with the writes a parent performs while creating a child process rather than with code injection into an existing process. Treat this signature as corroborating the process tree, not as separate injection evidence.
Processes
- C:\Users\Admin\AppData\Local\Temp\1571a251b891d020f4bd7c5dda427aef494731b54667061090a4bdde55ea951f.exe (PID 1488)
  command line: "C:\Users\Admin\AppData\Local\Temp\1571a251b891d020f4bd7c5dda427aef494731b54667061090a4bdde55ea951f.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 1660, child of 1488)
    command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 1124, child of 1488)
    command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\1571a251b891d020f4bd7c5dda427aef494731b54667061090a4bdde55ea951f.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 2008, child of 1124)
      command line: ping 127.0.0.1
      - Runs ping.exe
The command line names System32\cmd.exe but the image that runs is SysWOW64\cmd.exe: the 32-bit dropper is subject to WoW64 file-system redirection. The ping to 127.0.0.1 is a sleep of a few seconds so the dropper has exited, and its file handle is closed, before del /q removes the original executable; the persistence copy MediaCenter.exe in Temp\MicroMedia and its Run value survive.
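The three behaviours this report hangs together, a Run value pointing into a user-writable directory, a dropped executable launched from that directory, and a cmd.exe "ping & del" self-delete of the parent image, can be checked mechanically in endpoint telemetry. The following is an added example and not part of the sandbox report or its tooling: a small Python detector run over constructed Sysmon-style records. The dictionary shape and field names (event_id, pid, ppid, image, command_line, target_object, details) are assumptions for this example; the paths, PIDs, command lines and Run value are taken from the report, and the Program Files entry is a constructed benign control.

```python
import re

# Constructed Sysmon-style records (event_id 1 = process create, 13 = registry
# value set). Field names are assumptions for this example; values come from
# the report except the final benign control entry.
EVENTS = [
    {"event_id": 1, "pid": 1488, "ppid": 900,
     "image": r"C:\Users\Admin\AppData\Local\Temp\1571a251b891d020f4bd7c5dda427aef494731b54667061090a4bdde55ea951f.exe",
     "command_line": r'"C:\Users\Admin\AppData\Local\Temp\1571a251b891d020f4bd7c5dda427aef494731b54667061090a4bdde55ea951f.exe"'},
    {"event_id": 13, "pid": 1488,
     "target_object": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "details": r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"},
    {"event_id": 1, "pid": 1660, "ppid": 1488,
     "image": r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe",
     "command_line": r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"},
    {"event_id": 1, "pid": 1124, "ppid": 1488,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "command_line": r'"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\1571a251b891d020f4bd7c5dda427aef494731b54667061090a4bdde55ea951f.exe"'},
    {"event_id": 1, "pid": 2008, "ppid": 1124,
     "image": r"C:\Windows\SysWOW64\PING.EXE",
     "command_line": r"ping 127.0.0.1"},
    # Constructed benign control: a Run value into Program Files must not fire.
    {"event_id": 13, "pid": 700,
     "target_object": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "details": r"C:\Program Files\Vendor\updater.exe"},
]

# Run / RunOnce keys under HKLM or HKCU, with or without the Wow6432Node redirect.
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
# "ping <host> & del ...": ping used as a sleep so the caller has exited before del runs.
PING_DEL_RE = re.compile(r"\bping\b[^&]*&\s*del\b", re.IGNORECASE)
# Directories a standard user can write to; autostart entries pointing here are suspect.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\users\\public\\")


def is_user_writable(path):
    return any(seg in path.lower() for seg in USER_WRITABLE)


def quoted_args(command_line):
    """Return the double-quoted arguments of a command line."""
    return re.findall(r'"([^"]+)"', command_line)


def analyze(events):
    """Return (rule, pid, detail) tuples for the behaviours seen in the report."""
    procs = {e["pid"]: e for e in events if e["event_id"] == 1}
    findings = []
    for e in events:
        if e["event_id"] == 13:
            if RUN_KEY_RE.search(e["target_object"]):
                target = e["details"].strip('"')
                if is_user_writable(target):
                    findings.append(("run_key_to_user_writable_dir", e["pid"], target))
            continue
        if e["event_id"] != 1:
            continue
        image, parent = e["image"], procs.get(e.get("ppid"))
        # A binary in a user-writable directory launched by a parent that also lives there.
        if parent and is_user_writable(image) and is_user_writable(parent["image"]):
            findings.append(("dropped_exe_executed", e["pid"], image))
        if image.lower().endswith("\\cmd.exe") and PING_DEL_RE.search(e["command_line"]):
            deleted = [p for p in quoted_args(e["command_line"]) if p.lower().endswith(".exe")]
            if parent and any(p.lower() == parent["image"].lower() for p in deleted):
                # The del target is the parent's own image: the dropper is removing itself.
                findings.append(("self_delete_via_ping_delay", parent["pid"], parent["image"]))
            else:
                findings.append(("ping_delay_then_del", e["pid"], e["command_line"]))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in analyze(EVENTS):
        print(f"{rule:30} pid={pid} {detail}")
```

The self-delete rule deliberately resolves the del target against the parent's image rather than matching the command line alone: "ping & del" is also used by legitimate installers to clean up, so the finding is only escalated to self_delete_via_ping_delay when the file being deleted is the process that spawned cmd.exe, exactly the relation the process tree above shows between PID 1488 and PID 1124.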
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 6279378864583ac44bb7b56a460fcee5
  SHA1: 7e3a60b6b6578b0a2016efcfa8f07004272de33e
  SHA256: d4abc5ede32bd2f01d3c07f8d2ba248837ceca84cf2db7f8d60e85723940cfb3
  SHA512: 6b9e905bd9b5fe926c96bb48df1464e0fce4705930c3adcd303e41468d813536c787d00d83663ca350729ce460179950cdda62bbe0393c0336d833aa2bba0de0
  These digests differ from the submitted sample's, so this is an artifact produced during the run rather than the sample itself.