Analysis
- max time kernel: 137s
- max time network: 169s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 05:30
Static task: static1
Behavioral task: behavioral1
- Sample: 1291fface987f88a60accbad9fc1e51d54fda94c09f831748e5c327709ab7b9f.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 1291fface987f88a60accbad9fc1e51d54fda94c09f831748e5c327709ab7b9f.exe
- Resource: win10v2004-en-20220113
General
- Target: 1291fface987f88a60accbad9fc1e51d54fda94c09f831748e5c327709ab7b9f.exe
- Size: 150KB
- MD5: f672c45b903ff9ed97d092a6b9ed3895
- SHA1: 1ca25d821bd734522fe14c520b9debbaf8f66f0b
- SHA256: 1291fface987f88a60accbad9fc1e51d54fda94c09f831748e5c327709ab7b9f
- SHA512: f3c5037eb3445b1ff71bafa0354c85411a2292e47e1f5f0173b505ce0469b8edcc893a41c2355e568551acb0b15e6b72383e06699346e88355169f3ec8b0df45
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  Processes (resource | yara_rule):
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- Executes dropped EXE (1 IoC)
  Processes (pid | process):
  1224 | MediaCenter.exe
- Deletes itself (1 IoC)
  Processes (pid | process):
  1992 | cmd.exe
- Loads dropped DLL (1 IoC)
  Processes (pid | process):
  1848 | 1291fface987f88a60accbad9fc1e51d54fda94c09f831748e5c327709ab7b9f.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description | ioc | process):
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 1291fface987f88a60accbad9fc1e51d54fda94c09f831748e5c327709ab7b9f.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description | pid | process):
  Token: SeIncBasePriorityPrivilege | 1848 | 1291fface987f88a60accbad9fc1e51d54fda94c09f831748e5c327709ab7b9f.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description | pid | process | target process):
  PID 1848 wrote to memory of 1224 | 1848 | 1291fface987f88a60accbad9fc1e51d54fda94c09f831748e5c327709ab7b9f.exe | MediaCenter.exe
  PID 1848 wrote to memory of 1224 | 1848 | 1291fface987f88a60accbad9fc1e51d54fda94c09f831748e5c327709ab7b9f.exe | MediaCenter.exe
  PID 1848 wrote to memory of 1224 | 1848 | 1291fface987f88a60accbad9fc1e51d54fda94c09f831748e5c327709ab7b9f.exe | MediaCenter.exe
  PID 1848 wrote to memory of 1224 | 1848 | 1291fface987f88a60accbad9fc1e51d54fda94c09f831748e5c327709ab7b9f.exe | MediaCenter.exe
  PID 1848 wrote to memory of 1992 | 1848 | 1291fface987f88a60accbad9fc1e51d54fda94c09f831748e5c327709ab7b9f.exe | cmd.exe
  PID 1848 wrote to memory of 1992 | 1848 | 1291fface987f88a60accbad9fc1e51d54fda94c09f831748e5c327709ab7b9f.exe | cmd.exe
  PID 1848 wrote to memory of 1992 | 1848 | 1291fface987f88a60accbad9fc1e51d54fda94c09f831748e5c327709ab7b9f.exe | cmd.exe
  PID 1848 wrote to memory of 1992 | 1848 | 1291fface987f88a60accbad9fc1e51d54fda94c09f831748e5c327709ab7b9f.exe | cmd.exe
  PID 1992 wrote to memory of 1940 | 1992 | cmd.exe | PING.EXE
  PID 1992 wrote to memory of 1940 | 1992 | cmd.exe | PING.EXE
  PID 1992 wrote to memory of 1940 | 1992 | cmd.exe | PING.EXE
  PID 1992 wrote to memory of 1940 | 1992 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\1291fface987f88a60accbad9fc1e51d54fda94c09f831748e5c327709ab7b9f.exe (PID 1848)
  Command line: "C:\Users\Admin\AppData\Local\Temp\1291fface987f88a60accbad9fc1e51d54fda94c09f831748e5c327709ab7b9f.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 1224)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 1992)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\1291fface987f88a60accbad9fc1e51d54fda94c09f831748e5c327709ab7b9f.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 1940)
      Command line: ping 127.0.0.1
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 4aafaa1aa5495931bc3e9b95b1497f8b
  SHA1: 30b97556b55d50acab9cc77a5404a15f14bc2e8e
  SHA256: 1c595ddbd52c5ad55c9e76d41684b4f7136bdf913d0dcb6bd2994f44be092164
  SHA512: afbbccee2f8eca90dbf0f9c6bc52f4728daba93d80a3634dab0adf0c6de8861299a7a94ef932b1f1c6c5c31768f9924b00d88d13f73eca189d177514e2d4a614