Analysis
- max time kernel: 153s
- max time network: 169s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 05:34

Static task: static1

Behavioral task: behavioral1
- Sample: 1253b29c4c199eab010818ba2fddf57952bfcda54d8861a56a6c429e1ebc3c42.exe
- Resource: win7-en-20211208

Behavioral task: behavioral2
- Sample: 1253b29c4c199eab010818ba2fddf57952bfcda54d8861a56a6c429e1ebc3c42.exe
- Resource: win10v2004-en-20220112
General
- Target: 1253b29c4c199eab010818ba2fddf57952bfcda54d8861a56a6c429e1ebc3c42.exe
- Size: 192KB
- MD5: 4113284d22657961b0a08db47ece9944
- SHA1: c2f0f2d20261d920a5f4e924ecb7a9d2adc9b48e
- SHA256: 1253b29c4c199eab010818ba2fddf57952bfcda54d8861a56a6c429e1ebc3c42
- SHA512: 403a82c184d310133520591b1a4d1df380e9688a7062470fe5ada1459d7a20e998df9879bc605bdd8f570f9a47b5644c99a7f9a3293179ef78b1591370f2c42e
Malware Config
Signatures
- Sakula Payload (3 IoCs)
  resource | yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- Executes dropped EXE (1 IoC)
  pid | process
  1052 | MediaCenter.exe
- Deletes itself (1 IoC)
  pid | process
  800 | cmd.exe
- Loads dropped DLL (2 IoCs)
  pid | process
  808 | 1253b29c4c199eab010818ba2fddf57952bfcda54d8861a56a6c429e1ebc3c42.exe
  808 | 1253b29c4c199eab010818ba2fddf57952bfcda54d8861a56a6c429e1ebc3c42.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 1253b29c4c199eab010818ba2fddf57952bfcda54d8861a56a6c429e1ebc3c42.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature reads "Likely ransomware behaviour"; nothing else in this report shows encryption or ransom activity, and the payload is detected as the Sakula family above, so treat this as a drive-enumeration TTP rather than a ransomware finding.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 808 | 1253b29c4c199eab010818ba2fddf57952bfcda54d8861a56a6c429e1ebc3c42.exe
- Suspicious use of WriteProcessMemory (12 IoCs; each pair below is reported four times)
  source pid | source process | target pid | target process | occurrences
  808 | 1253b29c4c199eab010818ba2fddf57952bfcda54d8861a56a6c429e1ebc3c42.exe | 1052 | MediaCenter.exe | 4
  808 | 1253b29c4c199eab010818ba2fddf57952bfcda54d8861a56a6c429e1ebc3c42.exe | 800 | cmd.exe | 4
  800 | cmd.exe | 1832 | PING.EXE | 4
Processes
- (1) C:\Users\Admin\AppData\Local\Temp\1253b29c4c199eab010818ba2fddf57952bfcda54d8861a56a6c429e1ebc3c42.exe (PID 808)
  command line: "C:\Users\Admin\AppData\Local\Temp\1253b29c4c199eab010818ba2fddf57952bfcda54d8861a56a6c429e1ebc3c42.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - (2) C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 1052)
    command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - (2) C:\Windows\SysWOW64\cmd.exe (PID 800)
    command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\1253b29c4c199eab010818ba2fddf57952bfcda54d8861a56a6c429e1ebc3c42.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - (3) C:\Windows\SysWOW64\PING.EXE (PID 1832)
      command line: ping 127.0.0.1
      - Runs ping.exe

The numbers in parentheses are the depth in the process tree. The command line names C:\Windows\System32\cmd.exe but the image that runs is C:\Windows\SysWOW64\cmd.exe: the parent is a 32-bit process on 64-bit Windows, so WOW64 file-system redirection maps System32 to SysWOW64 for it, and the same redirection puts its Run value under Wow6432Node in the registry. The ping to 127.0.0.1 is only a delay so that the original executable has exited by the time del runs; the "Deletes itself" signature is attributed to cmd.exe (PID 800), but the file removed is the image of its parent (PID 808).
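The two host-side behaviours in this tree, the Run value pointing into the user's Temp directory and the `cmd /c ping 127.0.0.1 & del` self-deletion, are easy to turn into detection logic. The following is an added example, not part of the sandbox report or any vendor tooling. It assumes Sysmon-style records (EventID 1 for process creation, EventID 13 for registry value set, with the field names Sysmon uses); the event list is constructed here to mirror the process tree above plus some benign noise, and is not the sandbox's own telemetry. The self-delete rule does not fire on every `ping & del` (legitimate cleanup scripts use the same idiom); it resolves the parent process and only alerts when the file being deleted is the parent's own image.

```python
import re
from typing import Dict, List, Tuple

# Paths taken from the report's process tree.
SAMPLE_EXE = (r"C:\Users\Admin\AppData\Local\Temp"
              r"\1253b29c4c199eab010818ba2fddf57952bfcda54d8861a56a6c429e1ebc3c42.exe")
DROPPED_EXE = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

# Constructed Sysmon-style records (EventID 1 = process create, 13 = registry value set).
# Illustrative only, not the sandbox's telemetry. The last three entries are benign noise
# (a vendor Run key under Program Files, and an admin script that pings then deletes a log)
# that the rules must not flag.
EVENTS: List[Dict] = [
    {"EventID": 1, "ProcessId": 808, "ParentProcessId": 1400,
     "Image": SAMPLE_EXE, "CommandLine": f'"{SAMPLE_EXE}"'},
    {"EventID": 13, "ProcessId": 808,
     "TargetObject": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "Details": DROPPED_EXE},
    {"EventID": 1, "ProcessId": 1052, "ParentProcessId": 808,
     "Image": DROPPED_EXE, "CommandLine": DROPPED_EXE},
    {"EventID": 1, "ProcessId": 800, "ParentProcessId": 808,
     "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE_EXE}"'},
    {"EventID": 1, "ProcessId": 1832, "ParentProcessId": 800,
     "Image": r"C:\Windows\SysWOW64\PING.EXE", "CommandLine": "ping 127.0.0.1"},
    {"EventID": 13, "ProcessId": 2200,
     "TargetObject": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background"},
    {"EventID": 1, "ProcessId": 2250, "ParentProcessId": 900,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -File cleanup.ps1"},
    {"EventID": 1, "ProcessId": 2300, "ParentProcessId": 2250,
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c ping 127.0.0.1 -n 3 & del /q "C:\Temp\old.log"'},
]

RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
# ping <loopback> [-n N] & del [/switches] "<path>": the classic delayed self-delete.
PING_DEL_RE = re.compile(
    r"ping\s+(?:-n\s+\d+\s+)?(?:127\.0\.0\.1|localhost)(?:\s+-n\s+\d+)?"
    r".*?&\s*del\s+(?:/\w\s+)*\"?(?P<target>[^\"&]+?)\"?\s*$",
    re.IGNORECASE,
)

Finding = Tuple[str, int, str]  # (rule name, pid, detail)


def detect(events: List[Dict]) -> List[Finding]:
    """Return one finding per event that matches either behaviour, in event order."""
    # Parent lookup for the self-delete rule (PID reuse is ignored in this example).
    image_by_pid = {e["ProcessId"]: e["Image"] for e in events if e["EventID"] == 1}
    findings: List[Finding] = []
    for e in events:
        if e["EventID"] == 13:
            # Persistence: a Run value whose data lives under the user's Temp directory.
            if RUN_KEY_RE.search(e["TargetObject"]) and TEMP_DIR_RE.search(e["Details"]):
                findings.append(("run_key_points_to_temp", e["ProcessId"], e["Details"]))
        elif e["EventID"] == 1 and e["Image"].lower().endswith("\\cmd.exe"):
            m = PING_DEL_RE.search(e["CommandLine"])
            if not m:
                continue
            target = m.group("target").strip().lower()
            parent_image = image_by_pid.get(e["ParentProcessId"], "").lower()
            # Self-deletion: the file being deleted is the parent's own image.
            if target == parent_image:
                findings.append(("self_delete_via_ping_del", e["ProcessId"], parent_image))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in detect(EVENTS):
        print(f"{rule}: pid={pid} {detail}")
```

Run against the constructed events this reports two findings, for PID 808 (Run value pointing at MediaCenter.exe in Temp) and PID 800 (cmd.exe deleting its parent's image), and stays silent on the OneDrive Run key and the cleanup script. In a real pipeline the parent lookup should be keyed on the process GUID rather than the PID, and the Run-key rule can be broadened to other user-writable locations (AppData\Roaming, ProgramData) once the false-positive rate for your estate is known.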
Network
MITRE ATT&CK Enterprise v6
Downloads
- (reported three times with identical hashes)
  MD5: 2102830390b82394c882bcf099af4b22
  SHA1: 4674c1ce503d181ab7f72341d948466e0d26b14f
  SHA256: 2dd0e560801890d131cfbd2adf7002a5f38705d05b51a54f77e3813cd835733c
  SHA512: fad745aefbad55644330223fd27c4ef0e97f41e66619bec016aa7db1627869d2558b625dbcabe943aa50462b9a7ab77088ff18116bb4aff32e86ee1148e9afa4