Analysis
max time kernel: 148s
max time network: 156s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 04:55
Static task: static1
Behavioral task: behavioral1
  Sample: 1409c7202531a29a64ea6b31360e9f29e807c1d5381f257b33310e045695c352.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 1409c7202531a29a64ea6b31360e9f29e807c1d5381f257b33310e045695c352.exe
  Resource: win10v2004-en-20220112
General
Target: 1409c7202531a29a64ea6b31360e9f29e807c1d5381f257b33310e045695c352.exe
Size: 80KB
MD5: a2e6dc688612eb075828acf9e62e0903
SHA1: 973e4216bb68ffd8610076ba8e6bc17be586a2b9
SHA256: 1409c7202531a29a64ea6b31360e9f29e807c1d5381f257b33310e045695c352
SHA512: 84675b2ff48cbc16e14af6a1009b2913fef08a525f3cc74c80803e94d809be2b4d4126a7090d0b00b3711649f76d6f40363fea9c6b2ee6df7358d5744f015a26
Malware Config
Signatures

Sakula Payload (3 IoCs)
  resource                                                      yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe    family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  family_sakula
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe    family_sakula

Executes dropped EXE (1 IoC)
  pid   process
  1172  MediaCenter.exe

Deletes itself (1 IoC)
  pid   process
  436   cmd.exe

Loads dropped DLL (2 IoCs)
  pid   process
  1904  1409c7202531a29a64ea6b31360e9f29e807c1d5381f257b33310e045695c352.exe
  1904  1409c7202531a29a64ea6b31360e9f29e807c1d5381f257b33310e045695c352.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  description      ioc
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  process: 1409c7202531a29a64ea6b31360e9f29e807c1d5381f257b33310e045695c352.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTP, 1 IoC)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description                        pid   process
  Token: SeIncBasePriorityPrivilege  1904  1409c7202531a29a64ea6b31360e9f29e807c1d5381f257b33310e045695c352.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  description                    source process                                                              target process
  PID 1904 wrote to memory of 1172  1409c7202531a29a64ea6b31360e9f29e807c1d5381f257b33310e045695c352.exe  MediaCenter.exe  (4 identical entries)
  PID 1904 wrote to memory of 436   1409c7202531a29a64ea6b31360e9f29e807c1d5381f257b33310e045695c352.exe  cmd.exe          (4 identical entries)
  PID 436 wrote to memory of 1856   cmd.exe                                                                 PING.EXE         (4 identical entries)
Processes

C:\Users\Admin\AppData\Local\Temp\1409c7202531a29a64ea6b31360e9f29e807c1d5381f257b33310e045695c352.exe (PID 1904, depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\1409c7202531a29a64ea6b31360e9f29e807c1d5381f257b33310e045695c352.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 1172, depth 2)
    command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE

  C:\Windows\SysWOW64\cmd.exe (PID 436, depth 2)
    command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\1409c7202531a29a64ea6b31360e9f29e807c1d5381f257b33310e045695c352.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\PING.EXE (PID 1856, depth 3)
      command line: ping 127.0.0.1
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: c055adc90fa017eb03f45317217ab605
SHA1: 931206f12ccb75e7d121d34ee1dfbb43849d1ce3
SHA256: fee0ddffdfa2dcedd987dee374bfb416ba9b98baee84a0d34b6b5eb29bbee9c5
SHA512: d382dab8aa23b224a1eb8f3782b1c93d9ab27bc8fa4d391d23edcf5496b1434c2af77f52574056ccaa6d8aceae1138a8076616219908198ed6180887d3e3d1bf