Analysis
- max time kernel: 119s
- max time network: 133s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 05:28

Static task: static1

Behavioral task: behavioral1
- Sample: 12ac35e35ff247d89a35afffe065639ec0c61862d15e79df2361ca61a872aaff.exe
- Resource: win7-en-20211208

Behavioral task: behavioral2
- Sample: 12ac35e35ff247d89a35afffe065639ec0c61862d15e79df2361ca61a872aaff.exe
- Resource: win10v2004-en-20220113
General
- Target: 12ac35e35ff247d89a35afffe065639ec0c61862d15e79df2361ca61a872aaff.exe
- Size: 79KB
- MD5: 52996ba6234d7f7c743a021ef84d6c1e
- SHA1: 4b4d1f4eed3494d279c9145926da8f97e48024cd
- SHA256: 12ac35e35ff247d89a35afffe065639ec0c61862d15e79df2361ca61a872aaff
- SHA512: ae1cda21d416e1adc0d20b637e647719a199bba868500d62edc8557fa3c2144a314ace01933d735cf5eb2a4ea9f0b79a89df8d4cf6abe810af6de6d74c330c3b
Malware Config
Signatures
Sakula Payload (3 IoCs)
Processes:
  resource | yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula

Executes dropped EXE (1 IoCs)
Processes:
  pid | process
  1032 | MediaCenter.exe

Deletes itself (1 IoCs)
Processes:
  pid | process
  1816 | cmd.exe

Loads dropped DLL (2 IoCs)
Processes:
  pid | process
  1592 | 12ac35e35ff247d89a35afffe065639ec0c61862d15e79df2361ca61a872aaff.exe
  1592 | 12ac35e35ff247d89a35afffe065639ec0c61862d15e79df2361ca61a872aaff.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 12ac35e35ff247d89a35afffe065639ec0c61862d15e79df2361ca61a872aaff.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTPs, 1 IoCs)

Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes:
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 1592 | 12ac35e35ff247d89a35afffe065639ec0c61862d15e79df2361ca61a872aaff.exe

Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
  description | pid | process | target process
  PID 1592 wrote to memory of 1032 | 1592 | 12ac35e35ff247d89a35afffe065639ec0c61862d15e79df2361ca61a872aaff.exe | MediaCenter.exe
  PID 1592 wrote to memory of 1032 | 1592 | 12ac35e35ff247d89a35afffe065639ec0c61862d15e79df2361ca61a872aaff.exe | MediaCenter.exe
  PID 1592 wrote to memory of 1032 | 1592 | 12ac35e35ff247d89a35afffe065639ec0c61862d15e79df2361ca61a872aaff.exe | MediaCenter.exe
  PID 1592 wrote to memory of 1032 | 1592 | 12ac35e35ff247d89a35afffe065639ec0c61862d15e79df2361ca61a872aaff.exe | MediaCenter.exe
  PID 1592 wrote to memory of 1816 | 1592 | 12ac35e35ff247d89a35afffe065639ec0c61862d15e79df2361ca61a872aaff.exe | cmd.exe
  PID 1592 wrote to memory of 1816 | 1592 | 12ac35e35ff247d89a35afffe065639ec0c61862d15e79df2361ca61a872aaff.exe | cmd.exe
  PID 1592 wrote to memory of 1816 | 1592 | 12ac35e35ff247d89a35afffe065639ec0c61862d15e79df2361ca61a872aaff.exe | cmd.exe
  PID 1592 wrote to memory of 1816 | 1592 | 12ac35e35ff247d89a35afffe065639ec0c61862d15e79df2361ca61a872aaff.exe | cmd.exe
  PID 1816 wrote to memory of 1812 | 1816 | cmd.exe | PING.EXE
  PID 1816 wrote to memory of 1812 | 1816 | cmd.exe | PING.EXE
  PID 1816 wrote to memory of 1812 | 1816 | cmd.exe | PING.EXE
  PID 1816 wrote to memory of 1812 | 1816 | cmd.exe | PING.EXE
Processes
1. Image: C:\Users\Admin\AppData\Local\Temp\12ac35e35ff247d89a35afffe065639ec0c61862d15e79df2361ca61a872aaff.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\12ac35e35ff247d89a35afffe065639ec0c61862d15e79df2361ca61a872aaff.exe"
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   PID: 1592
   2. Image: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE
      PID: 1032
   2. Image: C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\12ac35e35ff247d89a35afffe065639ec0c61862d15e79df2361ca61a872aaff.exe"
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      PID: 1816
      3. Image: C:\Windows\SysWOW64\PING.EXE
         Command line: ping 127.0.0.1
         - Runs ping.exe
         PID: 1812
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 20edd5378e637985fd1a53efaee11152
- SHA1: 4234bb28bc4d69f68fa863b8e5675105a74e9c6d
- SHA256: 5ddaa1c29a4a09b6cc1ada2f556f3906f36c080314cf3f562ebbac8133be2552
- SHA512: ea5f210ae807f4ccd35518d06f899e785aba31dbf84601a086ac72bc4fb348538aadf12ae834fc8e4130bbb62852998c264ce49c71f4d1829c72c62a2df07fd8