Analysis
max time kernel: 153s
max time network: 160s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 05:35

Static task: static1
Behavioral task: behavioral1
  Sample: 1247442f9b84e1445a3f96d72fb9f63d4de68364d389ac53a3c1760af264cde5.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 1247442f9b84e1445a3f96d72fb9f63d4de68364d389ac53a3c1760af264cde5.exe
  Resource: win10v2004-en-20220113
General
Target: 1247442f9b84e1445a3f96d72fb9f63d4de68364d389ac53a3c1760af264cde5.exe
Size: 216KB
MD5: 5a816b8bb6ac5fcbaaa405cd1ed4ad52
SHA1: 4d3474acc3633d48aeca5624dc0151eae0f36ff4
SHA256: 1247442f9b84e1445a3f96d72fb9f63d4de68364d389ac53a3c1760af264cde5
SHA512: a0fe5c967bd35b85fc76d5ae80e75032f306955de0b2ea1073aa04a0b80430153f6c5cdaa3a4ba88a6eb670c09317059a1d0ca1ea85dcb9d4bac5b28c98ac119
Malware Config
Signatures
-
Sakula Payload 4 IoCs
resource                                                                     yara_rule
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe                   family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe                 family_sakula
behavioral1/memory/1680-58-0x0000000000400000-0x0000000000420000-memory.dmp  family_sakula
behavioral1/memory/1388-59-0x0000000000400000-0x0000000000420000-memory.dmp  family_sakula
Executes dropped EXE 1 IoCs
pid   process
1388  MediaCenter.exe
Deletes itself 1 IoCs
pid   process
1796  cmd.exe
Loads dropped DLL 1 IoCs
pid   process
1680  1247442f9b84e1445a3f96d72fb9f63d4de68364d389ac53a3c1760af264cde5.exe
Adds Run key to start application 2 TTPs 1 IoCs
description: Set value (str)
ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
process: 1247442f9b84e1445a3f96d72fb9f63d4de68364d389ac53a3c1760af264cde5.exe (PID 1680)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's generic signature text labels this "likely ransomware behaviour", but nothing else in this report supports that reading: no file encryption, mass file writes or ransom note were recorded, and Sakula is a remote access trojan for which drive enumeration is routine host reconnaissance. Treat the signature as low-confidence on its own.
Runs ping.exe 1 TTPs 1 IoCs
pid   process
1440  PING.EXE (ping 127.0.0.1, see process tree below)
Suspicious use of AdjustPrivilegeToken 1 IoCs
description                        pid   process
Token: SeIncBasePriorityPrivilege  1680  1247442f9b84e1445a3f96d72fb9f63d4de68364d389ac53a3c1760af264cde5.exe
Suspicious use of WriteProcessMemory 12 IoCs
pid   target  process                                                                     target process   calls
1680  1388    1247442f9b84e1445a3f96d72fb9f63d4de68364d389ac53a3c1760af264cde5.exe        MediaCenter.exe  4
1680  1796    1247442f9b84e1445a3f96d72fb9f63d4de68364d389ac53a3c1760af264cde5.exe        cmd.exe          4
1796  1440    cmd.exe                                                                     PING.EXE         4
Every write target is a direct child that the writer itself just created, and four writes per child is what ordinary process creation by the parent produces; this signature therefore does not by itself indicate injection into an unrelated process.
Processes
1. C:\Users\Admin\AppData\Local\Temp\1247442f9b84e1445a3f96d72fb9f63d4de68364d389ac53a3c1760af264cde5.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\1247442f9b84e1445a3f96d72fb9f63d4de68364d389ac53a3c1760af264cde5.exe"
   PID: 1680
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      PID: 1388
      - Executes dropped EXE
   2. C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\1247442f9b84e1445a3f96d72fb9f63d4de68364d389ac53a3c1760af264cde5.exe"
      PID: 1796
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\PING.EXE
         command line: ping 127.0.0.1
         PID: 1440
         - Runs ping.exe
The dropper is a 32-bit process on a 64-bit guest: its request for C:\Windows\System32\cmd.exe is redirected by WoW64 to the SysWOW64 copy, and the same redirection is why its Run value lands under Wow6432Node. The ping to 127.0.0.1 is only a delay so that the parent has exited before del runs against its image; the dropped MediaCenter.exe is what survives and is what the Run key restarts.
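The two behaviours worth alerting on here are the ping-then-del self-deletion idiom and the Run value pointing into the user's Temp directory. The following is an added detection example, not part of the sandbox report or the Sakula sample; the process and registry records are constructed from the tree and the IoC above, and the list of user-writable directories is an assumption to be tuned per environment.

```python
"""Added example (not part of the sandbox report): detection logic for the
'cmd /c ping 127.0.0.1 & del /q <self>' self-deletion idiom and for a
Run-key value that points into a user-writable directory. All records
below are constructed from the report's process tree and registry IoC."""
import re

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\1247442f9b84e1445a3f96d72fb9f63d4de68364d389ac53a3c1760af264cde5.exe"

# Process-creation records constructed from the "Processes" tree above.
PROCESSES = [
    {"pid": 1680, "ppid": 0, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 1388, "ppid": 1680,
     "image": r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe",
     "cmdline": r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"},
    {"pid": 1796, "ppid": 1680, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"'},
    {"pid": 1440, "ppid": 1796, "image": r"C:\Windows\SysWOW64\PING.EXE",
     "cmdline": "ping 127.0.0.1"},
]

# Registry-set record constructed from the "Adds Run key" IoC above.
RUN_KEY_EVENTS = [
    {"pid": 1680,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "value": r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"},
]

# ping to loopback (optionally with -n <count>) chained with del; optional
# quotes and /f /q style switches cover the common variants of the idiom.
SELF_DELETE = re.compile(
    r'ping\s+(?:-n\s+\d+\s+)?(?:127\.0\.0\.1|localhost|::1)\b.*?'
    r'&+\s*del\s+(?:/[a-z]\s+)*"?(?P<target>[^"&]+?)"?\s*$',
    re.IGNORECASE,
)

# Directories a standard user can write to (assumed list; extend for your
# environment). An autorun pointing here is a persistence red flag.
USER_WRITABLE = (
    "\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\appdata\\local\\",
    "\\programdata\\", "\\users\\public\\", "\\windows\\temp\\",
)


def find_self_deletion(processes):
    """Return (cmd_pid, parent_pid, deleted_path) for every cmd.exe whose
    ping-then-del command line removes the image of its own parent."""
    by_pid = {p["pid"]: p for p in processes}
    hits = []
    for proc in processes:
        if not proc["image"].lower().endswith("\\cmd.exe"):
            continue
        match = SELF_DELETE.search(proc["cmdline"])
        if not match:
            continue
        parent = by_pid.get(proc["ppid"])
        target = match.group("target").strip().lower()
        if parent is not None and parent["image"].lower() == target:
            hits.append((proc["pid"], parent["pid"], target))
    return hits


def suspicious_run_values(events):
    """Return Run/RunOnce values whose command points into a user-writable directory."""
    flagged = []
    for event in events:
        if "\\currentversion\\run" not in event["key"].lower():
            continue
        value = event["value"].lower()
        if any(marker in value for marker in USER_WRITABLE):
            flagged.append(event)
    return flagged


if __name__ == "__main__":
    for cmd_pid, parent_pid, path in find_self_deletion(PROCESSES):
        print(f"self-deletion: cmd.exe {cmd_pid} deletes image of parent {parent_pid}: {path}")
    for event in suspicious_run_values(RUN_KEY_EVENTS):
        print(f"autorun from user-writable path by PID {event['pid']}: {event['key']} = {event['value']}")
```

Matching the deleted path against the parent's image (rather than alerting on any `ping & del`) is what keeps the rule quiet on installers and updaters that clean up temporary files; the Run-key check deliberately matches the `\REGISTRY\MACHINE` form seen here as well as the `HKLM`/`HKCU` forms most EDR telemetry uses, since both contain `\CurrentVersion\Run`.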
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: a106a44e0bc49efd374c2663e8e27982
SHA1: 17413fa8f6b72c0c515b3c6f61614dfbdb8a2a5d
SHA256: 593ea4370789bf93295b976f2d6ad09e821add5eec5910bb912ce53023926cfe
SHA512: 9ddf9cde3615e04707b6ffe2a080b26ff53d458e12810ab1cc18a71e019175423d8c80c4ce666c2a21c39e3ea044a930125ceb8f772fcef7c5eefc4b5a6dabfc