Analysis
- max time kernel: 153s
- max time network: 171s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 05:24
Static task: static1

Behavioral task: behavioral1
- Sample: 12d2fa1ad35a8b21655dbed3c6ef74800ed4f06bbe40f2678b08c9490d723c1c.exe
- Resource: win7-en-20211208

Behavioral task: behavioral2
- Sample: 12d2fa1ad35a8b21655dbed3c6ef74800ed4f06bbe40f2678b08c9490d723c1c.exe
- Resource: win10v2004-en-20220113
General
- Target: 12d2fa1ad35a8b21655dbed3c6ef74800ed4f06bbe40f2678b08c9490d723c1c.exe
- Size: 191KB
- MD5: c19533c447548f71ccc29c4b5d51e9fe
- SHA1: 47260fd43fd9f0ac3d2c700d12fc22cda76145f1
- SHA256: 12d2fa1ad35a8b21655dbed3c6ef74800ed4f06bbe40f2678b08c9490d723c1c
- SHA512: 6c812291f8534220df125b64739ca10cf853aa853555e9b5e0f150144d472d8d494e9da8a77e8ef8071fcdc26c618ece81f0c616f0183f37c729680b853ad215
Malware Config
Signatures
- Sakula Payload (3 IoCs)
  Processes:
    resource                                                      | yara_rule
    \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe    | family_sakula
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  | family_sakula
    \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe    | family_sakula
- Executes dropped EXE (1 IoC)
  Processes: MediaCenter.exe
    pid  | process
    804  | MediaCenter.exe
- Deletes itself (1 IoC)
  Processes: cmd.exe
    pid  | process
    640  | cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes: 12d2fa1ad35a8b21655dbed3c6ef74800ed4f06bbe40f2678b08c9490d723c1c.exe
    pid   | process
    1564  | 12d2fa1ad35a8b21655dbed3c6ef74800ed4f06bbe40f2678b08c9490d723c1c.exe
    1564  | 12d2fa1ad35a8b21655dbed3c6ef74800ed4f06bbe40f2678b08c9490d723c1c.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: 12d2fa1ad35a8b21655dbed3c6ef74800ed4f06bbe40f2678b08c9490d723c1c.exe
    description: Set value (str)
    ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
    process: 12d2fa1ad35a8b21655dbed3c6ef74800ed4f06bbe40f2678b08c9490d723c1c.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: 12d2fa1ad35a8b21655dbed3c6ef74800ed4f06bbe40f2678b08c9490d723c1c.exe
    description                        | pid   | process
    Token: SeIncBasePriorityPrivilege  | 1564  | 12d2fa1ad35a8b21655dbed3c6ef74800ed4f06bbe40f2678b08c9490d723c1c.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes: 12d2fa1ad35a8b21655dbed3c6ef74800ed4f06bbe40f2678b08c9490d723c1c.exe, cmd.exe
    description                      | pid   | process                                                               | target process
    PID 1564 wrote to memory of 804  | 1564  | 12d2fa1ad35a8b21655dbed3c6ef74800ed4f06bbe40f2678b08c9490d723c1c.exe  | MediaCenter.exe
    PID 1564 wrote to memory of 804  | 1564  | 12d2fa1ad35a8b21655dbed3c6ef74800ed4f06bbe40f2678b08c9490d723c1c.exe  | MediaCenter.exe
    PID 1564 wrote to memory of 804  | 1564  | 12d2fa1ad35a8b21655dbed3c6ef74800ed4f06bbe40f2678b08c9490d723c1c.exe  | MediaCenter.exe
    PID 1564 wrote to memory of 804  | 1564  | 12d2fa1ad35a8b21655dbed3c6ef74800ed4f06bbe40f2678b08c9490d723c1c.exe  | MediaCenter.exe
    PID 1564 wrote to memory of 640  | 1564  | 12d2fa1ad35a8b21655dbed3c6ef74800ed4f06bbe40f2678b08c9490d723c1c.exe  | cmd.exe
    PID 1564 wrote to memory of 640  | 1564  | 12d2fa1ad35a8b21655dbed3c6ef74800ed4f06bbe40f2678b08c9490d723c1c.exe  | cmd.exe
    PID 1564 wrote to memory of 640  | 1564  | 12d2fa1ad35a8b21655dbed3c6ef74800ed4f06bbe40f2678b08c9490d723c1c.exe  | cmd.exe
    PID 1564 wrote to memory of 640  | 1564  | 12d2fa1ad35a8b21655dbed3c6ef74800ed4f06bbe40f2678b08c9490d723c1c.exe  | cmd.exe
    PID 640 wrote to memory of 1116  | 640   | cmd.exe                                                               | PING.EXE
    PID 640 wrote to memory of 1116  | 640   | cmd.exe                                                               | PING.EXE
    PID 640 wrote to memory of 1116  | 640   | cmd.exe                                                               | PING.EXE
    PID 640 wrote to memory of 1116  | 640   | cmd.exe                                                               | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\12d2fa1ad35a8b21655dbed3c6ef74800ed4f06bbe40f2678b08c9490d723c1c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\12d2fa1ad35a8b21655dbed3c6ef74800ed4f06bbe40f2678b08c9490d723c1c.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1564
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 804
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\12d2fa1ad35a8b21655dbed3c6ef74800ed4f06bbe40f2678b08c9490d723c1c.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 640
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1116
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 4d20bd0c1457b0abac3e96367b38cd56
  SHA1: 1e355d2d906418287f3f9fd0daf5b925209b2758
  SHA256: 6ffb9ca1e1e503b7150155f932d593c45af3175c0d7d241f0f74ca8f338fe462
  SHA512: 30666c0aeeaab0484d68828c42b744c14d38ccdeb19bf3f0549314138354b13d09cdd91a902242f66efb28b758e9c0be5d906c00473b05e314ca798419e8c819
- MD5: 4d20bd0c1457b0abac3e96367b38cd56
  SHA1: 1e355d2d906418287f3f9fd0daf5b925209b2758
  SHA256: 6ffb9ca1e1e503b7150155f932d593c45af3175c0d7d241f0f74ca8f338fe462
  SHA512: 30666c0aeeaab0484d68828c42b744c14d38ccdeb19bf3f0549314138354b13d09cdd91a902242f66efb28b758e9c0be5d906c00473b05e314ca798419e8c819
- MD5: 4d20bd0c1457b0abac3e96367b38cd56
  SHA1: 1e355d2d906418287f3f9fd0daf5b925209b2758
  SHA256: 6ffb9ca1e1e503b7150155f932d593c45af3175c0d7d241f0f74ca8f338fe462
  SHA512: 30666c0aeeaab0484d68828c42b744c14d38ccdeb19bf3f0549314138354b13d09cdd91a902242f66efb28b758e9c0be5d906c00473b05e314ca798419e8c819