Analysis
- max time kernel: 140s
- max time network: 159s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 05:32
Static task: static1
Behavioral task: behavioral1
  Sample: 126978b03110b815143dbd1f20472e471bb28d833e803c7447d1505be245872b.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 126978b03110b815143dbd1f20472e471bb28d833e803c7447d1505be245872b.exe
  Resource: win10v2004-en-20220113
General
- Target: 126978b03110b815143dbd1f20472e471bb28d833e803c7447d1505be245872b.exe
- Size: 79KB
- MD5: 25a2ddd746ccd0e094e43db6dd79efdb
- SHA1: eb628519f5d549d00212a5493073c12db4be46e2
- SHA256: 126978b03110b815143dbd1f20472e471bb28d833e803c7447d1505be245872b
- SHA512: 66f276ed7b8be7ce70797cdd06598679853a79959a52d4edba784cc9ad3ebd0e952e6545490a39820f2de98f2c7cec5078a2deec06e15b789348c262c45745dc
Malware Config
Signatures
- Sakula Payload (3 IoCs)
  Processes (resource | yara_rule):
    \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
    \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- Executes dropped EXE (1 IoC)
  Processes (pid | process):
    1880 | MediaCenter.exe
- Deletes itself (1 IoC)
  Processes (pid | process):
    588 | cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid | process):
    1596 | 126978b03110b815143dbd1f20472e471bb28d833e803c7447d1505be245872b.exe
    1596 | 126978b03110b815143dbd1f20472e471bb28d833e803c7447d1505be245872b.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description | ioc | process):
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 126978b03110b815143dbd1f20472e471bb28d833e803c7447d1505be245872b.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description | pid | process):
    Token: SeIncBasePriorityPrivilege | 1596 | 126978b03110b815143dbd1f20472e471bb28d833e803c7447d1505be245872b.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description | pid | process | target process):
    PID 1596 wrote to memory of 1880 | 1596 | 126978b03110b815143dbd1f20472e471bb28d833e803c7447d1505be245872b.exe | MediaCenter.exe
    PID 1596 wrote to memory of 1880 | 1596 | 126978b03110b815143dbd1f20472e471bb28d833e803c7447d1505be245872b.exe | MediaCenter.exe
    PID 1596 wrote to memory of 1880 | 1596 | 126978b03110b815143dbd1f20472e471bb28d833e803c7447d1505be245872b.exe | MediaCenter.exe
    PID 1596 wrote to memory of 1880 | 1596 | 126978b03110b815143dbd1f20472e471bb28d833e803c7447d1505be245872b.exe | MediaCenter.exe
    PID 1596 wrote to memory of 588 | 1596 | 126978b03110b815143dbd1f20472e471bb28d833e803c7447d1505be245872b.exe | cmd.exe
    PID 1596 wrote to memory of 588 | 1596 | 126978b03110b815143dbd1f20472e471bb28d833e803c7447d1505be245872b.exe | cmd.exe
    PID 1596 wrote to memory of 588 | 1596 | 126978b03110b815143dbd1f20472e471bb28d833e803c7447d1505be245872b.exe | cmd.exe
    PID 1596 wrote to memory of 588 | 1596 | 126978b03110b815143dbd1f20472e471bb28d833e803c7447d1505be245872b.exe | cmd.exe
    PID 588 wrote to memory of 1944 | 588 | cmd.exe | PING.EXE
    PID 588 wrote to memory of 1944 | 588 | cmd.exe | PING.EXE
    PID 588 wrote to memory of 1944 | 588 | cmd.exe | PING.EXE
    PID 588 wrote to memory of 1944 | 588 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\126978b03110b815143dbd1f20472e471bb28d833e803c7447d1505be245872b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\126978b03110b815143dbd1f20472e471bb28d833e803c7447d1505be245872b.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1596
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1880
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\126978b03110b815143dbd1f20472e471bb28d833e803c7447d1505be245872b.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 588
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1944
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: d34e80abb7575249c72bdf8101f04e2e
  SHA1: b42dc01bb15b3e138d9c3560a60570f0c497234a
  SHA256: 13d6011896241b0e4a645d4230fc24f70d21daae2c0b246b949f7a079899902c
  SHA512: bfab7f1082c75433ea171075e69d07316432e555f55325a7efdb9e95260040e064151afd5cd98e2cb22d9a36263f73c4df44ba599165b35cf67b6f2a154793bd