Analysis
- max time kernel: 136s
- max time network: 151s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 05:23
Static task: static1
Behavioral task: behavioral1
  Sample: 12e2bfbf292ba09400bfa63ebbe278d5edd60015f67d1b15730b7692729d9d47.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 12e2bfbf292ba09400bfa63ebbe278d5edd60015f67d1b15730b7692729d9d47.exe
  Resource: win10v2004-en-20220113
General
- Target: 12e2bfbf292ba09400bfa63ebbe278d5edd60015f67d1b15730b7692729d9d47.exe
- Size: 172KB
- MD5: 00eebad47b12282a057f7b6f9696910c
- SHA1: 39595bb93837ae147e191654c8dfdb0950456239
- SHA256: 12e2bfbf292ba09400bfa63ebbe278d5edd60015f67d1b15730b7692729d9d47
- SHA512: b8aa1fd57e6cd15e4dd17d75287711ea50445651106818778b8a5b222af588a59f4be9de0790a89e7e0b00be1bcd5db9554ff80710f314d983f584edb240dd19
Malware Config
Signatures
- Sakula Payload (4 IoCs)
  resource | yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  behavioral1/memory/1636-59-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
  behavioral1/memory/1212-60-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
- Executes dropped EXE (1 IoC)
  pid | process
  1212 | MediaCenter.exe
- Deletes itself (1 IoC)
  pid | process
  1468 | cmd.exe
- Loads dropped DLL (1 IoC)
  pid | process
  1636 | 12e2bfbf292ba09400bfa63ebbe278d5edd60015f67d1b15730b7692729d9d47.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 12e2bfbf292ba09400bfa63ebbe278d5edd60015f67d1b15730b7692729d9d47.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 1636 | 12e2bfbf292ba09400bfa63ebbe278d5edd60015f67d1b15730b7692729d9d47.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  description | pid | process | target process
  PID 1636 wrote to memory of 1212 | 1636 | 12e2bfbf292ba09400bfa63ebbe278d5edd60015f67d1b15730b7692729d9d47.exe | MediaCenter.exe
  PID 1636 wrote to memory of 1212 | 1636 | 12e2bfbf292ba09400bfa63ebbe278d5edd60015f67d1b15730b7692729d9d47.exe | MediaCenter.exe
  PID 1636 wrote to memory of 1212 | 1636 | 12e2bfbf292ba09400bfa63ebbe278d5edd60015f67d1b15730b7692729d9d47.exe | MediaCenter.exe
  PID 1636 wrote to memory of 1212 | 1636 | 12e2bfbf292ba09400bfa63ebbe278d5edd60015f67d1b15730b7692729d9d47.exe | MediaCenter.exe
  PID 1636 wrote to memory of 1468 | 1636 | 12e2bfbf292ba09400bfa63ebbe278d5edd60015f67d1b15730b7692729d9d47.exe | cmd.exe
  PID 1636 wrote to memory of 1468 | 1636 | 12e2bfbf292ba09400bfa63ebbe278d5edd60015f67d1b15730b7692729d9d47.exe | cmd.exe
  PID 1636 wrote to memory of 1468 | 1636 | 12e2bfbf292ba09400bfa63ebbe278d5edd60015f67d1b15730b7692729d9d47.exe | cmd.exe
  PID 1636 wrote to memory of 1468 | 1636 | 12e2bfbf292ba09400bfa63ebbe278d5edd60015f67d1b15730b7692729d9d47.exe | cmd.exe
  PID 1468 wrote to memory of 592 | 1468 | cmd.exe | PING.EXE
  PID 1468 wrote to memory of 592 | 1468 | cmd.exe | PING.EXE
  PID 1468 wrote to memory of 592 | 1468 | cmd.exe | PING.EXE
  PID 1468 wrote to memory of 592 | 1468 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\12e2bfbf292ba09400bfa63ebbe278d5edd60015f67d1b15730b7692729d9d47.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\12e2bfbf292ba09400bfa63ebbe278d5edd60015f67d1b15730b7692729d9d47.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1636
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1212
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\12e2bfbf292ba09400bfa63ebbe278d5edd60015f67d1b15730b7692729d9d47.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1468
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 592
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: cba45675946f5227050944b439f3c1cd
  SHA1: 5f6703e756e97338e823cdf4c22eb73c1f776fe7
  SHA256: 78dd2a2b08dd3572845b43236cbbf877870abfcd239154bb88ae44039cbc263c
  SHA512: 3ed70882a9b12391173664edc81ffb54b3e9239be33c832f37ca91d1427a85edece8ba04c41da8382a694ee74c86897fe9fd6ad041767dcc6ab6c68554d2dc84