Analysis
- max time kernel: 147s
- max time network: 175s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 04:49
Static task: static1
Behavioral task: behavioral1
  Sample: 1451dd6d1f64cd8775150350e5ee870317abf054b297c2cb050a1672e0641b05.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 1451dd6d1f64cd8775150350e5ee870317abf054b297c2cb050a1672e0641b05.exe
  Resource: win10v2004-en-20220113
General
- Target: 1451dd6d1f64cd8775150350e5ee870317abf054b297c2cb050a1672e0641b05.exe
- Size: 101KB
- MD5: 5ff458f2a79fe48205000392f098c60e
- SHA1: 85d628a474fad084f467d605b7f98328a6836ed1
- SHA256: 1451dd6d1f64cd8775150350e5ee870317abf054b297c2cb050a1672e0641b05
- SHA512: c77f7668ae49e02cbd66117d1710ff9b547335d2cc12767f6fde0d5825b2a4af9d91211e0ce037a9473402262e8a8815ee8af820cf48711c310e1f0dc7c34ca5
Malware Config
Signatures
- Sakula Payload (3 IoCs)
  Processes:
    resource                                                      yara_rule
    \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe    family_sakula
    \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe    family_sakula
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  family_sakula
- Executes dropped EXE (1 IoC)
  Processes:
    pid   process
    1668  MediaCenter.exe
- Deletes itself (1 IoC)
  Processes:
    pid   process
    2044  cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes:
    pid   process
    1316  1451dd6d1f64cd8775150350e5ee870317abf054b297c2cb050a1672e0641b05.exe
    1316  1451dd6d1f64cd8775150350e5ee870317abf054b297c2cb050a1672e0641b05.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    description: Set value (str)
    ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
    process: 1451dd6d1f64cd8775150350e5ee870317abf054b297c2cb050a1672e0641b05.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description                          pid   process
    Token: SeIncBasePriorityPrivilege    1316  1451dd6d1f64cd8775150350e5ee870317abf054b297c2cb050a1672e0641b05.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
    description                        pid   process                                                                  target process
    PID 1316 wrote to memory of 1668   1316  1451dd6d1f64cd8775150350e5ee870317abf054b297c2cb050a1672e0641b05.exe    MediaCenter.exe
    PID 1316 wrote to memory of 1668   1316  1451dd6d1f64cd8775150350e5ee870317abf054b297c2cb050a1672e0641b05.exe    MediaCenter.exe
    PID 1316 wrote to memory of 1668   1316  1451dd6d1f64cd8775150350e5ee870317abf054b297c2cb050a1672e0641b05.exe    MediaCenter.exe
    PID 1316 wrote to memory of 1668   1316  1451dd6d1f64cd8775150350e5ee870317abf054b297c2cb050a1672e0641b05.exe    MediaCenter.exe
    PID 1316 wrote to memory of 2044   1316  1451dd6d1f64cd8775150350e5ee870317abf054b297c2cb050a1672e0641b05.exe    cmd.exe
    PID 1316 wrote to memory of 2044   1316  1451dd6d1f64cd8775150350e5ee870317abf054b297c2cb050a1672e0641b05.exe    cmd.exe
    PID 1316 wrote to memory of 2044   1316  1451dd6d1f64cd8775150350e5ee870317abf054b297c2cb050a1672e0641b05.exe    cmd.exe
    PID 1316 wrote to memory of 2044   1316  1451dd6d1f64cd8775150350e5ee870317abf054b297c2cb050a1672e0641b05.exe    cmd.exe
    PID 2044 wrote to memory of 1020   2044  cmd.exe                                                                  PING.EXE
    PID 2044 wrote to memory of 1020   2044  cmd.exe                                                                  PING.EXE
    PID 2044 wrote to memory of 1020   2044  cmd.exe                                                                  PING.EXE
    PID 2044 wrote to memory of 1020   2044  cmd.exe                                                                  PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\1451dd6d1f64cd8775150350e5ee870317abf054b297c2cb050a1672e0641b05.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\1451dd6d1f64cd8775150350e5ee870317abf054b297c2cb050a1672e0641b05.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1316
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1668
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\1451dd6d1f64cd8775150350e5ee870317abf054b297c2cb050a1672e0641b05.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 2044
    - C:\Windows\SysWOW64\PING.EXE (depth 3)
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1020
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: e9d2e93188d6e0a814671536a18b1461
  SHA1: 5009dca32e5664ad4cabf205d65f2c0dad06c25f
  SHA256: 0e8cb7b9d2d157cf3f4a8cd5b3837a32946738ed710a05670dd1eed1822308fb
  SHA512: 2ddc08e34a9523038adb77c7d328ca100e8291d4a9f15e2dbd3487d8a7a333818f15597acfaafee950a1a8aea7df3003c2e45bce605ca31753cae85ea3668dd2