Analysis
- max time kernel: 141s
- max time network: 166s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 04:42
Static task: static1
Behavioral task: behavioral1
  Sample: 14c2d6fbed8e34eef0dcac2ebd3bcec8be8ed887e03e6f99e6f9982915e3879b.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 14c2d6fbed8e34eef0dcac2ebd3bcec8be8ed887e03e6f99e6f9982915e3879b.exe
  Resource: win10v2004-en-20220113
General
- Target: 14c2d6fbed8e34eef0dcac2ebd3bcec8be8ed887e03e6f99e6f9982915e3879b.exe
- Size: 89KB
- MD5: 0f97508957cc5f0397e25c39657145ee
- SHA1: 90fde6621f25c5915adadfe888a8d061b33e7367
- SHA256: 14c2d6fbed8e34eef0dcac2ebd3bcec8be8ed887e03e6f99e6f9982915e3879b
- SHA512: ffdd5141f6347b40f3c5628c37b635a46ad2144ecb51e829ce1ba196a8ddfd73ab615270d5017780b3dad92748e9adf9f1b0c788dc3760ec0d24f94c23caf82c
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  Processes:
  resource | yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- Executes dropped EXE (1 IoC)
  Processes (MediaCenter.exe):
  pid | process
  1656 | MediaCenter.exe
- Deletes itself (1 IoC)
  Processes (cmd.exe):
  pid | process
  944 | cmd.exe
- Loads dropped DLL (1 IoC)
  Processes (14c2d6fbed8e34eef0dcac2ebd3bcec8be8ed887e03e6f99e6f9982915e3879b.exe):
  pid | process
  1628 | 14c2d6fbed8e34eef0dcac2ebd3bcec8be8ed887e03e6f99e6f9982915e3879b.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (14c2d6fbed8e34eef0dcac2ebd3bcec8be8ed887e03e6f99e6f9982915e3879b.exe):
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 14c2d6fbed8e34eef0dcac2ebd3bcec8be8ed887e03e6f99e6f9982915e3879b.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (14c2d6fbed8e34eef0dcac2ebd3bcec8be8ed887e03e6f99e6f9982915e3879b.exe):
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 1628 | 14c2d6fbed8e34eef0dcac2ebd3bcec8be8ed887e03e6f99e6f9982915e3879b.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (14c2d6fbed8e34eef0dcac2ebd3bcec8be8ed887e03e6f99e6f9982915e3879b.exe, cmd.exe):
  description | pid | process | target process
  PID 1628 wrote to memory of 1656 | 1628 | 14c2d6fbed8e34eef0dcac2ebd3bcec8be8ed887e03e6f99e6f9982915e3879b.exe | MediaCenter.exe
  PID 1628 wrote to memory of 1656 | 1628 | 14c2d6fbed8e34eef0dcac2ebd3bcec8be8ed887e03e6f99e6f9982915e3879b.exe | MediaCenter.exe
  PID 1628 wrote to memory of 1656 | 1628 | 14c2d6fbed8e34eef0dcac2ebd3bcec8be8ed887e03e6f99e6f9982915e3879b.exe | MediaCenter.exe
  PID 1628 wrote to memory of 1656 | 1628 | 14c2d6fbed8e34eef0dcac2ebd3bcec8be8ed887e03e6f99e6f9982915e3879b.exe | MediaCenter.exe
  PID 1628 wrote to memory of 944 | 1628 | 14c2d6fbed8e34eef0dcac2ebd3bcec8be8ed887e03e6f99e6f9982915e3879b.exe | cmd.exe
  PID 1628 wrote to memory of 944 | 1628 | 14c2d6fbed8e34eef0dcac2ebd3bcec8be8ed887e03e6f99e6f9982915e3879b.exe | cmd.exe
  PID 1628 wrote to memory of 944 | 1628 | 14c2d6fbed8e34eef0dcac2ebd3bcec8be8ed887e03e6f99e6f9982915e3879b.exe | cmd.exe
  PID 1628 wrote to memory of 944 | 1628 | 14c2d6fbed8e34eef0dcac2ebd3bcec8be8ed887e03e6f99e6f9982915e3879b.exe | cmd.exe
  PID 944 wrote to memory of 1040 | 944 | cmd.exe | PING.EXE
  PID 944 wrote to memory of 1040 | 944 | cmd.exe | PING.EXE
  PID 944 wrote to memory of 1040 | 944 | cmd.exe | PING.EXE
  PID 944 wrote to memory of 1040 | 944 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\14c2d6fbed8e34eef0dcac2ebd3bcec8be8ed887e03e6f99e6f9982915e3879b.exe (PID 1628, level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\14c2d6fbed8e34eef0dcac2ebd3bcec8be8ed887e03e6f99e6f9982915e3879b.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 1656, level 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 944, level 2)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\14c2d6fbed8e34eef0dcac2ebd3bcec8be8ed887e03e6f99e6f9982915e3879b.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 1040, level 3)
      Command line: ping 127.0.0.1
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: d185bedaec333b77c3c02d4426f8a1f8
  SHA1: 2bdfa5468a0ce519b0d9400f97f2d253bb04766d
  SHA256: 05bf942704ee031695e41493062053f799ea46a69fa05ffc348916c66b0fae5f
  SHA512: 14a4194dd14fcc80d035e95f11108b51d163ae1849d2b117bf8fc051236caf9fcd39f47ea2087bc3dea6bbd4712290e966d45862e42011dbf7ecae7a0a02b573