Analysis
  max time kernel:   126s
  max time network:  155s
  platform:          windows7_x64
  resource:          win7-en-20211208
  submitted:         12-02-2022 04:51
Static task: static1

Behavioral task: behavioral1
  Sample:    14381d0f0947debf6c0cf0408f7bb4e03a587279b23f189e930fc192ba5f7d0f.exe
  Resource:  win7-en-20211208

Behavioral task: behavioral2
  Sample:    14381d0f0947debf6c0cf0408f7bb4e03a587279b23f189e930fc192ba5f7d0f.exe
  Resource:  win10v2004-en-20220113
General
  Target:  14381d0f0947debf6c0cf0408f7bb4e03a587279b23f189e930fc192ba5f7d0f.exe
  Size:    100KB
  MD5:     046131040d496d26ca236437f7f2a6b3
  SHA1:    0a25e7042fa3ba86511020a247b6e13cab516833
  SHA256:  14381d0f0947debf6c0cf0408f7bb4e03a587279b23f189e930fc192ba5f7d0f
  SHA512:  0098501dc859a9c06402fb71034bd00a4f89e0f12b632acf5847f50f81978b6f51683ce3ea69531f1d84c7a828c94fb2a258c582d758a25484fb5cfaede754ba
Malware Config
Signatures
Sakula Payload (3 IoCs)
  resource                                                      yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe    family_sakula
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe    family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  family_sakula
Executes dropped EXE (1 IoC)
  pid   process
  1224  MediaCenter.exe
Deletes itself (1 IoC)
  pid   process
  1988  cmd.exe
Loads dropped DLL (2 IoCs)
  pid   process
  1848  14381d0f0947debf6c0cf0408f7bb4e03a587279b23f189e930fc192ba5f7d0f.exe
  1848  14381d0f0947debf6c0cf0408f7bb4e03a587279b23f189e930fc192ba5f7d0f.exe
Adds Run key to start application (2 TTPs, 1 IoC)
  description:  Set value (str)
  ioc:          \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  process:      14381d0f0947debf6c0cf0408f7bb4e03a587279b23f189e930fc192ba5f7d0f.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Runs ping.exe (1 TTP, 1 IoC)
Suspicious use of AdjustPrivilegeToken (1 IoC)
  description                        pid   process
  Token: SeIncBasePriorityPrivilege  1848  14381d0f0947debf6c0cf0408f7bb4e03a587279b23f189e930fc192ba5f7d0f.exe
Suspicious use of WriteProcessMemory (12 IoCs)
  description                       pid   process                                                                  target process
  PID 1848 wrote to memory of 1224  1848  14381d0f0947debf6c0cf0408f7bb4e03a587279b23f189e930fc192ba5f7d0f.exe  MediaCenter.exe
  PID 1848 wrote to memory of 1224  1848  14381d0f0947debf6c0cf0408f7bb4e03a587279b23f189e930fc192ba5f7d0f.exe  MediaCenter.exe
  PID 1848 wrote to memory of 1224  1848  14381d0f0947debf6c0cf0408f7bb4e03a587279b23f189e930fc192ba5f7d0f.exe  MediaCenter.exe
  PID 1848 wrote to memory of 1224  1848  14381d0f0947debf6c0cf0408f7bb4e03a587279b23f189e930fc192ba5f7d0f.exe  MediaCenter.exe
  PID 1848 wrote to memory of 1988  1848  14381d0f0947debf6c0cf0408f7bb4e03a587279b23f189e930fc192ba5f7d0f.exe  cmd.exe
  PID 1848 wrote to memory of 1988  1848  14381d0f0947debf6c0cf0408f7bb4e03a587279b23f189e930fc192ba5f7d0f.exe  cmd.exe
  PID 1848 wrote to memory of 1988  1848  14381d0f0947debf6c0cf0408f7bb4e03a587279b23f189e930fc192ba5f7d0f.exe  cmd.exe
  PID 1848 wrote to memory of 1988  1848  14381d0f0947debf6c0cf0408f7bb4e03a587279b23f189e930fc192ba5f7d0f.exe  cmd.exe
  PID 1988 wrote to memory of 2044  1988  cmd.exe                                                                  PING.EXE
  PID 1988 wrote to memory of 2044  1988  cmd.exe                                                                  PING.EXE
  PID 1988 wrote to memory of 2044  1988  cmd.exe                                                                  PING.EXE
  PID 1988 wrote to memory of 2044  1988  cmd.exe                                                                  PING.EXE
Processes
  C:\Users\Admin\AppData\Local\Temp\14381d0f0947debf6c0cf0408f7bb4e03a587279b23f189e930fc192ba5f7d0f.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\14381d0f0947debf6c0cf0408f7bb4e03a587279b23f189e930fc192ba5f7d0f.exe"
    PID: 1848
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
        command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
        PID: 1224
        - Executes dropped EXE
      C:\Windows\SysWOW64\cmd.exe
        command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\14381d0f0947debf6c0cf0408f7bb4e03a587279b23f189e930fc192ba5f7d0f.exe"
        PID: 1988
        - Deletes itself
        - Suspicious use of WriteProcessMemory
          C:\Windows\SysWOW64\PING.EXE
            command line: ping 127.0.0.1
            PID: 2044
            - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads (3 entries, identical hashes)
  MD5:     ca3ae1fbd4e5286525e0e09c63dd939c
  SHA1:    3ddc6f7edc058f553b91afaa850c88b05d5f3f15
  SHA256:  901b00d4878056a4da91987b544bdecd55fdeed6c58c8c0d72997ec9d71c880e
  SHA512:  dcf45e603a3066ee261c10fa007e64044ba07a42e1ef34f456546ddd5fbbffeecd6011abb9aa6aaeb06e9ee41f3fb3da4ee67bb3fab6abdaf1ade5dbe7811972