Analysis
- max time kernel: 120s
- max time network: 136s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 04:54
Static task: static1
Behavioral task: behavioral1
  Sample: 1411f380acce00ac3ae8c85a3e628b8ce4271b01bea564468b24c01253dee020.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 1411f380acce00ac3ae8c85a3e628b8ce4271b01bea564468b24c01253dee020.exe
  Resource: win10v2004-en-20220112
General
- Target: 1411f380acce00ac3ae8c85a3e628b8ce4271b01bea564468b24c01253dee020.exe
- Size: 80KB
- MD5: 81add44057e00363e572e1acefbfb9b4
- SHA1: f0d7dd557f4be6c5840ac7e149edf740a12dea11
- SHA256: 1411f380acce00ac3ae8c85a3e628b8ce4271b01bea564468b24c01253dee020
- SHA512: 3fcf6b6568f80fb581c0b9e27a6ac16a502a1dd06f3d3a0d03ea581f301c9dadb03d1370e151a832e4ba4db979c840e0e3f8ab5ca1a99b1b88751db20d5a2865
Malware Config
Signatures
- Sakula Payload (3 IoCs)
  Processes:
  resource | yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- Executes dropped EXE (1 IoC)
  Processes:
  pid | process
  1388 | MediaCenter.exe
- Deletes itself (1 IoC)
  Processes:
  pid | process
  1796 | cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes:
  pid | process
  1680 | 1411f380acce00ac3ae8c85a3e628b8ce4271b01bea564468b24c01253dee020.exe
  1680 | 1411f380acce00ac3ae8c85a3e628b8ce4271b01bea564468b24c01253dee020.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 1411f380acce00ac3ae8c85a3e628b8ce4271b01bea564468b24c01253dee020.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 1680 | 1411f380acce00ac3ae8c85a3e628b8ce4271b01bea564468b24c01253dee020.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
  description | pid | process | target process
  PID 1680 wrote to memory of 1388 | 1680 | 1411f380acce00ac3ae8c85a3e628b8ce4271b01bea564468b24c01253dee020.exe | MediaCenter.exe
  PID 1680 wrote to memory of 1388 | 1680 | 1411f380acce00ac3ae8c85a3e628b8ce4271b01bea564468b24c01253dee020.exe | MediaCenter.exe
  PID 1680 wrote to memory of 1388 | 1680 | 1411f380acce00ac3ae8c85a3e628b8ce4271b01bea564468b24c01253dee020.exe | MediaCenter.exe
  PID 1680 wrote to memory of 1388 | 1680 | 1411f380acce00ac3ae8c85a3e628b8ce4271b01bea564468b24c01253dee020.exe | MediaCenter.exe
  PID 1680 wrote to memory of 1796 | 1680 | 1411f380acce00ac3ae8c85a3e628b8ce4271b01bea564468b24c01253dee020.exe | cmd.exe
  PID 1680 wrote to memory of 1796 | 1680 | 1411f380acce00ac3ae8c85a3e628b8ce4271b01bea564468b24c01253dee020.exe | cmd.exe
  PID 1680 wrote to memory of 1796 | 1680 | 1411f380acce00ac3ae8c85a3e628b8ce4271b01bea564468b24c01253dee020.exe | cmd.exe
  PID 1680 wrote to memory of 1796 | 1680 | 1411f380acce00ac3ae8c85a3e628b8ce4271b01bea564468b24c01253dee020.exe | cmd.exe
  PID 1796 wrote to memory of 816 | 1796 | cmd.exe | PING.EXE
  PID 1796 wrote to memory of 816 | 1796 | cmd.exe | PING.EXE
  PID 1796 wrote to memory of 816 | 1796 | cmd.exe | PING.EXE
  PID 1796 wrote to memory of 816 | 1796 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\1411f380acce00ac3ae8c85a3e628b8ce4271b01bea564468b24c01253dee020.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\1411f380acce00ac3ae8c85a3e628b8ce4271b01bea564468b24c01253dee020.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1680
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (level 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1388
  - C:\Windows\SysWOW64\cmd.exe (level 2)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\1411f380acce00ac3ae8c85a3e628b8ce4271b01bea564468b24c01253dee020.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1796
    - C:\Windows\SysWOW64\PING.EXE (level 3)
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 816
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: b125f96c5bdfddf5c02dffa14aa8418d
  SHA1: 9a734a9dbe7c7bf2702f77bd21b15b78976d21c4
  SHA256: 16ec6d467dc4e939f8ee792802d41a645f2335dc8ad3aedbf42d27a574e59d0b
  SHA512: b24073f8264e793519376f5a981c1ab273d23c5383c4af30b8bd6fdf9cf17d82013586461840cf8aad58f24d97b5a7cef7cc9f84617ddbb2d6a1a050cff46e9b