Analysis
max time kernel: 134s
max time network: 159s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 05:31
Static task: static1
Behavioral task: behavioral1
  Sample: 1281d7f5c56a4bdb974f6151972603afd55d07ecb3fc5306cc3945158f4936f3.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 1281d7f5c56a4bdb974f6151972603afd55d07ecb3fc5306cc3945158f4936f3.exe
  Resource: win10v2004-en-20220112
General
Target: 1281d7f5c56a4bdb974f6151972603afd55d07ecb3fc5306cc3945158f4936f3.exe
Size: 80KB
MD5: 4b4c129f9cce90f19f303b5d0c52452b
SHA1: 60925ab268d4cef64806cc1962258b524b448a46
SHA256: 1281d7f5c56a4bdb974f6151972603afd55d07ecb3fc5306cc3945158f4936f3
SHA512: 366e24f43037d1607a04b0cd6e87f6aa587e2457980569f58d4ef6e77e3aebf4b3a93b493d5b4a3b8e886b6a262b6ae972d49057f3910e9b29a4f91a1a283517
Malware Config
Signatures
- Sakula Payload (3 IoCs)
  Processes (resource / yara_rule):
    \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe / family_sakula
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe / family_sakula
    \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe / family_sakula
- Executes dropped EXE (1 IoC)
  Processes (pid / process):
    1528 / MediaCenter.exe
- Deletes itself (1 IoC)
  Processes (pid / process):
    1832 / cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid / process):
    1520 / 1281d7f5c56a4bdb974f6151972603afd55d07ecb3fc5306cc3945158f4936f3.exe
    1520 / 1281d7f5c56a4bdb974f6151972603afd55d07ecb3fc5306cc3945158f4936f3.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description / ioc / process):
    Set value (str) / \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" / 1281d7f5c56a4bdb974f6151972603afd55d07ecb3fc5306cc3945158f4936f3.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description / pid / process):
    Token: SeIncBasePriorityPrivilege / 1520 / 1281d7f5c56a4bdb974f6151972603afd55d07ecb3fc5306cc3945158f4936f3.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description / pid / process / target process):
    PID 1520 wrote to memory of 1528 / 1520 / 1281d7f5c56a4bdb974f6151972603afd55d07ecb3fc5306cc3945158f4936f3.exe / MediaCenter.exe (4 entries)
    PID 1520 wrote to memory of 1832 / 1520 / 1281d7f5c56a4bdb974f6151972603afd55d07ecb3fc5306cc3945158f4936f3.exe / cmd.exe (4 entries)
    PID 1832 wrote to memory of 1144 / 1832 / cmd.exe / PING.EXE (4 entries)
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\1281d7f5c56a4bdb974f6151972603afd55d07ecb3fc5306cc3945158f4936f3.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1281d7f5c56a4bdb974f6151972603afd55d07ecb3fc5306cc3945158f4936f3.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1520
  - [2] C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1528
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\1281d7f5c56a4bdb974f6151972603afd55d07ecb3fc5306cc3945158f4936f3.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1832
    - [3] C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1144
Network
MITRE ATT&CK Enterprise v6
Downloads
-
MD5: 9735a6ab88a7c7ba539e60ba01396067
SHA1: d8893065abc6d2571e3d53ae1a03fc40738c9a91
SHA256: 510bb7e8a0c09bc03e05cdd9badda30cc0032ba3669a40db6c93071aad0198cf
SHA512: 33ec7b6d50ba154269eeeeaa7914e91fa8b43776decc8c65ddf84ac167dd699b465f1e51313243e46e2ead3b03b7cd4bf9fdddb6e1f834d01d6df7124a093981