Analysis
- max time kernel: 132s
- max time network: 146s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 04:42
Static task: static1
Behavioral task: behavioral1
  Sample: 14c55e4f0ee30912cfafb70aacb574ef33a5c0f5b58df8dae20b84a408fe4227.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 14c55e4f0ee30912cfafb70aacb574ef33a5c0f5b58df8dae20b84a408fe4227.exe
  Resource: win10v2004-en-20220113
General
- Target: 14c55e4f0ee30912cfafb70aacb574ef33a5c0f5b58df8dae20b84a408fe4227.exe
- Size: 80KB
- MD5: bfc0247ec59849ae2298997f9fc2a220
- SHA1: 4c9191907ddd1179a7859da419bce0974463803a
- SHA256: 14c55e4f0ee30912cfafb70aacb574ef33a5c0f5b58df8dae20b84a408fe4227
- SHA512: 1e790580eb7a22593bb25ccb79133d0b4a71edbdd3d288fedef83126cc95d823d6180f9e5a39ccaff0edee53e29996b23a6b3c6f9fb4943fdeea11e39c5ba857
Malware Config
Signatures
- Sakula Payload (3 IoCs)
  Processes:
    resource | yara_rule
    \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
    \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- Executes dropped EXE (1 IoC)
  Processes:
    pid | process
    892 | MediaCenter.exe
- Deletes itself (1 IoC)
  Processes:
    pid | process
    396 | cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes:
    pid  | process
    1504 | 14c55e4f0ee30912cfafb70aacb574ef33a5c0f5b58df8dae20b84a408fe4227.exe
    1504 | 14c55e4f0ee30912cfafb70aacb574ef33a5c0f5b58df8dae20b84a408fe4227.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    description | ioc | process
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 14c55e4f0ee30912cfafb70aacb574ef33a5c0f5b58df8dae20b84a408fe4227.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description | pid | process
    Token: SeIncBasePriorityPrivilege | 1504 | 14c55e4f0ee30912cfafb70aacb574ef33a5c0f5b58df8dae20b84a408fe4227.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
    description | pid | process | target process
    PID 1504 wrote to memory of 892 | 1504 | 14c55e4f0ee30912cfafb70aacb574ef33a5c0f5b58df8dae20b84a408fe4227.exe | MediaCenter.exe
    PID 1504 wrote to memory of 892 | 1504 | 14c55e4f0ee30912cfafb70aacb574ef33a5c0f5b58df8dae20b84a408fe4227.exe | MediaCenter.exe
    PID 1504 wrote to memory of 892 | 1504 | 14c55e4f0ee30912cfafb70aacb574ef33a5c0f5b58df8dae20b84a408fe4227.exe | MediaCenter.exe
    PID 1504 wrote to memory of 892 | 1504 | 14c55e4f0ee30912cfafb70aacb574ef33a5c0f5b58df8dae20b84a408fe4227.exe | MediaCenter.exe
    PID 1504 wrote to memory of 396 | 1504 | 14c55e4f0ee30912cfafb70aacb574ef33a5c0f5b58df8dae20b84a408fe4227.exe | cmd.exe
    PID 1504 wrote to memory of 396 | 1504 | 14c55e4f0ee30912cfafb70aacb574ef33a5c0f5b58df8dae20b84a408fe4227.exe | cmd.exe
    PID 1504 wrote to memory of 396 | 1504 | 14c55e4f0ee30912cfafb70aacb574ef33a5c0f5b58df8dae20b84a408fe4227.exe | cmd.exe
    PID 1504 wrote to memory of 396 | 1504 | 14c55e4f0ee30912cfafb70aacb574ef33a5c0f5b58df8dae20b84a408fe4227.exe | cmd.exe
    PID 396 wrote to memory of 1672 | 396 | cmd.exe | PING.EXE
    PID 396 wrote to memory of 1672 | 396 | cmd.exe | PING.EXE
    PID 396 wrote to memory of 1672 | 396 | cmd.exe | PING.EXE
    PID 396 wrote to memory of 1672 | 396 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\14c55e4f0ee30912cfafb70aacb574ef33a5c0f5b58df8dae20b84a408fe4227.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\14c55e4f0ee30912cfafb70aacb574ef33a5c0f5b58df8dae20b84a408fe4227.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1504
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 892
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\14c55e4f0ee30912cfafb70aacb574ef33a5c0f5b58df8dae20b84a408fe4227.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 396
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1672
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 31165f932965794e2a15d081b8b41fc6
  SHA1: 373095e95e3d7b6944d0fc5c36b713f08e2f78a1
  SHA256: c78454dd1b219ac04779243746d1adc053cc11dc7c81af46f103b665a8a09b0b
  SHA512: 390fd4f4a090e0ee430a6eb00d071fcd591a7df319c5eb1870d611350e2a789dfd9b27a023dd7cc43ea462db89c8e01781a5cbeee18aa05a307b7531d32a03b3