Analysis
max time kernel: 121s
max time network: 127s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 04:23
Static task: static1
Behavioral task: behavioral1
  Sample: 1568ca72b568cfb7e4d92cae6cc4f04520fe89a5723a4e837e1ad0bdeedaba50.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 1568ca72b568cfb7e4d92cae6cc4f04520fe89a5723a4e837e1ad0bdeedaba50.exe
  Resource: win10v2004-en-20220112
General
Target: 1568ca72b568cfb7e4d92cae6cc4f04520fe89a5723a4e837e1ad0bdeedaba50.exe
Size: 101KB
MD5: 42ba79f306fe389ee22e2d4d6d2da823
SHA1: 7b682060195263bf779c1f4ffd70f44fccc2fa07
SHA256: 1568ca72b568cfb7e4d92cae6cc4f04520fe89a5723a4e837e1ad0bdeedaba50
SHA512: fbb3e65acc8772df4695905e80d298c37b9df552e09497671f4d6f97d7c998c437073a85df4542d7d1903a7b8f44d4f1fee924178eba265f252bd5eb19839c4d
Malware Config
Signatures
Sakula Payload (3 IoCs)
  resource / yara_rule:
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  family_sakula
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  family_sakula
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  family_sakula

Executes dropped EXE (1 IoC)
  Processes: MediaCenter.exe
  PID 1292  MediaCenter.exe

Deletes itself (1 IoC)
  Processes: cmd.exe
  PID 972  cmd.exe

Loads dropped DLL (2 IoCs)
  Processes: 1568ca72b568cfb7e4d92cae6cc4f04520fe89a5723a4e837e1ad0bdeedaba50.exe
  PID 1448  1568ca72b568cfb7e4d92cae6cc4f04520fe89a5723a4e837e1ad0bdeedaba50.exe  (2 events)

Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: 1568ca72b568cfb7e4d92cae6cc4f04520fe89a5723a4e837e1ad0bdeedaba50.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  by process: 1568ca72b568cfb7e4d92cae6cc4f04520fe89a5723a4e837e1ad0bdeedaba50.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTP, 1 IoC)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: 1568ca72b568cfb7e4d92cae6cc4f04520fe89a5723a4e837e1ad0bdeedaba50.exe
  Token: SeIncBasePriorityPrivilege  PID 1448  1568ca72b568cfb7e4d92cae6cc4f04520fe89a5723a4e837e1ad0bdeedaba50.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  Processes: 1568ca72b568cfb7e4d92cae6cc4f04520fe89a5723a4e837e1ad0bdeedaba50.exe, cmd.exe
  PID 1448 (1568ca72b568cfb7e4d92cae6cc4f04520fe89a5723a4e837e1ad0bdeedaba50.exe) wrote to memory of PID 1292 (MediaCenter.exe): 4 events
  PID 1448 (1568ca72b568cfb7e4d92cae6cc4f04520fe89a5723a4e837e1ad0bdeedaba50.exe) wrote to memory of PID 972 (cmd.exe): 4 events
  PID 972 (cmd.exe) wrote to memory of PID 1768 (PING.EXE): 4 events
Processes
C:\Users\Admin\AppData\Local\Temp\1568ca72b568cfb7e4d92cae6cc4f04520fe89a5723a4e837e1ad0bdeedaba50.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\1568ca72b568cfb7e4d92cae6cc4f04520fe89a5723a4e837e1ad0bdeedaba50.exe"
  PID: 1448
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 1292
    - Executes dropped EXE
  C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\1568ca72b568cfb7e4d92cae6cc4f04520fe89a5723a4e837e1ad0bdeedaba50.exe"
    PID: 972
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\PING.EXE
      command line: ping 127.0.0.1
      PID: 1768
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: 895bfd8cce98cfc30430c924a83c2f99
SHA1: 65ee4a609beee6af20bd18b378bcdd2da2230e7e
SHA256: 4e767f00de19753d0bf95cd29ff4c348e887d14d0c1d6264562b92ba9a768d4f
SHA512: 102789cb8e56839d26ca19d1633429cfa273c577162128c5fec2fa7742eb284128359951736aec579f18f7c10129555b0a99242ad276d373bc20d42e1fa4f176