Analysis

max time kernel: 157s
max time network: 175s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 04:49
Static task: static1

Behavioral task: behavioral1
Sample: 14541bc6ebc867669a8d89a2acd37f57ed932b484ebfa2400b853748da79090c.exe
Resource: win7-en-20211208

Behavioral task: behavioral2
Sample: 14541bc6ebc867669a8d89a2acd37f57ed932b484ebfa2400b853748da79090c.exe
Resource: win10v2004-en-20220113
General

Target: 14541bc6ebc867669a8d89a2acd37f57ed932b484ebfa2400b853748da79090c.exe
Size: 101KB
MD5: e5c8f39466b7e7343bd17daf0a0baa29
SHA1: c40dd448870a1bcdf6ff1edaa5a0bb99768aed35
SHA256: 14541bc6ebc867669a8d89a2acd37f57ed932b484ebfa2400b853748da79090c
SHA512: 8eab8ea899ebe3edf5b5e2dbaf0924291fac056a5fc71bc79ef829f8a92263aacf174046d9de4371bcb7647c6897f5330bd1769b02dcc3605fb50cd1a47b0e25
Malware Config
Signatures
-
Sakula Payload 3 IoCs
Processes:
resource: \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe, yara_rule: family_sakula
resource: \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe, yara_rule: family_sakula
resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe, yara_rule: family_sakula
Executes dropped EXE 1 IoCs
Processes:
pid: 1452, process: MediaCenter.exe
Deletes itself 1 IoCs
Processes:
pid: 828, process: cmd.exe
Loads dropped DLL 2 IoCs
Processes:
pid: 1048, process: 14541bc6ebc867669a8d89a2acd37f57ed932b484ebfa2400b853748da79090c.exe
pid: 1048, process: 14541bc6ebc867669a8d89a2acd37f57ed932b484ebfa2400b853748da79090c.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description: Set value (str)
ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
process: 14541bc6ebc867669a8d89a2acd37f57ed932b484ebfa2400b853748da79090c.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
description: Token: SeIncBasePriorityPrivilege, pid: 1048, process: 14541bc6ebc867669a8d89a2acd37f57ed932b484ebfa2400b853748da79090c.exe
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
description: PID 1048 wrote to memory of 1452, pid: 1048, process: 14541bc6ebc867669a8d89a2acd37f57ed932b484ebfa2400b853748da79090c.exe, target process: MediaCenter.exe
description: PID 1048 wrote to memory of 1452, pid: 1048, process: 14541bc6ebc867669a8d89a2acd37f57ed932b484ebfa2400b853748da79090c.exe, target process: MediaCenter.exe
description: PID 1048 wrote to memory of 1452, pid: 1048, process: 14541bc6ebc867669a8d89a2acd37f57ed932b484ebfa2400b853748da79090c.exe, target process: MediaCenter.exe
description: PID 1048 wrote to memory of 1452, pid: 1048, process: 14541bc6ebc867669a8d89a2acd37f57ed932b484ebfa2400b853748da79090c.exe, target process: MediaCenter.exe
description: PID 1048 wrote to memory of 828, pid: 1048, process: 14541bc6ebc867669a8d89a2acd37f57ed932b484ebfa2400b853748da79090c.exe, target process: cmd.exe
description: PID 1048 wrote to memory of 828, pid: 1048, process: 14541bc6ebc867669a8d89a2acd37f57ed932b484ebfa2400b853748da79090c.exe, target process: cmd.exe
description: PID 1048 wrote to memory of 828, pid: 1048, process: 14541bc6ebc867669a8d89a2acd37f57ed932b484ebfa2400b853748da79090c.exe, target process: cmd.exe
description: PID 1048 wrote to memory of 828, pid: 1048, process: 14541bc6ebc867669a8d89a2acd37f57ed932b484ebfa2400b853748da79090c.exe, target process: cmd.exe
description: PID 828 wrote to memory of 1856, pid: 828, process: cmd.exe, target process: PING.EXE
description: PID 828 wrote to memory of 1856, pid: 828, process: cmd.exe, target process: PING.EXE
description: PID 828 wrote to memory of 1856, pid: 828, process: cmd.exe, target process: PING.EXE
description: PID 828 wrote to memory of 1856, pid: 828, process: cmd.exe, target process: PING.EXE
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\14541bc6ebc867669a8d89a2acd37f57ed932b484ebfa2400b853748da79090c.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\14541bc6ebc867669a8d89a2acd37f57ed932b484ebfa2400b853748da79090c.exe"
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 1048

  Level 2: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  - Executes dropped EXE
  PID: 1452

  Level 2: C:\Windows\SysWOW64\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\14541bc6ebc867669a8d89a2acd37f57ed932b484ebfa2400b853748da79090c.exe"
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID: 828

    Level 3: C:\Windows\SysWOW64\PING.EXE
    Command line: ping 127.0.0.1
    - Runs ping.exe
    PID: 1856
Network
MITRE ATT&CK Enterprise v6
Downloads

MD5: 95b8ce94b9a99c9c3921ddd27c9d6303
SHA1: 9b7becaba76590be8ca7da2f5516c787aa240d07
SHA256: 4cde7d1b845514c0d963000d96c63a97bbb4778919dd2b192baf206f8f65d3ae
SHA512: 8e57bd7957aba16f740f1afa195299aea643ecfff0d07e2db6a6679ebc031d2490e46daa84c16669bbea558be248423ed7051a875e3775c5e00c2b8ed00e876a