Analysis
max time kernel: 125s
max time network: 156s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 04:48
Static task: static1
Behavioral task: behavioral1
  Sample: 14628c0dc4aa1e870d5fc84eb0fbf7cb11543628aa06f50bbf8e6ffedcf6a941.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 14628c0dc4aa1e870d5fc84eb0fbf7cb11543628aa06f50bbf8e6ffedcf6a941.exe
  Resource: win10v2004-en-20220113
General
Target: 14628c0dc4aa1e870d5fc84eb0fbf7cb11543628aa06f50bbf8e6ffedcf6a941.exe
Size: 99KB
MD5: d165c639f01cb9433571f35b64417a64
SHA1: 552ebf9b7e756359e8b6e3986a3852b5325a2bee
SHA256: 14628c0dc4aa1e870d5fc84eb0fbf7cb11543628aa06f50bbf8e6ffedcf6a941
SHA512: 9465a71b87d69644d772f7396aea9e349213b211f915a6929c3871646cba3359433e21bac4d2bd2791dcd17ef1960966c9a95bae6666116d7ad73280533fb5b6
Malware Config
Signatures
Sakula Payload (3 IoCs)
  resource                                                      yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe    family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  family_sakula
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe    family_sakula

Executes dropped EXE (1 IoC)
  pid   process
  1656  MediaCenter.exe

Deletes itself (1 IoC)
  pid   process
  1520  cmd.exe

Loads dropped DLL (2 IoCs)
  pid   process
  1188  14628c0dc4aa1e870d5fc84eb0fbf7cb11543628aa06f50bbf8e6ffedcf6a941.exe
  1188  14628c0dc4aa1e870d5fc84eb0fbf7cb11543628aa06f50bbf8e6ffedcf6a941.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  description      ioc                                                                                                                                                                       process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  14628c0dc4aa1e870d5fc84eb0fbf7cb11543628aa06f50bbf8e6ffedcf6a941.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTP, 1 IoC)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description                        pid   process
  Token: SeIncBasePriorityPrivilege  1188  14628c0dc4aa1e870d5fc84eb0fbf7cb11543628aa06f50bbf8e6ffedcf6a941.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  description                       pid   process                                                                 target process
  PID 1188 wrote to memory of 1656  1188  14628c0dc4aa1e870d5fc84eb0fbf7cb11543628aa06f50bbf8e6ffedcf6a941.exe  MediaCenter.exe
  PID 1188 wrote to memory of 1656  1188  14628c0dc4aa1e870d5fc84eb0fbf7cb11543628aa06f50bbf8e6ffedcf6a941.exe  MediaCenter.exe
  PID 1188 wrote to memory of 1656  1188  14628c0dc4aa1e870d5fc84eb0fbf7cb11543628aa06f50bbf8e6ffedcf6a941.exe  MediaCenter.exe
  PID 1188 wrote to memory of 1656  1188  14628c0dc4aa1e870d5fc84eb0fbf7cb11543628aa06f50bbf8e6ffedcf6a941.exe  MediaCenter.exe
  PID 1188 wrote to memory of 1520  1188  14628c0dc4aa1e870d5fc84eb0fbf7cb11543628aa06f50bbf8e6ffedcf6a941.exe  cmd.exe
  PID 1188 wrote to memory of 1520  1188  14628c0dc4aa1e870d5fc84eb0fbf7cb11543628aa06f50bbf8e6ffedcf6a941.exe  cmd.exe
  PID 1188 wrote to memory of 1520  1188  14628c0dc4aa1e870d5fc84eb0fbf7cb11543628aa06f50bbf8e6ffedcf6a941.exe  cmd.exe
  PID 1188 wrote to memory of 1520  1188  14628c0dc4aa1e870d5fc84eb0fbf7cb11543628aa06f50bbf8e6ffedcf6a941.exe  cmd.exe
  PID 1520 wrote to memory of 968   1520  cmd.exe                                                                 PING.EXE
  PID 1520 wrote to memory of 968   1520  cmd.exe                                                                 PING.EXE
  PID 1520 wrote to memory of 968   1520  cmd.exe                                                                 PING.EXE
  PID 1520 wrote to memory of 968   1520  cmd.exe                                                                 PING.EXE
Processes
  C:\Users\Admin\AppData\Local\Temp\14628c0dc4aa1e870d5fc84eb0fbf7cb11543628aa06f50bbf8e6ffedcf6a941.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\14628c0dc4aa1e870d5fc84eb0fbf7cb11543628aa06f50bbf8e6ffedcf6a941.exe"
    PID: 1188
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      PID: 1656
      - Executes dropped EXE
    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\14628c0dc4aa1e870d5fc84eb0fbf7cb11543628aa06f50bbf8e6ffedcf6a941.exe"
      PID: 1520
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\PING.EXE
        Command line: ping 127.0.0.1
        PID: 968
        - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: c3d6b28eb652b3a72e50e19f0ee753a1
SHA1: 359fa673d2cee308e2be5af120848862f733f0fc
SHA256: 1215c81f3f80d7846eb037288a98e64e4e3b31ac9771ca5036c43a5543fe2a33
SHA512: dd60fb07ca8c672add1ee31929206a98d7b66d0df2bf399eeea2de0f9d009568a4ed36c64ce52676ac5964ab772e287017322978d812ddee7615390ae9568204