Analysis

- max time kernel: 155s
- max time network: 167s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 05:34
Static task: static1

Behavioral task: behavioral1
- Sample: 125aa3d5afc42340c4cd950231ccdb74ddc4da85068745dbf61af9973a6fdd1d.exe
- Resource: win7-en-20211208

Behavioral task: behavioral2
- Sample: 125aa3d5afc42340c4cd950231ccdb74ddc4da85068745dbf61af9973a6fdd1d.exe
- Resource: win10v2004-en-20220113
General

- Target: 125aa3d5afc42340c4cd950231ccdb74ddc4da85068745dbf61af9973a6fdd1d.exe
- Size: 101KB
- MD5: 9ac4a53520330083b035a86edb8ca0ac
- SHA1: 3c5a7d0aa88007aa5862f8f55e17c1f467ced842
- SHA256: 125aa3d5afc42340c4cd950231ccdb74ddc4da85068745dbf61af9973a6fdd1d
- SHA512: 0447d743d647c89338315eb62de135db7a01b657013ec3c0da9792815cfe2d9a7eff6c27e14d267d17fc78329acd62ee3c3978c3d1c4bd4841d4e2aa41da6d5d
Malware Config
Signatures
-
Sakula Payload 3 IoCs
Processes:
resource                                                      yara_rule
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe    family_sakula
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe    family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  family_sakula
-
Executes dropped EXE 1 IoCs
Processes:
pid 1916  MediaCenter.exe
-
Deletes itself 1 IoCs
Processes:
pid 1120  cmd.exe
-
Loads dropped DLL 2 IoCs
Processes:
pid 980  125aa3d5afc42340c4cd950231ccdb74ddc4da85068745dbf61af9973a6fdd1d.exe
pid 980  125aa3d5afc42340c4cd950231ccdb74ddc4da85068745dbf61af9973a6fdd1d.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description: Set value (str)
ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
process: 125aa3d5afc42340c4cd950231ccdb74ddc4da85068745dbf61af9973a6fdd1d.exe
The Wow6432Node path is the WOW64 registry redirection of HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run as seen by a 32-bit process on the x64 guest (the same redirection is visible in the process tree, where "C:\Windows\System32\cmd.exe" resolves to C:\Windows\SysWOW64\cmd.exe). The value points at the dropped MediaCenter.exe under the user's Temp directory, so persistence survives deletion of the original sample. Writing an HKLM Run key requires administrative rights, which the sandbox user (Admin) has.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature calls it likely ransomware behaviour; the sample is otherwise classified here as Sakula, not a ransomware family, so treat that label as a heuristic rather than a finding.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
Token: SeIncBasePriorityPrivilege  pid 980  125aa3d5afc42340c4cd950231ccdb74ddc4da85068745dbf61af9973a6fdd1d.exe
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
writer pid  writer process                                                                   target pid  target process
980         125aa3d5afc42340c4cd950231ccdb74ddc4da85068745dbf61af9973a6fdd1d.exe            1916        MediaCenter.exe  (4 events)
980         125aa3d5afc42340c4cd950231ccdb74ddc4da85068745dbf61af9973a6fdd1d.exe            1120        cmd.exe          (4 events)
1120        cmd.exe                                                                          1812        PING.EXE         (4 events)
Every write targets a process the writer itself spawned (compare the process tree below), which is how ordinary child-process creation appears in this trace; nothing in these events shows injection into an unrelated process.
Processes

C:\Users\Admin\AppData\Local\Temp\125aa3d5afc42340c4cd950231ccdb74ddc4da85068745dbf61af9973a6fdd1d.exe  (level 1, PID 980)
  command line: "C:\Users\Admin\AppData\Local\Temp\125aa3d5afc42340c4cd950231ccdb74ddc4da85068745dbf61af9973a6fdd1d.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  (level 2, PID 1916)
    command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE

  C:\Windows\SysWOW64\cmd.exe  (level 2, PID 1120)
    command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\125aa3d5afc42340c4cd950231ccdb74ddc4da85068745dbf61af9973a6fdd1d.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\PING.EXE  (level 3, PID 1812)
      command line: ping 127.0.0.1
      - Runs ping.exe
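The two behaviours that matter most for hunting in this trace are the Run-key persistence pointing into the user's Temp directory and the "ping 127.0.0.1 & del /q <own image>" self-deletion, where ping serves as a sleep so the dropper has exited before its file is removed. The following is an added example, not part of the sandbox report, that encodes both as detection heuristics and runs them over event records constructed from the IoCs above. The event dictionary layout and field names are assumptions (a real pipeline would map Sysmon or EDR fields onto them), and the self-delete pattern is generalised beyond the exact form seen here to accept an optional "-n <count>" and any del switches.

```python
"""Added example: detection heuristics for the Run-key persistence and
ping-then-del self-deletion documented in the report. Event shape is assumed."""
import re
from pathlib import PureWindowsPath

# Autostart keys to inspect: Run and RunOnce under HKLM or HKCU, with or
# without the Wow6432Node redirection that appears in the report.
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.IGNORECASE)

# Autostart entries pointing into per-user scratch locations are rare for
# legitimate software and typical for droppers.
SUSPICIOUS_DIRS = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\windows\\temp\\")

# "ping <loopback> & del <file>": ping delays the delete until the parent has
# exited. Accepts an optional "-n <count>" and any number of del switches.
SELF_DELETE_RE = re.compile(
    r'ping\s+(?:-n\s+\d+\s+)?(?:127\.0\.0\.1|localhost)\b.*?&\s*del\s+'
    r'(?:/[a-z]\s+)*"?(?P<target>[^"&]+?)"?\s*$',
    re.IGNORECASE,
)

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\125aa3d5afc42340c4cd950231ccdb74ddc4da85068745dbf61af9973a6fdd1d.exe"

# Constructed events mirroring the report's IoCs, plus two benign controls.
EVENTS = [
    {"type": "registry_set", "pid": 980,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "data": r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"},
    {"type": "registry_set", "pid": 4242,  # benign control: vendor path, not flagged
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
     "data": r"C:\Program Files\Vendor\updater.exe"},
    {"type": "process_create", "pid": 1120, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "parent_image": SAMPLE,
     "cmdline": rf'"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"'},
    {"type": "process_create", "pid": 1812, "image": r"C:\Windows\SysWOW64\PING.EXE",
     "parent_image": r"C:\Windows\SysWOW64\cmd.exe", "cmdline": "ping 127.0.0.1"},
    {"type": "process_create", "pid": 5151, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "parent_image": SAMPLE,  # control: ping-then-del of a file that is not the parent
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\Downloads\stage.tmp"'},
]


def run_key_points_to_temp(key_path: str, data: str) -> bool:
    """True when a Run/RunOnce value is set to a path under a per-user scratch directory."""
    if not RUN_KEY_RE.search(key_path):
        return False
    lowered = data.lower()
    return any(marker in lowered for marker in SUSPICIOUS_DIRS)


def is_self_delete(cmdline: str, parent_image: str) -> bool:
    """True when a command line pings loopback and then deletes its parent's own image."""
    match = SELF_DELETE_RE.search(cmdline)
    if not match:
        return False
    target = PureWindowsPath(match.group("target").strip())
    # PureWindowsPath compares case-insensitively, matching NTFS path semantics.
    return target == PureWindowsPath(parent_image)


def triage(events):
    """Apply both heuristics in order and return (rule_name, pid) for each hit."""
    hits = []
    for ev in events:
        if ev["type"] == "registry_set" and run_key_points_to_temp(ev["key"], ev["data"]):
            hits.append(("run_key_persistence_in_temp", ev["pid"]))
        elif ev["type"] == "process_create" and is_self_delete(ev["cmdline"], ev["parent_image"]):
            hits.append(("self_delete_via_ping_del", ev["pid"]))
    return hits


if __name__ == "__main__":
    for rule, pid in triage(EVENTS):
        print(f"{rule}: pid {pid}")
```

The parent-image comparison is what keeps the second rule specific: a "ping & del" of some other file (the constructed control event with PID 5151) is common in installers and is not reported, while deleting the image of the process that spawned cmd.exe is the dropper pattern seen in this trace.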
Network
MITRE ATT&CK Enterprise v6
Downloads

One file is available for download; the report lists it three times with identical hashes, corresponding to the three Sakula YARA matches above.
- MD5: 5ac9e4355c944f2380933a81f492d27c
- SHA1: 5ee7b06f67a94e1ee0a0875edb5ce903b6386cca
- SHA256: c1e43f3245b00372a8527c5f0606e36adbc595e1543686bc9860e8d9972259ad
- SHA512: 4dd9f9afa9676b51f6a8e07f58ab6a6014d2040f9c5d83908964cba74c248e12a3bde598d5773696599c38b47897585ed59d27a362046b122f0d225024620749