Analysis
max time kernel: 122s
max time network: 134s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 04:21

Static task: static1

Behavioral task: behavioral1
Sample: 15779b21660c32d7bab65ae82aa2279ba9edeb3c8bd84c091cbcd5aec8ffcaa5.exe
Resource: win7-en-20211208

Behavioral task: behavioral2
Sample: 15779b21660c32d7bab65ae82aa2279ba9edeb3c8bd84c091cbcd5aec8ffcaa5.exe
Resource: win10v2004-en-20220113
General
Target: 15779b21660c32d7bab65ae82aa2279ba9edeb3c8bd84c091cbcd5aec8ffcaa5.exe
Size: 192KB
MD5: afb2579aff74db141ded5ead3fa20e66
SHA1: 3ca2e7e640630426d5c413fb8a96fb0687b0c6b5
SHA256: 15779b21660c32d7bab65ae82aa2279ba9edeb3c8bd84c091cbcd5aec8ffcaa5
SHA512: bb83efb60f6ecf8d5c2544c7961ae546226b2ff5742671524df908d65fee75d58fbfe8aed23bf68efb8d30c4a49560c7fb694ccb26bb24ef85eacafb40776d99
Malware Config
Signatures

Sakula Payload (3 IoCs)
Processes:
  resource | yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula

Executes dropped EXE (1 IoCs)
Processes:
  pid | process
  1576 | MediaCenter.exe

Deletes itself (1 IoCs)
Processes:
  pid | process
  432 | cmd.exe

Loads dropped DLL (2 IoCs)
Processes:
  pid | process
  1664 | 15779b21660c32d7bab65ae82aa2279ba9edeb3c8bd84c091cbcd5aec8ffcaa5.exe
  1664 | 15779b21660c32d7bab65ae82aa2279ba9edeb3c8bd84c091cbcd5aec8ffcaa5.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 15779b21660c32d7bab65ae82aa2279ba9edeb3c8bd84c091cbcd5aec8ffcaa5.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTPs, 1 IoCs)

Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes:
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 1664 | 15779b21660c32d7bab65ae82aa2279ba9edeb3c8bd84c091cbcd5aec8ffcaa5.exe

Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
  description | pid | process | target process
  PID 1664 wrote to memory of 1576 | 1664 | 15779b21660c32d7bab65ae82aa2279ba9edeb3c8bd84c091cbcd5aec8ffcaa5.exe | MediaCenter.exe
  PID 1664 wrote to memory of 1576 | 1664 | 15779b21660c32d7bab65ae82aa2279ba9edeb3c8bd84c091cbcd5aec8ffcaa5.exe | MediaCenter.exe
  PID 1664 wrote to memory of 1576 | 1664 | 15779b21660c32d7bab65ae82aa2279ba9edeb3c8bd84c091cbcd5aec8ffcaa5.exe | MediaCenter.exe
  PID 1664 wrote to memory of 1576 | 1664 | 15779b21660c32d7bab65ae82aa2279ba9edeb3c8bd84c091cbcd5aec8ffcaa5.exe | MediaCenter.exe
  PID 1664 wrote to memory of 432 | 1664 | 15779b21660c32d7bab65ae82aa2279ba9edeb3c8bd84c091cbcd5aec8ffcaa5.exe | cmd.exe
  PID 1664 wrote to memory of 432 | 1664 | 15779b21660c32d7bab65ae82aa2279ba9edeb3c8bd84c091cbcd5aec8ffcaa5.exe | cmd.exe
  PID 1664 wrote to memory of 432 | 1664 | 15779b21660c32d7bab65ae82aa2279ba9edeb3c8bd84c091cbcd5aec8ffcaa5.exe | cmd.exe
  PID 1664 wrote to memory of 432 | 1664 | 15779b21660c32d7bab65ae82aa2279ba9edeb3c8bd84c091cbcd5aec8ffcaa5.exe | cmd.exe
  PID 432 wrote to memory of 1068 | 432 | cmd.exe | PING.EXE
  PID 432 wrote to memory of 1068 | 432 | cmd.exe | PING.EXE
  PID 432 wrote to memory of 1068 | 432 | cmd.exe | PING.EXE
  PID 432 wrote to memory of 1068 | 432 | cmd.exe | PING.EXE
Processes

C:\Users\Admin\AppData\Local\Temp\15779b21660c32d7bab65ae82aa2279ba9edeb3c8bd84c091cbcd5aec8ffcaa5.exe (level 1, PID 1664)
  command line: "C:\Users\Admin\AppData\Local\Temp\15779b21660c32d7bab65ae82aa2279ba9edeb3c8bd84c091cbcd5aec8ffcaa5.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (level 2, PID 1576)
    command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE

  C:\Windows\SysWOW64\cmd.exe (level 2, PID 432)
    command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\15779b21660c32d7bab65ae82aa2279ba9edeb3c8bd84c091cbcd5aec8ffcaa5.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\PING.EXE (level 3, PID 1068)
      command line: ping 127.0.0.1
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: e1d5fbf42b7f1f0404913a5be4857b80
SHA1: 6acd137c0ae45e44ce8aceb227fe95bbec2c6815
SHA256: adca2bbf04737985a3576c1f3dd969d3c3bf9ed835f16c7f52d977f4b0149dab
SHA512: 3d780a79d828200c0f944e21991e0b3ab4baddf3207ec2fd27b0fae6fd00fc9b62afc71ad0ed92d1fd5ebf99b32b3e53a03bc7514ef46233f7c27062286aa054