Analysis
- max time kernel: 154s
- max time network: 175s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 04:54
Static task: static1
Behavioral task: behavioral1
  Sample: 14157bdaeedffc11eb014cd8f02387c82e9c15180b1ba96fc87993e626ae5fbf.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 14157bdaeedffc11eb014cd8f02387c82e9c15180b1ba96fc87993e626ae5fbf.exe
  Resource: win10v2004-en-20220113
General
- Target: 14157bdaeedffc11eb014cd8f02387c82e9c15180b1ba96fc87993e626ae5fbf.exe
- Size: 176KB
- MD5: 642bddbcdcbc18474571390c40e5fbe9
- SHA1: 907f98c071a59ba8d1753d04dc40136d359dd8ea
- SHA256: 14157bdaeedffc11eb014cd8f02387c82e9c15180b1ba96fc87993e626ae5fbf
- SHA512: 7204a10a665fe8c8cdd86ebed446328b50047d37517dad5d42177b97c3f5bd0efcb498070a67c8d2582d049c56426c19f943d6f24f7194e4c05f32dd91055830
Malware Config
Signatures
-
- Sakula Payload (4 IoCs)
  Processes:
  resource | yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  behavioral1/memory/1180-59-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
  behavioral1/memory/1204-60-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
- Executes dropped EXE (1 IoC)
  Processes:
  pid | process
  1204 | MediaCenter.exe
- Deletes itself (1 IoC)
  Processes:
  pid | process
  1708 | cmd.exe
- Loads dropped DLL (1 IoC)
  Processes:
  pid | process
  1180 | 14157bdaeedffc11eb014cd8f02387c82e9c15180b1ba96fc87993e626ae5fbf.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 14157bdaeedffc11eb014cd8f02387c82e9c15180b1ba96fc87993e626ae5fbf.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 1180 | 14157bdaeedffc11eb014cd8f02387c82e9c15180b1ba96fc87993e626ae5fbf.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
  description | pid | process | target process
  PID 1180 wrote to memory of 1204 | 1180 | 14157bdaeedffc11eb014cd8f02387c82e9c15180b1ba96fc87993e626ae5fbf.exe | MediaCenter.exe
  PID 1180 wrote to memory of 1204 | 1180 | 14157bdaeedffc11eb014cd8f02387c82e9c15180b1ba96fc87993e626ae5fbf.exe | MediaCenter.exe
  PID 1180 wrote to memory of 1204 | 1180 | 14157bdaeedffc11eb014cd8f02387c82e9c15180b1ba96fc87993e626ae5fbf.exe | MediaCenter.exe
  PID 1180 wrote to memory of 1204 | 1180 | 14157bdaeedffc11eb014cd8f02387c82e9c15180b1ba96fc87993e626ae5fbf.exe | MediaCenter.exe
  PID 1180 wrote to memory of 1708 | 1180 | 14157bdaeedffc11eb014cd8f02387c82e9c15180b1ba96fc87993e626ae5fbf.exe | cmd.exe
  PID 1180 wrote to memory of 1708 | 1180 | 14157bdaeedffc11eb014cd8f02387c82e9c15180b1ba96fc87993e626ae5fbf.exe | cmd.exe
  PID 1180 wrote to memory of 1708 | 1180 | 14157bdaeedffc11eb014cd8f02387c82e9c15180b1ba96fc87993e626ae5fbf.exe | cmd.exe
  PID 1180 wrote to memory of 1708 | 1180 | 14157bdaeedffc11eb014cd8f02387c82e9c15180b1ba96fc87993e626ae5fbf.exe | cmd.exe
  PID 1708 wrote to memory of 276 | 1708 | cmd.exe | PING.EXE
  PID 1708 wrote to memory of 276 | 1708 | cmd.exe | PING.EXE
  PID 1708 wrote to memory of 276 | 1708 | cmd.exe | PING.EXE
  PID 1708 wrote to memory of 276 | 1708 | cmd.exe | PING.EXE
Processes
1. C:\Users\Admin\AppData\Local\Temp\14157bdaeedffc11eb014cd8f02387c82e9c15180b1ba96fc87993e626ae5fbf.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\14157bdaeedffc11eb014cd8f02387c82e9c15180b1ba96fc87993e626ae5fbf.exe"
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   PID: 1180
   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE
      PID: 1204
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\14157bdaeedffc11eb014cd8f02387c82e9c15180b1ba96fc87993e626ae5fbf.exe"
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      PID: 1708
      3. C:\Windows\SysWOW64\PING.EXE
         Command line: ping 127.0.0.1
         - Runs ping.exe
         PID: 276
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 71c6324f8c70713f2e67a603e4c6837e
  SHA1: 82eaa7fc611c461b005f1eed7a860a4f6cde2bf7
  SHA256: b23af6824724388d26887412deb83ed170dc540d43744307fd5ba951f88de2a6
  SHA512: 5e72e1d698e259b18a2f15729b342b435bd80e50b8ac62d51d3cafac88796ed74f5efb37045bba073cc4c1387f43b70c8a4425ba5a09efce34ea5a9d1c56c6fc