Analysis
- max time kernel: 155s
- max time network: 181s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 04:21
Static task: static1
Behavioral task: behavioral1
  Sample: 1577c6a920f0deb90eb9c3024bcdc2afffbb8e3cc2c3bf213d3dd9af118c14f2.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 1577c6a920f0deb90eb9c3024bcdc2afffbb8e3cc2c3bf213d3dd9af118c14f2.exe
  Resource: win10v2004-en-20220113
General
- Target: 1577c6a920f0deb90eb9c3024bcdc2afffbb8e3cc2c3bf213d3dd9af118c14f2.exe
- Size: 79KB
- MD5: c8693ada4829a336a37cad7a2e991d59
- SHA1: 330add13cf4bcff0176a2605c181de95714fcf0c
- SHA256: 1577c6a920f0deb90eb9c3024bcdc2afffbb8e3cc2c3bf213d3dd9af118c14f2
- SHA512: a383b6f117905f0666f04e51ef3bc5cbde3ee8a22987874f5efad2aa3de58a088dd8dc0f0dc3fa4c8828a54acac5f1206ab7d8407b74acf14dc9018d5768976d
Malware Config
Signatures
- Sakula Payload (3 IoCs)
  Processes (resource / yara_rule):
    \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  family_sakula
    \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  family_sakula
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  family_sakula
- Executes dropped EXE (1 IoC)
  Processes (pid / process):
    1680  MediaCenter.exe
- Deletes itself (1 IoC)
  Processes (pid / process):
    812  cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid / process):
    1568  1577c6a920f0deb90eb9c3024bcdc2afffbb8e3cc2c3bf213d3dd9af118c14f2.exe
    1568  1577c6a920f0deb90eb9c3024bcdc2afffbb8e3cc2c3bf213d3dd9af118c14f2.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description / ioc / process):
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  1577c6a920f0deb90eb9c3024bcdc2afffbb8e3cc2c3bf213d3dd9af118c14f2.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description / pid / process):
    Token: SeIncBasePriorityPrivilege  1568  1577c6a920f0deb90eb9c3024bcdc2afffbb8e3cc2c3bf213d3dd9af118c14f2.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description / pid / process / target process):
    PID 1568 wrote to memory of 1680  1568  1577c6a920f0deb90eb9c3024bcdc2afffbb8e3cc2c3bf213d3dd9af118c14f2.exe  MediaCenter.exe  (reported 4 times)
    PID 1568 wrote to memory of 812   1568  1577c6a920f0deb90eb9c3024bcdc2afffbb8e3cc2c3bf213d3dd9af118c14f2.exe  cmd.exe  (reported 4 times)
    PID 812 wrote to memory of 1168   812   cmd.exe  PING.EXE  (reported 4 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\1577c6a920f0deb90eb9c3024bcdc2afffbb8e3cc2c3bf213d3dd9af118c14f2.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1577c6a920f0deb90eb9c3024bcdc2afffbb8e3cc2c3bf213d3dd9af118c14f2.exe"
  PID: 1568
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Children:
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 1680
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\1577c6a920f0deb90eb9c3024bcdc2afffbb8e3cc2c3bf213d3dd9af118c14f2.exe"
    PID: 812
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    Children:
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 1168
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- (one dropped file, reported three times with identical hashes)
  MD5: 2fc9471e6652571e49193fa9dd481080
  SHA1: c3cab6a3799f8f2111c86728b2dc044a8947d07a
  SHA256: c40ea660197f7834ba34b7ada2273fde2b2e7f0e6e7c404874ea2256655db894
  SHA512: a3f07da897784876368a0b57879d7d22ffc731633e8f12ea5c4191a9557a5697efe2bfb8dfee20ee0f4c66812f4092f4adb8e6ac6dc59ec83acb0fb124b773b2