Analysis
max time kernel: 119s
max time network: 131s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 04:22
Static task: static1
Behavioral task: behavioral1
  Sample: 156a712ffc3a1f28ee30c76d40af5c67dc769fb9634749bd8746f6a8ceff02c6.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 156a712ffc3a1f28ee30c76d40af5c67dc769fb9634749bd8746f6a8ceff02c6.exe
  Resource: win10v2004-en-20220113
General
Target: 156a712ffc3a1f28ee30c76d40af5c67dc769fb9634749bd8746f6a8ceff02c6.exe
Size: 80KB
MD5: f1f5b75bfb2565bd6e97d305d2ade120
SHA1: 48eb536870789537d57eb63ab3898bd9f1aa8451
SHA256: 156a712ffc3a1f28ee30c76d40af5c67dc769fb9634749bd8746f6a8ceff02c6
SHA512: 0dc54d35e294347895198d1b6ec9d42cd50fefb4f1f2a70dd520eabf7e2f0cecd852beda98ab9f2519eb1250ce8fd6b55b6bd20f4e479e90664d89da39ee3d66
Malware Config
Signatures
Sakula Payload (3 IoCs)
Processes:
  resource: \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  yara_rule: family_sakula
  resource: \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  yara_rule: family_sakula
  resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  yara_rule: family_sakula
Executes dropped EXE (1 IoC)
Processes:
  pid: 1220  process: MediaCenter.exe
Deletes itself (1 IoC)
Processes:
  pid: 828  process: cmd.exe
Loads dropped DLL (2 IoCs)
Processes:
  pid: 1624  process: 156a712ffc3a1f28ee30c76d40af5c67dc769fb9634749bd8746f6a8ceff02c6.exe
  pid: 1624  process: 156a712ffc3a1f28ee30c76d40af5c67dc769fb9634749bd8746f6a8ceff02c6.exe
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  process: 156a712ffc3a1f28ee30c76d40af5c67dc769fb9634749bd8746f6a8ceff02c6.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTP, 1 IoC)
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  description: Token: SeIncBasePriorityPrivilege  pid: 1624  process: 156a712ffc3a1f28ee30c76d40af5c67dc769fb9634749bd8746f6a8ceff02c6.exe
Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
  PID 1624 wrote to memory of 1220  (pid: 1624, process: 156a712ffc3a1f28ee30c76d40af5c67dc769fb9634749bd8746f6a8ceff02c6.exe, target process: MediaCenter.exe)
  PID 1624 wrote to memory of 1220  (pid: 1624, process: 156a712ffc3a1f28ee30c76d40af5c67dc769fb9634749bd8746f6a8ceff02c6.exe, target process: MediaCenter.exe)
  PID 1624 wrote to memory of 1220  (pid: 1624, process: 156a712ffc3a1f28ee30c76d40af5c67dc769fb9634749bd8746f6a8ceff02c6.exe, target process: MediaCenter.exe)
  PID 1624 wrote to memory of 1220  (pid: 1624, process: 156a712ffc3a1f28ee30c76d40af5c67dc769fb9634749bd8746f6a8ceff02c6.exe, target process: MediaCenter.exe)
  PID 1624 wrote to memory of 828   (pid: 1624, process: 156a712ffc3a1f28ee30c76d40af5c67dc769fb9634749bd8746f6a8ceff02c6.exe, target process: cmd.exe)
  PID 1624 wrote to memory of 828   (pid: 1624, process: 156a712ffc3a1f28ee30c76d40af5c67dc769fb9634749bd8746f6a8ceff02c6.exe, target process: cmd.exe)
  PID 1624 wrote to memory of 828   (pid: 1624, process: 156a712ffc3a1f28ee30c76d40af5c67dc769fb9634749bd8746f6a8ceff02c6.exe, target process: cmd.exe)
  PID 1624 wrote to memory of 828   (pid: 1624, process: 156a712ffc3a1f28ee30c76d40af5c67dc769fb9634749bd8746f6a8ceff02c6.exe, target process: cmd.exe)
  PID 828 wrote to memory of 1832   (pid: 828, process: cmd.exe, target process: PING.EXE)
  PID 828 wrote to memory of 1832   (pid: 828, process: cmd.exe, target process: PING.EXE)
  PID 828 wrote to memory of 1832   (pid: 828, process: cmd.exe, target process: PING.EXE)
  PID 828 wrote to memory of 1832   (pid: 828, process: cmd.exe, target process: PING.EXE)
Processes
1. C:\Users\Admin\AppData\Local\Temp\156a712ffc3a1f28ee30c76d40af5c67dc769fb9634749bd8746f6a8ceff02c6.exe (PID: 1624)
   Command line: "C:\Users\Admin\AppData\Local\Temp\156a712ffc3a1f28ee30c76d40af5c67dc769fb9634749bd8746f6a8ceff02c6.exe"
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID: 1220)
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE
   2. C:\Windows\SysWOW64\cmd.exe (PID: 828)
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\156a712ffc3a1f28ee30c76d40af5c67dc769fb9634749bd8746f6a8ceff02c6.exe"
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\PING.EXE (PID: 1832)
         Command line: ping 127.0.0.1
         - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: 42ec9af1742a8560f531c43303d15d23
SHA1: e107ede63b3455c5cbde292d159ff06c996e65ef
SHA256: 6e6e18022171199d009de89e4a2ff65898523eb45da3652452cea56a9044e8e1
SHA512: 5a2b52cd2c131f56caf8be0f6e77a73eacde0f38254006233ab80cfcb24f02f60b0891afaa90f17f2a2756fc9555d5b589852d6195f29810f7f367ad6b28f694