Analysis
- max time kernel: 119s
- max time network: 138s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 04:52
Static task: static1
Behavioral task: behavioral1
- Sample: 142a6c8c0e21839773b7abfd86e5e906e9d91731e9a4aca16390778fc9e50688.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 142a6c8c0e21839773b7abfd86e5e906e9d91731e9a4aca16390778fc9e50688.exe
- Resource: win10v2004-en-20220113
General
- Target: 142a6c8c0e21839773b7abfd86e5e906e9d91731e9a4aca16390778fc9e50688.exe
- Size: 80KB
- MD5: acae58670ef65628947dad9f8cd6d91c
- SHA1: 18d32fa885b0898ffbc8c1244032e1b71bfdfce5
- SHA256: 142a6c8c0e21839773b7abfd86e5e906e9d91731e9a4aca16390778fc9e50688
- SHA512: f0d27381f9a85905b9e5acc1ba90ffef3ff77011bdfa3a3aeb80a1a59807403061312f4386d38f7a1e6548e5dde34fd9f48a49ecab3b1f66165057feb26c87a7
Malware Config
Signatures
- Sakula Payload (3 IoCs)
  Processes:
  resource | yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- Executes dropped EXE (1 IoC)
  Processes:
  pid | process
  1032 | MediaCenter.exe
- Deletes itself (1 IoC)
  Processes:
  pid | process
  1852 | cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes:
  pid | process
  1592 | 142a6c8c0e21839773b7abfd86e5e906e9d91731e9a4aca16390778fc9e50688.exe
  1592 | 142a6c8c0e21839773b7abfd86e5e906e9d91731e9a4aca16390778fc9e50688.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 142a6c8c0e21839773b7abfd86e5e906e9d91731e9a4aca16390778fc9e50688.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 1592 | 142a6c8c0e21839773b7abfd86e5e906e9d91731e9a4aca16390778fc9e50688.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
  description | pid | process | target process
  PID 1592 wrote to memory of 1032 | 1592 | 142a6c8c0e21839773b7abfd86e5e906e9d91731e9a4aca16390778fc9e50688.exe | MediaCenter.exe
  PID 1592 wrote to memory of 1032 | 1592 | 142a6c8c0e21839773b7abfd86e5e906e9d91731e9a4aca16390778fc9e50688.exe | MediaCenter.exe
  PID 1592 wrote to memory of 1032 | 1592 | 142a6c8c0e21839773b7abfd86e5e906e9d91731e9a4aca16390778fc9e50688.exe | MediaCenter.exe
  PID 1592 wrote to memory of 1032 | 1592 | 142a6c8c0e21839773b7abfd86e5e906e9d91731e9a4aca16390778fc9e50688.exe | MediaCenter.exe
  PID 1592 wrote to memory of 1852 | 1592 | 142a6c8c0e21839773b7abfd86e5e906e9d91731e9a4aca16390778fc9e50688.exe | cmd.exe
  PID 1592 wrote to memory of 1852 | 1592 | 142a6c8c0e21839773b7abfd86e5e906e9d91731e9a4aca16390778fc9e50688.exe | cmd.exe
  PID 1592 wrote to memory of 1852 | 1592 | 142a6c8c0e21839773b7abfd86e5e906e9d91731e9a4aca16390778fc9e50688.exe | cmd.exe
  PID 1592 wrote to memory of 1852 | 1592 | 142a6c8c0e21839773b7abfd86e5e906e9d91731e9a4aca16390778fc9e50688.exe | cmd.exe
  PID 1852 wrote to memory of 1280 | 1852 | cmd.exe | PING.EXE
  PID 1852 wrote to memory of 1280 | 1852 | cmd.exe | PING.EXE
  PID 1852 wrote to memory of 1280 | 1852 | cmd.exe | PING.EXE
  PID 1852 wrote to memory of 1280 | 1852 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\142a6c8c0e21839773b7abfd86e5e906e9d91731e9a4aca16390778fc9e50688.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\142a6c8c0e21839773b7abfd86e5e906e9d91731e9a4aca16390778fc9e50688.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1592
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1032
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\142a6c8c0e21839773b7abfd86e5e906e9d91731e9a4aca16390778fc9e50688.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1852
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1280
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 7ebf12161d1dd36ee6b4fb015c9a67d8
  SHA1: 7e351fb9764a857cdc36a647ced3016be30043df
  SHA256: 6cbe02b929ae2ed903415d48e0ae220c81a69266ac250ef271c39de7ed25e266
  SHA512: e006db80bf5286215c95b337a36867a7e8e0fe4da27daf4dfd93718f0f8241751d0236f996801746ed84bcbf9c0b5b2090b5e00d3d3337df37e4ff84fcc92087