Analysis
- max time kernel: 155s
- max time network: 180s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 05:26
Static task: static1
Behavioral task: behavioral1
  Sample: 12c27586c103f4a4e01061a8c2b23cf73bd0ec6534275974261084bf42064428.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 12c27586c103f4a4e01061a8c2b23cf73bd0ec6534275974261084bf42064428.exe
  Resource: win10v2004-en-20220112
General
- Target: 12c27586c103f4a4e01061a8c2b23cf73bd0ec6534275974261084bf42064428.exe
- Size: 99KB
- MD5: a0bab1a393eaaf9ff6975645dfa9534c
- SHA1: 8112b4f530ff8a94f5a08721e8138c92e6fae708
- SHA256: 12c27586c103f4a4e01061a8c2b23cf73bd0ec6534275974261084bf42064428
- SHA512: aeb2db8dcc6a9f43a6b8ed708d40f358035bce70ea4534a66da740640c0e49351fd7bfa9f4c29ba70bb7b8aa37c04f18e1d1164d063fb5674e80eb8443cd2434
Malware Config
Signatures
- Sakula Payload (3 IoCs)
  Processes:
  resource | yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- Executes dropped EXE (1 IoCs)
  Processes:
  pid | process
  1784 | MediaCenter.exe
- Deletes itself (1 IoCs)
  Processes:
  pid | process
  1168 | cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes:
  pid | process
  1556 | 12c27586c103f4a4e01061a8c2b23cf73bd0ec6534275974261084bf42064428.exe
  1556 | 12c27586c103f4a4e01061a8c2b23cf73bd0ec6534275974261084bf42064428.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 12c27586c103f4a4e01061a8c2b23cf73bd0ec6534275974261084bf42064428.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 1556 | 12c27586c103f4a4e01061a8c2b23cf73bd0ec6534275974261084bf42064428.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
  description | pid | process | target process
  PID 1556 wrote to memory of 1784 | 1556 | 12c27586c103f4a4e01061a8c2b23cf73bd0ec6534275974261084bf42064428.exe | MediaCenter.exe
  PID 1556 wrote to memory of 1784 | 1556 | 12c27586c103f4a4e01061a8c2b23cf73bd0ec6534275974261084bf42064428.exe | MediaCenter.exe
  PID 1556 wrote to memory of 1784 | 1556 | 12c27586c103f4a4e01061a8c2b23cf73bd0ec6534275974261084bf42064428.exe | MediaCenter.exe
  PID 1556 wrote to memory of 1784 | 1556 | 12c27586c103f4a4e01061a8c2b23cf73bd0ec6534275974261084bf42064428.exe | MediaCenter.exe
  PID 1556 wrote to memory of 1168 | 1556 | 12c27586c103f4a4e01061a8c2b23cf73bd0ec6534275974261084bf42064428.exe | cmd.exe
  PID 1556 wrote to memory of 1168 | 1556 | 12c27586c103f4a4e01061a8c2b23cf73bd0ec6534275974261084bf42064428.exe | cmd.exe
  PID 1556 wrote to memory of 1168 | 1556 | 12c27586c103f4a4e01061a8c2b23cf73bd0ec6534275974261084bf42064428.exe | cmd.exe
  PID 1556 wrote to memory of 1168 | 1556 | 12c27586c103f4a4e01061a8c2b23cf73bd0ec6534275974261084bf42064428.exe | cmd.exe
  PID 1168 wrote to memory of 1408 | 1168 | cmd.exe | PING.EXE
  PID 1168 wrote to memory of 1408 | 1168 | cmd.exe | PING.EXE
  PID 1168 wrote to memory of 1408 | 1168 | cmd.exe | PING.EXE
  PID 1168 wrote to memory of 1408 | 1168 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\12c27586c103f4a4e01061a8c2b23cf73bd0ec6534275974261084bf42064428.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\12c27586c103f4a4e01061a8c2b23cf73bd0ec6534275974261084bf42064428.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1556
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1784
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\12c27586c103f4a4e01061a8c2b23cf73bd0ec6534275974261084bf42064428.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1168
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1408
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: df71c7c52288bae013ce0945412dfbed
  SHA1: 2adaed493d7e11c7a2f6b6971716885564fbddd6
  SHA256: ae17a39dd71cf1752b501ee11217aa1e29a64405e636f145d3b80d38f145763b
  SHA512: 4db360cc30f8a41993ce8b698f623c4a6e30941e42a4b7252e790523b564fce3cd6b2814ff4ede716138e5014b76e47287d275cbe09922d90c1a680f4d756fdb