Analysis
- max time kernel: 130s
- max time network: 139s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 05:30
Static task: static1
Behavioral task: behavioral1
- Sample: 128e514ed912e3b13736ceadce1e40ee31c9dc0224170fee6d40261d1417ae62.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 128e514ed912e3b13736ceadce1e40ee31c9dc0224170fee6d40261d1417ae62.exe
- Resource: win10v2004-en-20220113
General
- Target: 128e514ed912e3b13736ceadce1e40ee31c9dc0224170fee6d40261d1417ae62.exe
- Size: 150KB
- MD5: c77ad87992f4586da9634e7c7f35c71b
- SHA1: 94b7f3344138afdab705a586375b4b56b0778528
- SHA256: 128e514ed912e3b13736ceadce1e40ee31c9dc0224170fee6d40261d1417ae62
- SHA512: 9003bbce1a2c272fc54bc9f1db48ccd484a96bcbcfa602b7d29af74de839c35a9042e3bc17ff9a1edd0dde7058a837d7ac5231bbdb423d4f727e43c1e7d923ee
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  Processes:
  resource | yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- Executes dropped EXE (1 IoCs)
  Processes: MediaCenter.exe
  pid | process
  648 | MediaCenter.exe
- Deletes itself (1 IoCs)
  Processes: cmd.exe
  pid | process
  1188 | cmd.exe
- Loads dropped DLL (1 IoCs)
  Processes: 128e514ed912e3b13736ceadce1e40ee31c9dc0224170fee6d40261d1417ae62.exe
  pid | process
  1212 | 128e514ed912e3b13736ceadce1e40ee31c9dc0224170fee6d40261d1417ae62.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes: 128e514ed912e3b13736ceadce1e40ee31c9dc0224170fee6d40261d1417ae62.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 128e514ed912e3b13736ceadce1e40ee31c9dc0224170fee6d40261d1417ae62.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: 128e514ed912e3b13736ceadce1e40ee31c9dc0224170fee6d40261d1417ae62.exe
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 1212 | 128e514ed912e3b13736ceadce1e40ee31c9dc0224170fee6d40261d1417ae62.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes: 128e514ed912e3b13736ceadce1e40ee31c9dc0224170fee6d40261d1417ae62.exe, cmd.exe
  description | pid | process | target process
  PID 1212 wrote to memory of 648 | 1212 | 128e514ed912e3b13736ceadce1e40ee31c9dc0224170fee6d40261d1417ae62.exe | MediaCenter.exe
  PID 1212 wrote to memory of 648 | 1212 | 128e514ed912e3b13736ceadce1e40ee31c9dc0224170fee6d40261d1417ae62.exe | MediaCenter.exe
  PID 1212 wrote to memory of 648 | 1212 | 128e514ed912e3b13736ceadce1e40ee31c9dc0224170fee6d40261d1417ae62.exe | MediaCenter.exe
  PID 1212 wrote to memory of 648 | 1212 | 128e514ed912e3b13736ceadce1e40ee31c9dc0224170fee6d40261d1417ae62.exe | MediaCenter.exe
  PID 1212 wrote to memory of 1188 | 1212 | 128e514ed912e3b13736ceadce1e40ee31c9dc0224170fee6d40261d1417ae62.exe | cmd.exe
  PID 1212 wrote to memory of 1188 | 1212 | 128e514ed912e3b13736ceadce1e40ee31c9dc0224170fee6d40261d1417ae62.exe | cmd.exe
  PID 1212 wrote to memory of 1188 | 1212 | 128e514ed912e3b13736ceadce1e40ee31c9dc0224170fee6d40261d1417ae62.exe | cmd.exe
  PID 1212 wrote to memory of 1188 | 1212 | 128e514ed912e3b13736ceadce1e40ee31c9dc0224170fee6d40261d1417ae62.exe | cmd.exe
  PID 1188 wrote to memory of 1184 | 1188 | cmd.exe | PING.EXE
  PID 1188 wrote to memory of 1184 | 1188 | cmd.exe | PING.EXE
  PID 1188 wrote to memory of 1184 | 1188 | cmd.exe | PING.EXE
  PID 1188 wrote to memory of 1184 | 1188 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\128e514ed912e3b13736ceadce1e40ee31c9dc0224170fee6d40261d1417ae62.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\128e514ed912e3b13736ceadce1e40ee31c9dc0224170fee6d40261d1417ae62.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1212
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 648
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\128e514ed912e3b13736ceadce1e40ee31c9dc0224170fee6d40261d1417ae62.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1188
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1184
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 7bb498a34bb4384640ff0ebe41c2ec31
- SHA1: f924d19467e4bef60b74a2b49ac65776a397c079
- SHA256: d98b493361c8cff45b71b64922c7677ffc3796ad05a967862957cbaf4c26e7e5
- SHA512: c07c1e292ddf48b0d75c73ab97e9bdbcf7b2a926fa8f145d2a5a0f465cb9acf9b77211ddada1d472a75f55f9ff1ead486a3d7ddd47c2a3e4a174ddc6db4e5511