Analysis
- Max time kernel: 151s
- Max time network: 167s
- Platform: windows7_x64
- Resource: win7-en-20211208
- Submitted: 12-02-2022 05:21
Behavioral tasks
- behavioral1: sample 12fe88b0a1f257aa0f5d14b65601a3d6bdb5bd9aa5159d1941957e75b836f949.exe, resource win7-en-20211208
- behavioral2: sample 12fe88b0a1f257aa0f5d14b65601a3d6bdb5bd9aa5159d1941957e75b836f949.exe, resource win10v2004-en-20220113
General
- Target: 12fe88b0a1f257aa0f5d14b65601a3d6bdb5bd9aa5159d1941957e75b836f949.exe
- Size: 212KB
- MD5: ccdd1b7c7013f7e35f8115bddff6f94d
- SHA1: 475ee37fb0161fa1248c7e17909e176208a6cb03
- SHA256: 12fe88b0a1f257aa0f5d14b65601a3d6bdb5bd9aa5159d1941957e75b836f949
- SHA512: fbc301e61a565e2b09af08a97c4fd28c529e6cda56427fa734a6cf59ae7029e8f0a37bbdb9385e504ab09a18b4839353c20191997f05ba3a6f2ae4a4afba8382
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  Files matching yara rule family_sakula:
  - \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
- Executes dropped EXE (1 IoC)
  PID 1668 MediaCenter.exe
- UPX-packed executable (2 IoCs)
  Files matching yara rule upx:
  - \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
- Deletes itself (1 IoC)
  PID 1604 cmd.exe
- Loads dropped DLL (1 IoC)
  PID 960 12fe88b0a1f257aa0f5d14b65601a3d6bdb5bd9aa5159d1941957e75b836f949.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process 12fe88b0a1f257aa0f5d14b65601a3d6bdb5bd9aa5159d1941957e75b836f949.exe set value (str):
  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  The Wow6432Node path shows a 32-bit process writing the machine-wide Run key on a 64-bit host. Windows processes both the native and the Wow6432Node Run keys at logon, so this entry is an effective persistence mechanism, and the value points into a user-writable Temp directory rather than Program Files.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic description labels this as likely ransomware behaviour, but nothing else in this report (no mass file writes, no ransom note, no encryption activity) supports that reading; the observed payload is the Sakula family.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  PID 960 12fe88b0a1f257aa0f5d14b65601a3d6bdb5bd9aa5159d1941957e75b836f949.exe: Token SeIncBasePriorityPrivilege
- Suspicious use of WriteProcessMemory (12 IoCs)
  - PID 960 (12fe88b0a1f257aa0f5d14b65601a3d6bdb5bd9aa5159d1941957e75b836f949.exe) wrote to memory of PID 1668 (MediaCenter.exe): 4 events
  - PID 960 (12fe88b0a1f257aa0f5d14b65601a3d6bdb5bd9aa5159d1941957e75b836f949.exe) wrote to memory of PID 1604 (cmd.exe): 4 events
  - PID 1604 (cmd.exe) wrote to memory of PID 1484 (PING.EXE): 4 events
  Every write here is from a parent into a child it has just launched, which is the pattern of ordinary process start-up rather than injection; the report shows no writes into a process the sample did not create.
Processes
- C:\Users\Admin\AppData\Local\Temp\12fe88b0a1f257aa0f5d14b65601a3d6bdb5bd9aa5159d1941957e75b836f949.exe (PID 960)
  Command line: "C:\Users\Admin\AppData\Local\Temp\12fe88b0a1f257aa0f5d14b65601a3d6bdb5bd9aa5159d1941957e75b836f949.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 1668)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 1604)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\12fe88b0a1f257aa0f5d14b65601a3d6bdb5bd9aa5159d1941957e75b836f949.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 1484)
      Command line: ping 127.0.0.1
      - Runs ping.exe

Two details of the tree matter for detection. First, the dropper's self-deletion uses the common `cmd /c ping 127.0.0.1 & del /q "<own path>"` idiom: the loopback ping only exists to stall for roughly a second so that the parent has exited and its image is no longer locked when `del` runs. Second, the command line asks for `C:\Windows\System32\cmd.exe` but the process image is `C:\Windows\SysWOW64\cmd.exe` (likewise for PING.EXE), because the 32-bit parent is subject to WOW64 file-system redirection; a rule that matches on the full System32 image path would miss this, so match on the basename or account for both directories.
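The following detection logic is an added example written for this page, not code from the sandbox or from the sample. It replays the report's process tree and Run-key write as constructed Sysmon-style records (PIDs, paths and command lines copied from the report; the parent PID 400 of the sample and the benign `build.exe` control case are assumptions) and flags two behaviours: a cmd.exe child whose `del` target is its own parent's image, and a Run-key value that points into a Temp directory.

```python
import re
from typing import Dict, List

# Constructed events mirroring this report. PIDs, image paths and command lines come
# from the report; ppid 400 for the sample and the build.exe control case are assumed.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\12fe88b0a1f257aa0f5d14b65601a3d6bdb5bd9aa5159d1941957e75b836f949.exe")
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

EVENTS: List[Dict] = [
    {"type": "process", "pid": 960, "ppid": 400, "image": SAMPLE,
     "cmdline": f'"{SAMPLE}"'},
    {"type": "registry", "pid": 960,
     "key": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "data": DROPPED},
    {"type": "process", "pid": 1668, "ppid": 960, "image": DROPPED, "cmdline": DROPPED},
    # Image is SysWOW64\cmd.exe although the command line names System32\cmd.exe:
    # the 32-bit parent is subject to WOW64 file-system redirection.
    {"type": "process", "pid": 1604, "ppid": 960, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"'},
    {"type": "process", "pid": 1484, "ppid": 1604, "image": r"C:\Windows\SysWOW64\PING.EXE",
     "cmdline": "ping 127.0.0.1"},
    # Assumed benign control case: a build tool deleting its own log file, not itself.
    {"type": "process", "pid": 2000, "ppid": 400, "image": r"C:\Tools\build.exe",
     "cmdline": "build.exe"},
    {"type": "process", "pid": 2001, "ppid": 2000, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c del /q "C:\Tools\build.log"'},
]

# `del [/flags] "<path>"` up to the next `&` or end of line.
DEL_RE = re.compile(r'\bdel\b(?:\s+/\w+)*\s+"?([^"&]+?)"?\s*(?:&|$)', re.IGNORECASE)
# Stalling idioms that precede the delete so the parent image is unlocked.
DELAY_RE = re.compile(r'\b(ping\s+127\.0\.0\.1|ping\s+-n\s+\d+|timeout\s+/t\s+\d+)\b',
                      re.IGNORECASE)
TEMP_RE = re.compile(r'\\(AppData\\Local\\Temp|Windows\\Temp|Temp)\\', re.IGNORECASE)


def basename(path: str) -> str:
    """Last path component, lower-cased; tolerant of System32 vs SysWOW64."""
    return path.rsplit("\\", 1)[-1].lower()


def find_self_deletion(events: List[Dict]) -> List[Dict]:
    """Flag cmd.exe children whose `del` target equals the parent's own image path.
    Matching cmd.exe by basename is deliberate so WOW64 redirection does not hide it."""
    by_pid = {e["pid"]: e for e in events if e["type"] == "process"}
    findings = []
    for e in events:
        if e["type"] != "process" or basename(e["image"]) != "cmd.exe":
            continue
        parent = by_pid.get(e["ppid"])
        if parent is None:
            continue
        for target in DEL_RE.findall(e["cmdline"]):
            if target.strip().lower() == parent["image"].lower():
                findings.append({"pid": e["pid"], "parent_pid": parent["pid"],
                                 "target": target.strip(),
                                 "delayed": bool(DELAY_RE.search(e["cmdline"]))})
    return findings


def find_temp_run_keys(events: List[Dict]) -> List[Dict]:
    """Flag Run-key values whose launch target lives in a writable Temp directory."""
    return [{"pid": e["pid"], "key": e["key"], "data": e["data"]}
            for e in events
            if e["type"] == "registry"
            and "\\currentversion\\run\\" in e["key"].lower()
            and TEMP_RE.search(e["data"])]


if __name__ == "__main__":
    for finding in find_self_deletion(EVENTS) + find_temp_run_keys(EVENTS):
        print(finding)
```

Run against the constructed events, `find_self_deletion` returns only PID 1604 (the `build.exe` control is not flagged because its `del` target is a log file, not the parent image), and `find_temp_run_keys` returns only the MicroMedia Run value. The `delayed` field records whether a stalling idiom preceded the delete, which is useful for separating this dropper pattern from a plain `del` of a temporary file.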
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: ecf58cc18d94e404652c789f93d36550
  SHA1: 2de5434fa8f3e8923a4ec6411fd895bc03e6020b
  SHA256: 2145892c49a23e3546c0f547f4c366409cd9ea62e2348e6cd3153b767b5da52c
  SHA512: 39d5d2a1096feca8688d09b29541467d0ae421dc2307c2cc9e810cd7a38444118cb22aa2fd0209bc1e32dfec6bbca2c72fb17f23bd4d0a4bb0a293758cc88f59
  (The report lists this download twice with identical hashes.)