Analysis
max time kernel: 117s
max time network: 126s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 04:45
Static task: static1
Behavioral task: behavioral1
  Sample: 14943b577e36630ed1a1bee1291f5ac0ac6aafdc1b8018db668d7d7f7073f179.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 14943b577e36630ed1a1bee1291f5ac0ac6aafdc1b8018db668d7d7f7073f179.exe
  Resource: win10v2004-en-20220113
General
Target: 14943b577e36630ed1a1bee1291f5ac0ac6aafdc1b8018db668d7d7f7073f179.exe
Size: 100KB
MD5: 58470b07aca5010b23b97f023a01f1ac
SHA1: b40f52f10476b261ba148af69e52b28591cb9782
SHA256: 14943b577e36630ed1a1bee1291f5ac0ac6aafdc1b8018db668d7d7f7073f179
SHA512: a6c9e19464b64b0bc9564a468639e48601e13ea0b9a72a2b21bfa1b3c87536b4255bb615f0da7d8b026984df672a2884a532396c11dc7f0311a0aa77916c40fd
Malware Config
Signatures
Sakula Payload 3 IoCs
Processes:
resource                                                       yara_rule
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe     family_sakula
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe     family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe   family_sakula
Executes dropped EXE 1 IoCs
Processes: MediaCenter.exe
pid    process
1084   MediaCenter.exe
Deletes itself 1 IoCs
Processes: cmd.exe
pid    process
1560   cmd.exe
Loads dropped DLL 2 IoCs
Processes: 14943b577e36630ed1a1bee1291f5ac0ac6aafdc1b8018db668d7d7f7073f179.exe
pid    process
1068   14943b577e36630ed1a1bee1291f5ac0ac6aafdc1b8018db668d7d7f7073f179.exe
1068   14943b577e36630ed1a1bee1291f5ac0ac6aafdc1b8018db668d7d7f7073f179.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes: 14943b577e36630ed1a1bee1291f5ac0ac6aafdc1b8018db668d7d7f7073f179.exe
description      ioc                                                                                                                                                           process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  14943b577e36630ed1a1bee1291f5ac0ac6aafdc1b8018db668d7d7f7073f179.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Runs ping.exe 1 TTPs 1 IoCs
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes: 14943b577e36630ed1a1bee1291f5ac0ac6aafdc1b8018db668d7d7f7073f179.exe
description                          pid    process
Token: SeIncBasePriorityPrivilege    1068   14943b577e36630ed1a1bee1291f5ac0ac6aafdc1b8018db668d7d7f7073f179.exe
Suspicious use of WriteProcessMemory 12 IoCs
Processes: 14943b577e36630ed1a1bee1291f5ac0ac6aafdc1b8018db668d7d7f7073f179.exe, cmd.exe
description                         pid    process                                                                  target process
PID 1068 wrote to memory of 1084    1068   14943b577e36630ed1a1bee1291f5ac0ac6aafdc1b8018db668d7d7f7073f179.exe    MediaCenter.exe
PID 1068 wrote to memory of 1084    1068   14943b577e36630ed1a1bee1291f5ac0ac6aafdc1b8018db668d7d7f7073f179.exe    MediaCenter.exe
PID 1068 wrote to memory of 1084    1068   14943b577e36630ed1a1bee1291f5ac0ac6aafdc1b8018db668d7d7f7073f179.exe    MediaCenter.exe
PID 1068 wrote to memory of 1084    1068   14943b577e36630ed1a1bee1291f5ac0ac6aafdc1b8018db668d7d7f7073f179.exe    MediaCenter.exe
PID 1068 wrote to memory of 1560    1068   14943b577e36630ed1a1bee1291f5ac0ac6aafdc1b8018db668d7d7f7073f179.exe    cmd.exe
PID 1068 wrote to memory of 1560    1068   14943b577e36630ed1a1bee1291f5ac0ac6aafdc1b8018db668d7d7f7073f179.exe    cmd.exe
PID 1068 wrote to memory of 1560    1068   14943b577e36630ed1a1bee1291f5ac0ac6aafdc1b8018db668d7d7f7073f179.exe    cmd.exe
PID 1068 wrote to memory of 1560    1068   14943b577e36630ed1a1bee1291f5ac0ac6aafdc1b8018db668d7d7f7073f179.exe    cmd.exe
PID 1560 wrote to memory of 440     1560   cmd.exe                                                                  PING.EXE
PID 1560 wrote to memory of 440     1560   cmd.exe                                                                  PING.EXE
PID 1560 wrote to memory of 440     1560   cmd.exe                                                                  PING.EXE
PID 1560 wrote to memory of 440     1560   cmd.exe                                                                  PING.EXE
Processes
C:\Users\Admin\AppData\Local\Temp\14943b577e36630ed1a1bee1291f5ac0ac6aafdc1b8018db668d7d7f7073f179.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\14943b577e36630ed1a1bee1291f5ac0ac6aafdc1b8018db668d7d7f7073f179.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1068
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1084
  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\14943b577e36630ed1a1bee1291f5ac0ac6aafdc1b8018db668d7d7f7073f179.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1560
    C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 440
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: 782b8a461e1b5a391db55bca33ad208c
SHA1: 82a9b1f3bf35ba5cef0988c08c81563d9478f707
SHA256: 2efcea653d64333007d898cba17737f7e8f296803aacfb27851cd794f099427b
SHA512: 150413055225a18a3f4f7d8c36d55db552b151ec18f5fb5b418b55c3487711f04112e185727a06e27e0eb7ecafd61fca445efa185dc1f44472465ea0d8dcfb9e