Analysis
- max time kernel: 123s
- max time network: 148s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 04:50
Static task: static1
Behavioral task: behavioral1
  Sample: 1442b9ad225e76be88804df9f5ae55681eee48ef73aa53250e290b2d43d82860.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 1442b9ad225e76be88804df9f5ae55681eee48ef73aa53250e290b2d43d82860.exe
  Resource: win10v2004-en-20220113
General
- Target: 1442b9ad225e76be88804df9f5ae55681eee48ef73aa53250e290b2d43d82860.exe
- Size: 100KB
- MD5: dfa7ee82da68f8dba1d2f9f3bbefed38
- SHA1: af2b244a1150f89c7ef702305b2c63123eda7128
- SHA256: 1442b9ad225e76be88804df9f5ae55681eee48ef73aa53250e290b2d43d82860
- SHA512: ef493f10453880a7caabf978382182437cba4a16c865c8fd9e1dde69c026569bef0720d3410f93b665b6f37fea66e143e2d22e673bc1d26f8fc063abb77198bc
Malware Config
Signatures
- Sakula Payload (3 IoCs)
  Processes (resource | yara_rule):
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- Executes dropped EXE (1 IoC)
  Processes (pid | process):
  1608 | MediaCenter.exe
- Deletes itself (1 IoC)
  Processes (pid | process):
  780 | cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid | process):
  1548 | 1442b9ad225e76be88804df9f5ae55681eee48ef73aa53250e290b2d43d82860.exe
  1548 | 1442b9ad225e76be88804df9f5ae55681eee48ef73aa53250e290b2d43d82860.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description | ioc | process):
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 1442b9ad225e76be88804df9f5ae55681eee48ef73aa53250e290b2d43d82860.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description | pid | process):
  Token: SeIncBasePriorityPrivilege | 1548 | 1442b9ad225e76be88804df9f5ae55681eee48ef73aa53250e290b2d43d82860.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description | pid | process | target process):
  PID 1548 wrote to memory of 1608 | 1548 | 1442b9ad225e76be88804df9f5ae55681eee48ef73aa53250e290b2d43d82860.exe | MediaCenter.exe (4 entries)
  PID 1548 wrote to memory of 780 | 1548 | 1442b9ad225e76be88804df9f5ae55681eee48ef73aa53250e290b2d43d82860.exe | cmd.exe (4 entries)
  PID 780 wrote to memory of 1668 | 780 | cmd.exe | PING.EXE (4 entries)
Processes
- [depth 1] C:\Users\Admin\AppData\Local\Temp\1442b9ad225e76be88804df9f5ae55681eee48ef73aa53250e290b2d43d82860.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1442b9ad225e76be88804df9f5ae55681eee48ef73aa53250e290b2d43d82860.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1548
  - [depth 2] C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1608
  - [depth 2] C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\1442b9ad225e76be88804df9f5ae55681eee48ef73aa53250e290b2d43d82860.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 780
    - [depth 3] C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1668
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 56fda27efa4b60c7a38be5a58cfb59b9
  SHA1: 96ebc04dbd563b413eed641554455259f6a8903d
  SHA256: bb41fa8b799f1d18bdf7ac250566cac50432882d11a6b08b78db0b0f6aa607cb
  SHA512: 960780d5bd41b895df011ba4f00c4bb3212c063b816ecdf4d62bd6ffeca3b266a2954b0ba072c28d3325931418d40fdd98ae254b31a380636c45ea7b1cd34dc3