Analysis
- max time kernel: 136s
- max time network: 166s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 05:21
Static task: static1
Behavioral task: behavioral1
  Sample: 12f457ef0a7296efbf6a6dd3a0b2f31eaaf52bf51f5a46991c4ab676e50b3772.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 12f457ef0a7296efbf6a6dd3a0b2f31eaaf52bf51f5a46991c4ab676e50b3772.exe
  Resource: win10v2004-en-20220113
General
- Target: 12f457ef0a7296efbf6a6dd3a0b2f31eaaf52bf51f5a46991c4ab676e50b3772.exe
- Size: 192KB
- MD5: 244548e62a96222bdab4c96ee41879fb
- SHA1: 3aa1349c230c8de38000dcf3b6de5828e2b97490
- SHA256: 12f457ef0a7296efbf6a6dd3a0b2f31eaaf52bf51f5a46991c4ab676e50b3772
- SHA512: 9b9f250e70538f81cfabe5658f6d9ef7e137c651460eef6d5f97b3d4a30f2ec1e308161c98fe304df16cb1aded623b5db208b8b15e097b784bd164ed49d549b5
Malware Config
Signatures
- Sakula Payload (3 IoCs)
  Processes:
    resource: \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  yara_rule: family_sakula
    resource: \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  yara_rule: family_sakula
    resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  yara_rule: family_sakula
- Executes dropped EXE (1 IoC)
  Processes:
    pid: 1656  process: MediaCenter.exe
- Deletes itself (1 IoC)
  Processes:
    pid: 1816  process: cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes:
    pid: 1628  process: 12f457ef0a7296efbf6a6dd3a0b2f31eaaf52bf51f5a46991c4ab676e50b3772.exe
    pid: 1628  process: 12f457ef0a7296efbf6a6dd3a0b2f31eaaf52bf51f5a46991c4ab676e50b3772.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    description: Set value (str)  ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  process: 12f457ef0a7296efbf6a6dd3a0b2f31eaaf52bf51f5a46991c4ab676e50b3772.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description: Token: SeIncBasePriorityPrivilege  pid: 1628  process: 12f457ef0a7296efbf6a6dd3a0b2f31eaaf52bf51f5a46991c4ab676e50b3772.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
    description: PID 1628 wrote to memory of 1656  pid: 1628  process: 12f457ef0a7296efbf6a6dd3a0b2f31eaaf52bf51f5a46991c4ab676e50b3772.exe  target process: MediaCenter.exe
    description: PID 1628 wrote to memory of 1656  pid: 1628  process: 12f457ef0a7296efbf6a6dd3a0b2f31eaaf52bf51f5a46991c4ab676e50b3772.exe  target process: MediaCenter.exe
    description: PID 1628 wrote to memory of 1656  pid: 1628  process: 12f457ef0a7296efbf6a6dd3a0b2f31eaaf52bf51f5a46991c4ab676e50b3772.exe  target process: MediaCenter.exe
    description: PID 1628 wrote to memory of 1656  pid: 1628  process: 12f457ef0a7296efbf6a6dd3a0b2f31eaaf52bf51f5a46991c4ab676e50b3772.exe  target process: MediaCenter.exe
    description: PID 1628 wrote to memory of 1816  pid: 1628  process: 12f457ef0a7296efbf6a6dd3a0b2f31eaaf52bf51f5a46991c4ab676e50b3772.exe  target process: cmd.exe
    description: PID 1628 wrote to memory of 1816  pid: 1628  process: 12f457ef0a7296efbf6a6dd3a0b2f31eaaf52bf51f5a46991c4ab676e50b3772.exe  target process: cmd.exe
    description: PID 1628 wrote to memory of 1816  pid: 1628  process: 12f457ef0a7296efbf6a6dd3a0b2f31eaaf52bf51f5a46991c4ab676e50b3772.exe  target process: cmd.exe
    description: PID 1628 wrote to memory of 1816  pid: 1628  process: 12f457ef0a7296efbf6a6dd3a0b2f31eaaf52bf51f5a46991c4ab676e50b3772.exe  target process: cmd.exe
    description: PID 1816 wrote to memory of 400  pid: 1816  process: cmd.exe  target process: PING.EXE
    description: PID 1816 wrote to memory of 400  pid: 1816  process: cmd.exe  target process: PING.EXE
    description: PID 1816 wrote to memory of 400  pid: 1816  process: cmd.exe  target process: PING.EXE
    description: PID 1816 wrote to memory of 400  pid: 1816  process: cmd.exe  target process: PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\12f457ef0a7296efbf6a6dd3a0b2f31eaaf52bf51f5a46991c4ab676e50b3772.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\12f457ef0a7296efbf6a6dd3a0b2f31eaaf52bf51f5a46991c4ab676e50b3772.exe"
  PID: 1628
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 1656
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\12f457ef0a7296efbf6a6dd3a0b2f31eaaf52bf51f5a46991c4ab676e50b3772.exe"
    PID: 1816
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 400
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: f4280e12564f97688bc755dc6dd0eb59
  SHA1: 3345af4d487b81bb6bf57e03c1be767f7ceb3a1c
  SHA256: f1d82d4dafc3c9a8fb09109b10d08eb0d305fd7143c6d9a861d2310745147824
  SHA512: fe4022609f23b5444a2598729e9b9d5887e8391ecb8a6fb85a4522a298f4ea1825703dc7dde00060534934a40b0df190b60a958ea76d87c3cf4b0cda2640ac3a