Analysis
- max time kernel: 166s
- max time network: 189s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 04:42
Static task: static1
Behavioral task: behavioral1
- Sample: 14c09b3bc43268d5756532d1445fa4b424d41c80f54f70628bcb5a0837803c2e.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 14c09b3bc43268d5756532d1445fa4b424d41c80f54f70628bcb5a0837803c2e.exe
- Resource: win10v2004-en-20220113
General
- Target: 14c09b3bc43268d5756532d1445fa4b424d41c80f54f70628bcb5a0837803c2e.exe
- Size: 176KB
- MD5: c34b797d0e9a7e3ce3a381088790bcfb
- SHA1: f7b4fe6768cdaa383f563289960b6eb7e9d9d097
- SHA256: 14c09b3bc43268d5756532d1445fa4b424d41c80f54f70628bcb5a0837803c2e
- SHA512: 70abc1ff75a665d98821c15f0ff13138e8f16cef51052f2d63862f3e11d8f61d00e3489b668f8265ac386926c20aa49e1b0a6c0a49f76a05847eb11239afcaa4
Malware Config
Signatures

Sakula Payload (4 IoCs)
Processes:
  resource                                                                    yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe                  family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe                family_sakula
  behavioral1/memory/1316-59-0x0000000000400000-0x0000000000420000-memory.dmp family_sakula
  behavioral1/memory/1672-60-0x0000000000400000-0x0000000000420000-memory.dmp family_sakula

Executes dropped EXE (1 IoC)
Processes:
  pid   process
  1672  MediaCenter.exe

Deletes itself (1 IoC)
Processes:
  pid   process
  1784  cmd.exe

Loads dropped DLL (1 IoC)
Processes:
  pid   process
  1316  14c09b3bc43268d5756532d1445fa4b424d41c80f54f70628bcb5a0837803c2e.exe

Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  description      ioc                                                                                                                                                                           process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  14c09b3bc43268d5756532d1445fa4b424d41c80f54f70628bcb5a0837803c2e.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox attaches the stock note "Likely ransomware behaviour" to this signature, but that is the generic description for the rule, not a verdict on this sample: the YARA matches above classify it as Sakula, a remote-access trojan, and nothing else in this report (no mass file writes, no ransom note) indicates ransomware. Treat drive enumeration here as host reconnaissance.
Runs ping.exe (1 TTP, 1 IoC)

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  description                         pid   process
  Token: SeIncBasePriorityPrivilege   1316  14c09b3bc43268d5756532d1445fa4b424d41c80f54f70628bcb5a0837803c2e.exe

Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
  description                          pid   process                                                                  target process
  PID 1316 wrote to memory of 1672     1316  14c09b3bc43268d5756532d1445fa4b424d41c80f54f70628bcb5a0837803c2e.exe    MediaCenter.exe
  PID 1316 wrote to memory of 1672     1316  14c09b3bc43268d5756532d1445fa4b424d41c80f54f70628bcb5a0837803c2e.exe    MediaCenter.exe
  PID 1316 wrote to memory of 1672     1316  14c09b3bc43268d5756532d1445fa4b424d41c80f54f70628bcb5a0837803c2e.exe    MediaCenter.exe
  PID 1316 wrote to memory of 1672     1316  14c09b3bc43268d5756532d1445fa4b424d41c80f54f70628bcb5a0837803c2e.exe    MediaCenter.exe
  PID 1316 wrote to memory of 1784     1316  14c09b3bc43268d5756532d1445fa4b424d41c80f54f70628bcb5a0837803c2e.exe    cmd.exe
  PID 1316 wrote to memory of 1784     1316  14c09b3bc43268d5756532d1445fa4b424d41c80f54f70628bcb5a0837803c2e.exe    cmd.exe
  PID 1316 wrote to memory of 1784     1316  14c09b3bc43268d5756532d1445fa4b424d41c80f54f70628bcb5a0837803c2e.exe    cmd.exe
  PID 1316 wrote to memory of 1784     1316  14c09b3bc43268d5756532d1445fa4b424d41c80f54f70628bcb5a0837803c2e.exe    cmd.exe
  PID 1784 wrote to memory of 1108     1784  cmd.exe                                                                  PING.EXE
  PID 1784 wrote to memory of 1108     1784  cmd.exe                                                                  PING.EXE
  PID 1784 wrote to memory of 1108     1784  cmd.exe                                                                  PING.EXE
  PID 1784 wrote to memory of 1108     1784  cmd.exe                                                                  PING.EXE
Processes

1. C:\Users\Admin\AppData\Local\Temp\14c09b3bc43268d5756532d1445fa4b424d41c80f54f70628bcb5a0837803c2e.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\14c09b3bc43268d5756532d1445fa4b424d41c80f54f70628bcb5a0837803c2e.exe"
   PID: 1316
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      PID: 1672
      - Executes dropped EXE

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\14c09b3bc43268d5756532d1445fa4b424d41c80f54f70628bcb5a0837803c2e.exe"
      PID: 1784
      - Deletes itself
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\PING.EXE
         Command line: ping 127.0.0.1
         PID: 1108
         - Runs ping.exe

Note on the tree: the dropper launches cmd.exe with a System32 path but the resolved image is C:\Windows\SysWOW64\cmd.exe, and the Run value lands under Wow6432Node. Both are the effect of WOW64 file-system and registry redirection, which tells you the sample is a 32-bit binary running on the x64 guest. The `ping 127.0.0.1 & del /q "<own path>"` idiom is a delay loop that gives the parent time to exit before the original file is deleted; the dropped copy, MediaCenter.exe, survives and is what the Run key points at.
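The two behaviours in this tree that are most worth detecting on an endpoint are the Run key write into %TEMP% and the `cmd.exe /c ping 127.0.0.1 & del /q "<own path>"` self-deletion. The Python below is an added example, not part of the sandbox report or its tooling: it runs both checks over a constructed event list that mirrors the PIDs, paths and registry value recorded above. The `Event` field names and the benign control event are assumptions for illustration, not a real EDR schema; adapt the loader to whatever telemetry you actually have.

```python
"""Detection checks for the behaviours recorded in the report above.

Added example (not from the report). Events, field names and the benign
control record are constructed to mirror the report's process tree.
"""
import re
from dataclasses import dataclass


@dataclass
class Event:
    kind: str            # "process" or "registry" (assumed schema)
    pid: int = 0
    ppid: int = 0
    image: str = ""      # resolved image path of the acting process
    cmdline: str = ""    # process events only
    key: str = ""        # registry events only: full value path
    value: str = ""      # registry events only: data written


# Constructed events reproducing the report's tree and Run key write.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\14c09b3bc43268d5756532d1445fa4b424d41c80f54f70628bcb5a0837803c2e.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
EVENTS = [
    Event("process", pid=1316, ppid=1000, image=SAMPLE, cmdline=f'"{SAMPLE}"'),
    Event("registry", pid=1316, image=SAMPLE,
          key=r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
          value=DROPPED),
    # Benign control (constructed): a Run value pointing into Program Files must not fire.
    Event("registry", pid=500, image=r"C:\Windows\explorer.exe",
          key=r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
          value=r"C:\Program Files\Vendor\Updater.exe"),
    Event("process", pid=1672, ppid=1316, image=DROPPED, cmdline=DROPPED),
    Event("process", pid=1784, ppid=1316, image=r"C:\Windows\SysWOW64\cmd.exe",
          cmdline=f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"'),
    Event("process", pid=1108, ppid=1784, image=r"C:\Windows\SysWOW64\PING.EXE",
          cmdline="ping 127.0.0.1"),
]

# Run / RunOnce under any hive, including the Wow6432Node redirected view.
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
# Directories an unprivileged user can write to; Program Files is deliberately absent.
USER_WRITABLE_RE = re.compile(
    r"\\(AppData\\Local\\Temp|AppData\\Roaming|Users\\Public|ProgramData)\\", re.I)
# "ping" (or "timeout") used as a sleep, then "del" of a quoted path, in one cmd /c line.
SELF_DELETE_RE = re.compile(r'/c\s+(ping|timeout)\b.*?&\s*del\b.*?"([^"]+)"', re.I)


def find_run_key_persistence(events):
    """Return (pid, value_name, target) for Run values whose target is user-writable."""
    hits = []
    for e in events:
        if e.kind == "registry" and RUN_KEY_RE.search(e.key) and USER_WRITABLE_RE.search(e.value):
            hits.append((e.pid, e.key.rsplit("\\", 1)[-1], e.value))
    return hits


def find_self_delete(events):
    """Return (parent_pid, cmd_pid, deleted_path) where cmd.exe deletes its parent's image."""
    by_pid = {e.pid: e for e in events if e.kind == "process"}
    hits = []
    for e in events:
        if e.kind != "process" or not e.image.lower().endswith("\\cmd.exe"):
            continue
        m = SELF_DELETE_RE.search(e.cmdline)
        parent = by_pid.get(e.ppid)
        # Only fire when the del target is the parent's own image, not any del.
        if m and parent and m.group(2).lower() == parent.image.lower():
            hits.append((e.ppid, e.pid, m.group(2)))
    return hits


if __name__ == "__main__":
    for h in find_run_key_persistence(EVENTS):
        print("persistence:", h)
    for h in find_self_delete(EVENTS):
        print("self-delete:", h)
```

The self-delete check deliberately joins the cmd.exe command line back to the parent's resolved image path instead of matching `ping & del` alone; scripted cleanups use the same idiom legitimately, and requiring the deleted file to be the parent binary is what separates a dropper erasing itself from ordinary housekeeping.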
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: ccaaf6608ee14d85689fe81e88abc27f
- SHA1: fcf1ab0fc9debf6efd439aa96466ac9a92b1add1
- SHA256: 7ea383b06148af43492100727b5d19f1ffec1e1ac5e4a10b8500c587f98b5ee8
- SHA512: 77fbc6dce8cf654aac626208616fc2b329775dd2d11fa2cf605db120cdcbc315bb13a649bb7f893e4b4ac575f62897e698b0f5a0b44e86ea8d9f52b9dc2980c5