Analysis
max time kernel: 118s
max time network: 128s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 05:31
Static task: static1
Behavioral task: behavioral1
  Sample: 127df2aa83727611766bf1fe7ae2eafcc469ff51cad9d01e45f35d020e678bf6.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 127df2aa83727611766bf1fe7ae2eafcc469ff51cad9d01e45f35d020e678bf6.exe
  Resource: win10v2004-en-20220113
General
Target: 127df2aa83727611766bf1fe7ae2eafcc469ff51cad9d01e45f35d020e678bf6.exe
Size: 99KB
MD5: 5631d1cd3c92432bbb6701da341bdc64
SHA1: 8ca1a0f65432a129f229ca1f75b4e8b0cf95b043
SHA256: 127df2aa83727611766bf1fe7ae2eafcc469ff51cad9d01e45f35d020e678bf6
SHA512: 8e8366a2423b7b8f027142df34bbc6b0444095d93164ef341960bc3d81d9b7f288a6db3190ba7891acb089ec2f1e27e0ad2015cd0b6452b976b4aa01e3986e38
Malware Config
Signatures
Sakula Payload (3 IoCs)
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula

Executes dropped EXE (1 IoC)
  pid | process
  1332 | MediaCenter.exe

Deletes itself (1 IoC)
  pid | process
  1628 | cmd.exe

Loads dropped DLL (2 IoCs)
  pid | process
  1608 | 127df2aa83727611766bf1fe7ae2eafcc469ff51cad9d01e45f35d020e678bf6.exe
  1608 | 127df2aa83727611766bf1fe7ae2eafcc469ff51cad9d01e45f35d020e678bf6.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 127df2aa83727611766bf1fe7ae2eafcc469ff51cad9d01e45f35d020e678bf6.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTP, 1 IoC)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 1608 | 127df2aa83727611766bf1fe7ae2eafcc469ff51cad9d01e45f35d020e678bf6.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  description | pid | process | target process
  PID 1608 wrote to memory of 1332 | 1608 | 127df2aa83727611766bf1fe7ae2eafcc469ff51cad9d01e45f35d020e678bf6.exe | MediaCenter.exe
  PID 1608 wrote to memory of 1332 | 1608 | 127df2aa83727611766bf1fe7ae2eafcc469ff51cad9d01e45f35d020e678bf6.exe | MediaCenter.exe
  PID 1608 wrote to memory of 1332 | 1608 | 127df2aa83727611766bf1fe7ae2eafcc469ff51cad9d01e45f35d020e678bf6.exe | MediaCenter.exe
  PID 1608 wrote to memory of 1332 | 1608 | 127df2aa83727611766bf1fe7ae2eafcc469ff51cad9d01e45f35d020e678bf6.exe | MediaCenter.exe
  PID 1608 wrote to memory of 1628 | 1608 | 127df2aa83727611766bf1fe7ae2eafcc469ff51cad9d01e45f35d020e678bf6.exe | cmd.exe
  PID 1608 wrote to memory of 1628 | 1608 | 127df2aa83727611766bf1fe7ae2eafcc469ff51cad9d01e45f35d020e678bf6.exe | cmd.exe
  PID 1608 wrote to memory of 1628 | 1608 | 127df2aa83727611766bf1fe7ae2eafcc469ff51cad9d01e45f35d020e678bf6.exe | cmd.exe
  PID 1608 wrote to memory of 1628 | 1608 | 127df2aa83727611766bf1fe7ae2eafcc469ff51cad9d01e45f35d020e678bf6.exe | cmd.exe
  PID 1628 wrote to memory of 1124 | 1628 | cmd.exe | PING.EXE
  PID 1628 wrote to memory of 1124 | 1628 | cmd.exe | PING.EXE
  PID 1628 wrote to memory of 1124 | 1628 | cmd.exe | PING.EXE
  PID 1628 wrote to memory of 1124 | 1628 | cmd.exe | PING.EXE
Processes
C:\Users\Admin\AppData\Local\Temp\127df2aa83727611766bf1fe7ae2eafcc469ff51cad9d01e45f35d020e678bf6.exe
  Command: "C:\Users\Admin\AppData\Local\Temp\127df2aa83727611766bf1fe7ae2eafcc469ff51cad9d01e45f35d020e678bf6.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1608

  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1332

  C:\Windows\SysWOW64\cmd.exe
    Command: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\127df2aa83727611766bf1fe7ae2eafcc469ff51cad9d01e45f35d020e678bf6.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1628

    C:\Windows\SysWOW64\PING.EXE
      Command: ping 127.0.0.1
      - Runs ping.exe
      PID: 1124
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: e99b9849c4ae51248412ec11c3e5e3cc
SHA1: 10a55ae214674333b049a0efc939eff81a4bc151
SHA256: ed98363f1e8c7810ae9b2e42c08751ef12ff2f6daa99b89b71508a6bff498c09
SHA512: cf91a8edb5f604cfc7a9e21649669b31769a5fbc9d4eeda073aa6c475ac56cc21fce115eb3d4f7cecb81c5b9280002ca8a129c36dd181ebd4fc10542a0d31e8c