Analysis
- max time kernel: 147s
- max time network: 159s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 04:51
Static task: static1
Behavioral task: behavioral1
  Sample: 14387baff1602d057a8e5f864315ab7c208b1508c8156cf461438ad9b13c9bd2.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 14387baff1602d057a8e5f864315ab7c208b1508c8156cf461438ad9b13c9bd2.exe
  Resource: win10v2004-en-20220112
General
- Target: 14387baff1602d057a8e5f864315ab7c208b1508c8156cf461438ad9b13c9bd2.exe
- Size: 104KB
- MD5: c649e1d21d12048161d55c229c7a51dc
- SHA1: 063fa58d6bf1c1b3b58ab100d826fd79590185c5
- SHA256: 14387baff1602d057a8e5f864315ab7c208b1508c8156cf461438ad9b13c9bd2
- SHA512: cd0b023189dd2512146d09c290e56c75650713a91f2c3fcd23deaba26e0445d910fc17c7dd6405398b30d3d20e3c220922da762781fc1ee42d60461bc1bfc7cd
Malware Config
Signatures
- Sakula Payload (3 IoCs)
  Processes:
    resource                                                         yara_rule
    \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe       family_sakula
    \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe       family_sakula
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe     family_sakula
- Executes dropped EXE (1 IoC)
  Processes: MediaCenter.exe
    pid   process
    832   MediaCenter.exe
- Deletes itself (1 IoC)
  Processes: cmd.exe
    pid    process
    1768   cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes: 14387baff1602d057a8e5f864315ab7c208b1508c8156cf461438ad9b13c9bd2.exe
    pid    process
    1628   14387baff1602d057a8e5f864315ab7c208b1508c8156cf461438ad9b13c9bd2.exe
    1628   14387baff1602d057a8e5f864315ab7c208b1508c8156cf461438ad9b13c9bd2.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: 14387baff1602d057a8e5f864315ab7c208b1508c8156cf461438ad9b13c9bd2.exe
    description: Set value (str)
    ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
    process: 14387baff1602d057a8e5f864315ab7c208b1508c8156cf461438ad9b13c9bd2.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: 14387baff1602d057a8e5f864315ab7c208b1508c8156cf461438ad9b13c9bd2.exe
    description: Token: SeIncBasePriorityPrivilege
    pid: 1628
    process: 14387baff1602d057a8e5f864315ab7c208b1508c8156cf461438ad9b13c9bd2.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes: 14387baff1602d057a8e5f864315ab7c208b1508c8156cf461438ad9b13c9bd2.exe, cmd.exe
    PID 1628 (14387baff1602d057a8e5f864315ab7c208b1508c8156cf461438ad9b13c9bd2.exe) wrote to memory of 832 (MediaCenter.exe)
    PID 1628 (14387baff1602d057a8e5f864315ab7c208b1508c8156cf461438ad9b13c9bd2.exe) wrote to memory of 832 (MediaCenter.exe)
    PID 1628 (14387baff1602d057a8e5f864315ab7c208b1508c8156cf461438ad9b13c9bd2.exe) wrote to memory of 832 (MediaCenter.exe)
    PID 1628 (14387baff1602d057a8e5f864315ab7c208b1508c8156cf461438ad9b13c9bd2.exe) wrote to memory of 832 (MediaCenter.exe)
    PID 1628 (14387baff1602d057a8e5f864315ab7c208b1508c8156cf461438ad9b13c9bd2.exe) wrote to memory of 1768 (cmd.exe)
    PID 1628 (14387baff1602d057a8e5f864315ab7c208b1508c8156cf461438ad9b13c9bd2.exe) wrote to memory of 1768 (cmd.exe)
    PID 1628 (14387baff1602d057a8e5f864315ab7c208b1508c8156cf461438ad9b13c9bd2.exe) wrote to memory of 1768 (cmd.exe)
    PID 1628 (14387baff1602d057a8e5f864315ab7c208b1508c8156cf461438ad9b13c9bd2.exe) wrote to memory of 1768 (cmd.exe)
    PID 1768 (cmd.exe) wrote to memory of 1272 (PING.EXE)
    PID 1768 (cmd.exe) wrote to memory of 1272 (PING.EXE)
    PID 1768 (cmd.exe) wrote to memory of 1272 (PING.EXE)
    PID 1768 (cmd.exe) wrote to memory of 1272 (PING.EXE)
Processes
- C:\Users\Admin\AppData\Local\Temp\14387baff1602d057a8e5f864315ab7c208b1508c8156cf461438ad9b13c9bd2.exe (depth 1, PID 1628)
  Command line: "C:\Users\Admin\AppData\Local\Temp\14387baff1602d057a8e5f864315ab7c208b1508c8156cf461438ad9b13c9bd2.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (depth 2, PID 832)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (depth 2, PID 1768)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\14387baff1602d057a8e5f864315ab7c208b1508c8156cf461438ad9b13c9bd2.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (depth 3, PID 1272)
      Command line: ping 127.0.0.1
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: cd6f2c96828c4a580668ec88756623a9
  SHA1: 74794431d792ba4d8961dab9c681bbc7e811a5c9
  SHA256: 194f80fea047dda5e5c8d1efeb207462a2247f2cf448b27d26cceed5ef619c41
  SHA512: 1e73d5980361d59a80f458aee6b6d1df078b6bdf3d61ee78af50df15edfe6ff4d8fbf1d224ac03bf0e1374c2355fe82975722d295a8b90d52dcea3dff0fe6433