Analysis

Max time kernel: 119s
Max time network: 131s
Platform: windows7_x64
Resource: win7-en-20211208
Submitted: 12-02-2022 04:45
Static task: static1

Behavioral task: behavioral1
  Sample: 1496f65f885df7a5e95154a38aa6fd1fc3ad0a8917f27129430d9dd1d6ee6c27.exe
  Resource: win7-en-20211208

Behavioral task: behavioral2
  Sample: 1496f65f885df7a5e95154a38aa6fd1fc3ad0a8917f27129430d9dd1d6ee6c27.exe
  Resource: win10v2004-en-20220113
General

Target: 1496f65f885df7a5e95154a38aa6fd1fc3ad0a8917f27129430d9dd1d6ee6c27.exe
Size: 192KB
MD5: e719906766439550d92fc92cefb2b4c4
SHA1: c72be3b2ddf9b5fe10c25f81d460000cc9eed734
SHA256: 1496f65f885df7a5e95154a38aa6fd1fc3ad0a8917f27129430d9dd1d6ee6c27
SHA512: 472a6355f8b641c8f568dd65414f1735181a42c51d82d1c977e0f3e75a81dd31d806403d2244c2212093af7e250ee1e59d1211f856b6c36c661faa08d78c34f3
Malware Config
Signatures
Sakula Payload (3 IoCs)
  resource                                                      yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe    family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  family_sakula
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe    family_sakula
Executes dropped EXE (1 IoC)
  pid   process
  1028  MediaCenter.exe
Deletes itself (1 IoC)
  pid   process
  1812  cmd.exe
Loads dropped DLL (2 IoCs)
  pid   process
  1588  1496f65f885df7a5e95154a38aa6fd1fc3ad0a8917f27129430d9dd1d6ee6c27.exe
  1588  1496f65f885df7a5e95154a38aa6fd1fc3ad0a8917f27129430d9dd1d6ee6c27.exe
Adds Run key to start application (2 TTPs, 1 IoC)
  process: 1496f65f885df7a5e95154a38aa6fd1fc3ad0a8917f27129430d9dd1d6ee6c27.exe
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  (The sample is a 32-bit process writing HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run; the registry redirector places the write under Wow6432Node. It is a machine-wide Run key, which succeeds here because the sandbox runs the sample as Admin.)
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  (This is the sandbox's generic description for its drive-enumeration heuristic. It fires on any sample that opens drive or volume handles and does not by itself show encryption activity; the Yara match and the rest of the behaviour here point at the Sakula family rather than ransomware.)
Runs ping.exe (1 TTP, 1 IoC)
Suspicious use of AdjustPrivilegeToken (1 IoC)
  description                              pid   process
  Token: SeIncBasePriorityPrivilege        1588  1496f65f885df7a5e95154a38aa6fd1fc3ad0a8917f27129430d9dd1d6ee6c27.exe
Suspicious use of WriteProcessMemory (12 IoCs)
  source pid  source process                                                           target pid  target process   events
  1588        1496f65f885df7a5e95154a38aa6fd1fc3ad0a8917f27129430d9dd1d6ee6c27.exe    1028        MediaCenter.exe  4
  1588        1496f65f885df7a5e95154a38aa6fd1fc3ad0a8917f27129430d9dd1d6ee6c27.exe    1812        cmd.exe          4
  1812        cmd.exe                                                                  1272        PING.EXE         4
Processes

1. C:\Users\Admin\AppData\Local\Temp\1496f65f885df7a5e95154a38aa6fd1fc3ad0a8917f27129430d9dd1d6ee6c27.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\1496f65f885df7a5e95154a38aa6fd1fc3ad0a8917f27129430d9dd1d6ee6c27.exe"
   PID: 1588
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      PID: 1028
      - Executes dropped EXE

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\1496f65f885df7a5e95154a38aa6fd1fc3ad0a8917f27129430d9dd1d6ee6c27.exe"
      PID: 1812
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      (The command line names System32\cmd.exe, but the image that runs is SysWOW64\cmd.exe: the 32-bit parent's request is redirected by WOW64 file system redirection. The ping to 127.0.0.1 is only a delay so that the parent has exited before del removes its on-disk image.)

      3. C:\Windows\SysWOW64\PING.EXE
         Command line: ping 127.0.0.1
         PID: 1272
         - Runs ping.exe
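The three behaviours the signatures above record (a dropped executable run from %LOCALAPPDATA%\Temp, a Run key pointing into that directory, and a cmd.exe child that pings loopback and then deletes its parent's image) are easy to turn into host-side detection logic. The Python below is an added example, not part of the sandbox report or of the Sakula sample: it runs those three checks over constructed process, file-write and registry events that mirror the report's process tree. ProcEvent, FileEvent and RegEvent are assumed record shapes loosely modelled on Sysmon event IDs 1, 11 and 13, not a real API, and the parent PID 1000 for the sample is a placeholder.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:          # process creation (Sysmon EID 1 style); assumed shape
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass(frozen=True)
class FileEvent:          # a process wrote a file (Sysmon EID 11 style); assumed shape
    pid: int
    path: str


@dataclass(frozen=True)
class RegEvent:           # a process set a registry value (Sysmon EID 13 style); assumed shape
    pid: int
    key: str
    value: str


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\1496f65f885df7a5e95154a38aa6fd1fc3ad0a8917f27129430d9dd1d6ee6c27.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

# Constructed events that mirror the report's process tree; PPID 1000 is a placeholder.
PROC_EVENTS = [
    ProcEvent(1588, 1000, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(1028, 1588, DROPPED, DROPPED),
    ProcEvent(1812, 1588, r"C:\Windows\SysWOW64\cmd.exe",
              f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"'),
    ProcEvent(1272, 1812, r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.1"),
]
FILE_EVENTS = [FileEvent(1588, DROPPED)]
REG_EVENTS = [RegEvent(
    1588,
    r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
    DROPPED,
)]

RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.I)
USER_WRITABLE_RE = re.compile(r"\\AppData\\(?:Local|Roaming)\\|\\ProgramData\\|\\Users\\Public\\", re.I)
# "ping [-n N] 127.0.0.1|localhost ... & del [/switches] <path>.exe": loopback ping used as a sleep, then delete.
SELF_DELETE_RE = re.compile(
    r'ping(?:\s+-n\s+\d+)?\s+(?:127\.0\.0\.1|localhost)\b.*?&+\s*del\s+(?:/\w+\s+)*"?([^"&]+?\.exe)"?',
    re.I,
)


def find_self_delete(procs):
    """cmd.exe children whose command line pings loopback and then deletes their parent's own image."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for p in procs:
        if not p.image.lower().endswith("\\cmd.exe"):
            continue
        m = SELF_DELETE_RE.search(p.cmdline)
        parent = by_pid.get(p.ppid)
        if m and parent and m.group(1).lower() == parent.image.lower():
            hits.append((p.pid, parent.pid, parent.image))
    return hits


def find_user_writable_run_keys(regs):
    """Run/RunOnce values that point at an executable under a user-writable directory."""
    return [(r.pid, r.key.rsplit("\\", 1)[-1], r.value)
            for r in regs if RUN_KEY_RE.search(r.key) and USER_WRITABLE_RE.search(r.value)]


def find_dropped_and_executed(procs, files):
    """Child processes whose image was written to disk by their own parent earlier in the trace."""
    written = {}
    for f in files:
        written.setdefault(f.pid, set()).add(f.path.lower())
    return [(p.ppid, p.pid, p.image) for p in procs if p.image.lower() in written.get(p.ppid, set())]


def triage(procs, files, regs):
    """Run all three checks and return the hits keyed by behaviour name."""
    return {
        "self_delete": find_self_delete(procs),
        "run_key_user_writable": find_user_writable_run_keys(regs),
        "dropped_exe_executed": find_dropped_and_executed(procs, files),
    }


if __name__ == "__main__":
    for name, hits in triage(PROC_EVENTS, FILE_EVENTS, REG_EVENTS).items():
        print(f"{name}: {hits}")
```

The self-deletion check deliberately requires that the deleted path equal the parent's image, so an ordinary script that pings and then cleans up a temp file does not fire; it accepts the `ping -n N` and `localhost` variants but not a `timeout /t N` delay, which would need a second pattern. The Run key check is keyed on the value path rather than the key name, so it also catches RunOnce and values whose name looks benign, as MicroMedia does here.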
Network
MITRE ATT&CK Enterprise v6
Downloads

Dropped file (one distinct file; the report lists the same hash set once per row of the Sakula Payload table above):
MD5: e845ac5686de6659a42847bdf4f38265
SHA1: e935ddf6d042219a59fb89c937384cd6877b26d1
SHA256: 748a8d0cc02f6389eb61a1f621e41ac2f5d1c47a49f92aa0dc3984c945181284
SHA512: 027e35452330dd29159859b1c6001461d14944a36e4d15ebbe94c46a61426180310f0c2b6ddabd7eb4cda7ed6a291dfc303dacc42a9d3203485da3b2f9c70107