Analysis
max time kernel: 140s
max time network: 168s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 05:26
Static task: static1
Behavioral task: behavioral1
  Sample: 12b93e7d210b951708efd0f543a0b9f6d4640387240dbad10c0bb30508413fdd.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 12b93e7d210b951708efd0f543a0b9f6d4640387240dbad10c0bb30508413fdd.exe
  Resource: win10v2004-en-20220113
General
Target: 12b93e7d210b951708efd0f543a0b9f6d4640387240dbad10c0bb30508413fdd.exe
Size: 104KB
MD5: b9046eef3920b13890d0b7cfd70beb89
SHA1: 303f5916c891481e38eb25219671c8b6c72f63eb
SHA256: 12b93e7d210b951708efd0f543a0b9f6d4640387240dbad10c0bb30508413fdd
SHA512: a19259ff9124ed6f35429b0cd901cb83c3fe3e2c188cffad3c204cf6e301d6978d3fb883e6132e65dc54028c34d45b8f9c333135dfd15f22c741585a2b4246f0
Malware Config
Signatures

Sakula Payload (3 IoCs)
resource | yara_rule
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula

Executes dropped EXE (1 IoC)
pid | process
840 | MediaCenter.exe

Deletes itself (1 IoC)
pid | process
752 | cmd.exe

Loads dropped DLL (2 IoCs)
pid | process
1660 | 12b93e7d210b951708efd0f543a0b9f6d4640387240dbad10c0bb30508413fdd.exe
1660 | 12b93e7d210b951708efd0f543a0b9f6d4640387240dbad10c0bb30508413fdd.exe

Adds Run key to start application (2 TTPs, 1 IoC)
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 12b93e7d210b951708efd0f543a0b9f6d4640387240dbad10c0bb30508413fdd.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox attaches its generic note "Likely ransomware behaviour" to this signature; on its own, enumerating storage devices is not evidence of file encryption, and the payload identified by the YARA hits above is Sakula, a backdoor family rather than ransomware.
Runs ping.exe (1 TTP, 1 IoC)

Suspicious use of AdjustPrivilegeToken (1 IoC)
description | pid | process
Token: SeIncBasePriorityPrivilege | 1660 | 12b93e7d210b951708efd0f543a0b9f6d4640387240dbad10c0bb30508413fdd.exe

Suspicious use of WriteProcessMemory (12 IoCs)
Each parent/child pair below was recorded four times, 12 events in total.
pid | process | target pid | target process
1660 | 12b93e7d210b951708efd0f543a0b9f6d4640387240dbad10c0bb30508413fdd.exe | 840 | MediaCenter.exe
1660 | 12b93e7d210b951708efd0f543a0b9f6d4640387240dbad10c0bb30508413fdd.exe | 752 | cmd.exe
752 | cmd.exe | 1432 | PING.EXE
Processes

C:\Users\Admin\AppData\Local\Temp\12b93e7d210b951708efd0f543a0b9f6d4640387240dbad10c0bb30508413fdd.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\12b93e7d210b951708efd0f543a0b9f6d4640387240dbad10c0bb30508413fdd.exe"
  PID: 1660
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      PID: 840
      - Executes dropped EXE
    C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\12b93e7d210b951708efd0f543a0b9f6d4640387240dbad10c0bb30508413fdd.exe"
      PID: 752
      - Deletes itself
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\PING.EXE
          command line: ping 127.0.0.1
          PID: 1432
          - Runs ping.exe

Note: the sample is a 32-bit executable running under WOW64 on this x64 VM. That is why the command line names System32\cmd.exe but the launched image resolves to SysWOW64\cmd.exe (file system redirection), and why the Run value lands under the Wow6432Node registry view. The ping to 127.0.0.1 is a sleep: it gives the parent time to exit before del removes the original dropper, leaving only the MediaCenter.exe copy that the Run key starts.
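Detection logic for the three host-side behaviours this report records (the Run value pointing into a user's Temp directory, the dropped EXE launched from Temp by a parent that also lives in Temp, and the "cmd /c ping 127.0.0.1 & del /q <own image>" self-deletion idiom). This is an added example, not code from the sandbox or from the malware; the events are constructed Sysmon-style records modelled on the process tree and registry write above, and the field names (type, pid, image, parent_image, cmdline, key, value) are my own, not a real telemetry schema.

```python
"""Constructed process/registry events run through three small detection rules.
Modelled on the sandbox report above; not real telemetry."""
import re
from dataclasses import dataclass
from typing import List, Optional

RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
# ping/timeout used as a sleep, chained with del/erase; captures the deleted path
# with or without surrounding quotes and any del switches (/q, /f ...).
SELF_DELETE_RE = re.compile(
    r'\b(?:ping|timeout)\b[^&]*&+\s*(?:del|erase)\b\s*(?:/\w\s+)*"?(?P<target>[^"&]+?)"?\s*$',
    re.I,
)


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str


def norm(path: str) -> str:
    """Case-fold and strip quotes so paths from different fields compare equal."""
    return path.strip().strip('"').lower()


def self_delete_target(cmdline: str) -> Optional[str]:
    """Return the file a 'ping & del' one-liner deletes, or None if not that idiom."""
    m = SELF_DELETE_RE.search(cmdline)
    return norm(m.group("target")) if m else None


def check_registry(ev: dict) -> Optional[Finding]:
    """Run/RunOnce value whose data points into %LOCALAPPDATA%\\Temp."""
    if RUN_KEY_RE.search(ev["key"]) and TEMP_DIR_RE.search(ev["value"]):
        return Finding("run_key_to_temp", ev["pid"], f'{ev["key"]} = {ev["value"]}')
    return None


def check_process(ev: dict) -> List[Finding]:
    out: List[Finding] = []
    target = self_delete_target(ev["cmdline"])
    if target:
        # Highest confidence when the deleted file is the parent's own image.
        if target == norm(ev["parent_image"]):
            out.append(Finding("self_delete_via_cmd", ev["pid"], f"deletes parent image {target}"))
        else:
            out.append(Finding("ping_del_oneliner", ev["pid"], f"deletes {target}"))
    # Dropped-EXE execution: image under Temp launched by a parent also under Temp.
    if TEMP_DIR_RE.search(ev["image"]) and TEMP_DIR_RE.search(ev["parent_image"]):
        out.append(Finding("temp_exe_spawned_from_temp", ev["pid"], ev["image"]))
    return out


def run_rules(events: List[dict]) -> List[Finding]:
    findings: List[Finding] = []
    for ev in events:
        if ev["type"] == "registry":
            f = check_registry(ev)
            if f:
                findings.append(f)
        elif ev["type"] == "process":
            findings.extend(check_process(ev))
    return findings


# Constructed events following the report's process tree. The root process has
# no parent recorded in the report, so parent_image is left empty (assumption).
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\12b93e7d210b951708efd0f543a0b9f6d4640387240dbad10c0bb30508413fdd.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
CMD32 = r"C:\Windows\SysWOW64\cmd.exe"
CMDLINE_DEL = r'"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "' + SAMPLE + '"'
EVENTS = [
    {"type": "process", "pid": 1660, "image": SAMPLE, "parent_image": "", "cmdline": '"' + SAMPLE + '"'},
    {"type": "registry", "pid": 1660, "image": SAMPLE,
     "key": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia", "value": DROPPED},
    {"type": "process", "pid": 840, "image": DROPPED, "parent_image": SAMPLE, "cmdline": DROPPED},
    {"type": "process", "pid": 752, "image": CMD32, "parent_image": SAMPLE, "cmdline": CMDLINE_DEL},
    {"type": "process", "pid": 1432, "image": r"C:\Windows\SysWOW64\PING.EXE", "parent_image": CMD32,
     "cmdline": "ping 127.0.0.1"},
    # Benign control (constructed): a vendor Run value pointing at Program Files is not flagged.
    {"type": "registry", "pid": 2000, "image": r"C:\Program Files\Vendor\app.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Vendor", "value": r"C:\Program Files\Vendor\app.exe"},
]

if __name__ == "__main__":
    for f in run_rules(EVENTS):
        print(f"[{f.rule}] pid={f.pid} {f.detail}")
```

On the constructed events this yields three findings: the Run value written by PID 1660, MediaCenter.exe (PID 840) started from Temp by a Temp-resident parent, and cmd.exe (PID 752) deleting its parent's own image. The self-delete rule keys on the deleted path matching the parent image rather than on "ping" alone, which is what keeps ordinary ping-then-cleanup batch files out of the alert stream.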
Network
MITRE ATT&CK Enterprise v6
Downloads
Dropped file (the report lists this entry three times with identical hashes)
MD5: 75f5befcf4f81af1fb3a231f7b788470
SHA1: 2f8b7e50e509cd88c5947d68ab94dfcaaedcfa37
SHA256: 95d88e61830994bb5b045ec15aa12828da1bcbfe51f39851784a9ed362949b93
SHA512: 711a4f87a50fe49964202abaf1b3a6a5cd644b4025941801a1f6dd93a5116e888f4c814510d9f77b06fc5ef6ccae5c3060be5f7138ad5d6624e394856b354385