Analysis
- max time kernel: 147s
- max time network: 159s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 04:20
Static task: static1
Behavioral task: behavioral1
- Sample: 157bd4606a8c89497be76370c2b8a1e39bd1c0fd375fde4277c52685f7f5846c.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 157bd4606a8c89497be76370c2b8a1e39bd1c0fd375fde4277c52685f7f5846c.exe
- Resource: win10v2004-en-20220112
General
- Target: 157bd4606a8c89497be76370c2b8a1e39bd1c0fd375fde4277c52685f7f5846c.exe
- Size: 99KB
- MD5: f7232c289ce68b23ee08b8a951328671
- SHA1: 58b8e6ad0406b5aca509aaefbf7d34cf9b7e1dbf
- SHA256: 157bd4606a8c89497be76370c2b8a1e39bd1c0fd375fde4277c52685f7f5846c
- SHA512: 3397fa63b94202776478257f5a0b2622846acf7861d7fafcdd32e7cd784486f8a5b41a59ec5911116f4c67ab6a16a1020a2994f3fa7089208cdbddfae969f97f
Malware Config
Signatures
- Sakula Payload (3 IoCs)
  Processes (resource / yara_rule):
    \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe    family_sakula
    \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe    family_sakula
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  family_sakula
- Executes dropped EXE (1 IoC)
  Processes (pid / process):
    1632  MediaCenter.exe
- Deletes itself (1 IoC)
  Processes (pid / process):
    396  cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid / process):
    1272  157bd4606a8c89497be76370c2b8a1e39bd1c0fd375fde4277c52685f7f5846c.exe
    1272  157bd4606a8c89497be76370c2b8a1e39bd1c0fd375fde4277c52685f7f5846c.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description / ioc / process):
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  157bd4606a8c89497be76370c2b8a1e39bd1c0fd375fde4277c52685f7f5846c.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description / pid / process):
    Token: SeIncBasePriorityPrivilege  1272  157bd4606a8c89497be76370c2b8a1e39bd1c0fd375fde4277c52685f7f5846c.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description / pid / process / target process), each event reported 4 times:
    PID 1272 wrote to memory of 1632  1272  157bd4606a8c89497be76370c2b8a1e39bd1c0fd375fde4277c52685f7f5846c.exe  MediaCenter.exe
    PID 1272 wrote to memory of 396   1272  157bd4606a8c89497be76370c2b8a1e39bd1c0fd375fde4277c52685f7f5846c.exe  cmd.exe
    PID 396 wrote to memory of 1192   396   cmd.exe  PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\157bd4606a8c89497be76370c2b8a1e39bd1c0fd375fde4277c52685f7f5846c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\157bd4606a8c89497be76370c2b8a1e39bd1c0fd375fde4277c52685f7f5846c.exe"
  PID: 1272
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 1632
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\157bd4606a8c89497be76370c2b8a1e39bd1c0fd375fde4277c52685f7f5846c.exe"
    PID: 396
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 1192
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: fa79e609a244a4df09500ea3139707af
  SHA1: eb2ca7c638752f009693d010605dde1552dfd8ca
  SHA256: dc58c47928141e315c45c7420f4303ae0910fde1ddb5ccdae87ff824418e27d3
  SHA512: 16f8ab3137a63dcb077b5441a9c3bd4f113d725875580563da8b63ec7b2e34562c0bd85cdce5ce5b5eb0f02e918aedd90b4ac414e55556cba86fd6959ccdeaea