Analysis
- max time kernel: 152s
- max time network: 158s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 04:46

Tasks
- Static task static1
- Behavioral task behavioral1
  Sample: 147b3ab1f78e903ee4629ea8d29cea3e067b1998f48a39400eed03bdf0279029.exe
  Resource: win7-en-20211208
- Behavioral task behavioral2
  Sample: 147b3ab1f78e903ee4629ea8d29cea3e067b1998f48a39400eed03bdf0279029.exe
  Resource: win10v2004-en-20220113
General
- Target: 147b3ab1f78e903ee4629ea8d29cea3e067b1998f48a39400eed03bdf0279029.exe
- Size: 100KB
- MD5: 75c5f8ee7d85854b1740acd661033d39
- SHA1: 94215ed78ec698a1b72ff4bb18959c12472ca5cf
- SHA256: 147b3ab1f78e903ee4629ea8d29cea3e067b1998f48a39400eed03bdf0279029
- SHA512: 75d3486ec3cbb03e61a4c1aa4935058242aea8752f275e89ee757d9e1a7207885c14a1713b2c3167a184a4d0a5d50f232407c4373b7f09020fc086951937d4ae
Malware Config
Signatures
- Sakula Payload (3 IoCs)
  Processes:
  resource | yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- Executes dropped EXE (1 IoC)
  Processes:
  pid | process
  268 | MediaCenter.exe
- Deletes itself (1 IoC)
  Processes:
  pid | process
  1864 | cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes:
  pid | process
  1172 | 147b3ab1f78e903ee4629ea8d29cea3e067b1998f48a39400eed03bdf0279029.exe
  1172 | 147b3ab1f78e903ee4629ea8d29cea3e067b1998f48a39400eed03bdf0279029.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 147b3ab1f78e903ee4629ea8d29cea3e067b1998f48a39400eed03bdf0279029.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 1172 | 147b3ab1f78e903ee4629ea8d29cea3e067b1998f48a39400eed03bdf0279029.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (each row reported 4 times):
  description | pid | process | target process
  PID 1172 wrote to memory of 268 | 1172 | 147b3ab1f78e903ee4629ea8d29cea3e067b1998f48a39400eed03bdf0279029.exe | MediaCenter.exe
  PID 1172 wrote to memory of 1864 | 1172 | 147b3ab1f78e903ee4629ea8d29cea3e067b1998f48a39400eed03bdf0279029.exe | cmd.exe
  PID 1864 wrote to memory of 1948 | 1864 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\147b3ab1f78e903ee4629ea8d29cea3e067b1998f48a39400eed03bdf0279029.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\147b3ab1f78e903ee4629ea8d29cea3e067b1998f48a39400eed03bdf0279029.exe"
  PID: 1172
  Signatures: Loads dropped DLL; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 268
    Signatures: Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\147b3ab1f78e903ee4629ea8d29cea3e067b1998f48a39400eed03bdf0279029.exe"
    PID: 1864
    Signatures: Deletes itself; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 1948
      Signatures: Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: bd81ef1ecf79feed5e8c28e2c63bbc96
  SHA1: d7b05eed0e606c9df558c35280fd6841ca442e26
  SHA256: 15e0e048863b8ab286c44b3df652c48ce850f9097ef67571939f9d79ff02c31b
  SHA512: 7fb9d19b216e9d3e880775a405d3921d15f1cbc82d0a6f2efe7aa90347fe661248531554985da2a551eca678ce419c13aa800dde0025a4a8b7b91be59df7e832