Analysis
- max time kernel: 129s
- max time network: 145s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 04:49
Static task: static1
Behavioral task: behavioral1
- Sample: 144b64555304f9bc1ae8d6ceae824ca151743157911659023d4ef2998ccac61c.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 144b64555304f9bc1ae8d6ceae824ca151743157911659023d4ef2998ccac61c.exe
- Resource: win10v2004-en-20220113
General
- Target: 144b64555304f9bc1ae8d6ceae824ca151743157911659023d4ef2998ccac61c.exe
- Size: 216KB
- MD5: 8d88a23210696513c262607aa197f1be
- SHA1: c1f56591ec7ea5409d6afd34f6b190cdd6780935
- SHA256: 144b64555304f9bc1ae8d6ceae824ca151743157911659023d4ef2998ccac61c
- SHA512: 2005531ed80f78d57d97f61e09e653e7d45e3c27b3466fd068c26086cda651338f82ed60b6928b2039a40d715e7ff84ddcb77a151bc15998a7b4115aac2d2d03
Malware Config
Signatures
- Sakula Payload (4 IoCs)
  Processes (resource | yara_rule):
  - \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  - behavioral1/memory/1768-59-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
  - behavioral1/memory/1148-60-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
- Executes dropped EXE (1 IoC)
  Processes (pid | process):
  - 1148 | MediaCenter.exe
- Deletes itself (1 IoC)
  Processes (pid | process):
  - 1108 | cmd.exe
- Loads dropped DLL (1 IoC)
  Processes (pid | process):
  - 1768 | 144b64555304f9bc1ae8d6ceae824ca151743157911659023d4ef2998ccac61c.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description | ioc | process):
  - Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 144b64555304f9bc1ae8d6ceae824ca151743157911659023d4ef2998ccac61c.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description | pid | process):
  - Token: SeIncBasePriorityPrivilege | 1768 | 144b64555304f9bc1ae8d6ceae824ca151743157911659023d4ef2998ccac61c.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description | pid | process | target process):
  - PID 1768 wrote to memory of 1148 | 1768 | 144b64555304f9bc1ae8d6ceae824ca151743157911659023d4ef2998ccac61c.exe | MediaCenter.exe
  - PID 1768 wrote to memory of 1148 | 1768 | 144b64555304f9bc1ae8d6ceae824ca151743157911659023d4ef2998ccac61c.exe | MediaCenter.exe
  - PID 1768 wrote to memory of 1148 | 1768 | 144b64555304f9bc1ae8d6ceae824ca151743157911659023d4ef2998ccac61c.exe | MediaCenter.exe
  - PID 1768 wrote to memory of 1148 | 1768 | 144b64555304f9bc1ae8d6ceae824ca151743157911659023d4ef2998ccac61c.exe | MediaCenter.exe
  - PID 1768 wrote to memory of 1108 | 1768 | 144b64555304f9bc1ae8d6ceae824ca151743157911659023d4ef2998ccac61c.exe | cmd.exe
  - PID 1768 wrote to memory of 1108 | 1768 | 144b64555304f9bc1ae8d6ceae824ca151743157911659023d4ef2998ccac61c.exe | cmd.exe
  - PID 1768 wrote to memory of 1108 | 1768 | 144b64555304f9bc1ae8d6ceae824ca151743157911659023d4ef2998ccac61c.exe | cmd.exe
  - PID 1768 wrote to memory of 1108 | 1768 | 144b64555304f9bc1ae8d6ceae824ca151743157911659023d4ef2998ccac61c.exe | cmd.exe
  - PID 1108 wrote to memory of 1072 | 1108 | cmd.exe | PING.EXE
  - PID 1108 wrote to memory of 1072 | 1108 | cmd.exe | PING.EXE
  - PID 1108 wrote to memory of 1072 | 1108 | cmd.exe | PING.EXE
  - PID 1108 wrote to memory of 1072 | 1108 | cmd.exe | PING.EXE
Processes
- Image: C:\Users\Admin\AppData\Local\Temp\144b64555304f9bc1ae8d6ceae824ca151743157911659023d4ef2998ccac61c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\144b64555304f9bc1ae8d6ceae824ca151743157911659023d4ef2998ccac61c.exe"
  PID: 1768
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Image: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 1148
    - Executes dropped EXE
  - Image: C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\144b64555304f9bc1ae8d6ceae824ca151743157911659023d4ef2998ccac61c.exe"
    PID: 1108
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - Image: C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 1072
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: d8178aeaf71c60d01d065ff444ad374c
  SHA1: 1ab97a6932ed4188e6c426a2f164020d74c95466
  SHA256: c74c3caa793bdaf4f2eaf6ae46d63d819cac9541212e6f653c7d5102ee636eba
  SHA512: f162933d52c71d90b2e9f7a8dd43a5cca95c0a8293783f15dafeab1d00b53a5a52adda19826b0061d31ccd956a721cf9bf53aa23021c4da1b9c977c29b8d128e