Analysis
-
max time kernel
147s -
max time network
156s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
12-02-2022 04:55
Static task
static1
Behavioral task
behavioral1
Sample
1403a75d871b755cfd20c4f7fb15040a9ab1a60fb313ebd0a5e65f5824082970.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
1403a75d871b755cfd20c4f7fb15040a9ab1a60fb313ebd0a5e65f5824082970.exe
Resource
win10v2004-en-20220113
General
-
Target
1403a75d871b755cfd20c4f7fb15040a9ab1a60fb313ebd0a5e65f5824082970.exe
-
Size
192KB
-
MD5
fa25b3354c3c9c3636af9e4a018e7800
-
SHA1
bae748452d905464f250054bec73ba01f43a3796
-
SHA256
1403a75d871b755cfd20c4f7fb15040a9ab1a60fb313ebd0a5e65f5824082970
-
SHA512
46c67ebdc01566345bcaa33c89a270add2bb72c6a5a4ba857888da345a0cf209a240decdf3265c3765809328dae1217af54aa65a4d8e063c58913fb4c3ab7303
Malware Config
Signatures
-
Sakula Payload 3 IoCs
Processes:
resource yara_rule \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula -
Executes dropped EXE 1 IoCs
Processes:
MediaCenter.exepid process 1576 MediaCenter.exe -
Deletes itself 1 IoCs
Processes:
cmd.exepid process 432 cmd.exe -
Loads dropped DLL 2 IoCs
Processes:
1403a75d871b755cfd20c4f7fb15040a9ab1a60fb313ebd0a5e65f5824082970.exepid process 1664 1403a75d871b755cfd20c4f7fb15040a9ab1a60fb313ebd0a5e65f5824082970.exe 1664 1403a75d871b755cfd20c4f7fb15040a9ab1a60fb313ebd0a5e65f5824082970.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
1403a75d871b755cfd20c4f7fb15040a9ab1a60fb313ebd0a5e65f5824082970.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" 1403a75d871b755cfd20c4f7fb15040a9ab1a60fb313ebd0a5e65f5824082970.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
1403a75d871b755cfd20c4f7fb15040a9ab1a60fb313ebd0a5e65f5824082970.exedescription pid process Token: SeIncBasePriorityPrivilege 1664 1403a75d871b755cfd20c4f7fb15040a9ab1a60fb313ebd0a5e65f5824082970.exe -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
1403a75d871b755cfd20c4f7fb15040a9ab1a60fb313ebd0a5e65f5824082970.execmd.exedescription pid process target process PID 1664 wrote to memory of 1576 1664 1403a75d871b755cfd20c4f7fb15040a9ab1a60fb313ebd0a5e65f5824082970.exe MediaCenter.exe PID 1664 wrote to memory of 1576 1664 1403a75d871b755cfd20c4f7fb15040a9ab1a60fb313ebd0a5e65f5824082970.exe MediaCenter.exe PID 1664 wrote to memory of 1576 1664 1403a75d871b755cfd20c4f7fb15040a9ab1a60fb313ebd0a5e65f5824082970.exe MediaCenter.exe PID 1664 wrote to memory of 1576 1664 1403a75d871b755cfd20c4f7fb15040a9ab1a60fb313ebd0a5e65f5824082970.exe MediaCenter.exe PID 1664 wrote to memory of 432 1664 1403a75d871b755cfd20c4f7fb15040a9ab1a60fb313ebd0a5e65f5824082970.exe cmd.exe PID 1664 wrote to memory of 432 1664 1403a75d871b755cfd20c4f7fb15040a9ab1a60fb313ebd0a5e65f5824082970.exe cmd.exe PID 1664 wrote to memory of 432 1664 1403a75d871b755cfd20c4f7fb15040a9ab1a60fb313ebd0a5e65f5824082970.exe cmd.exe PID 1664 wrote to memory of 432 1664 1403a75d871b755cfd20c4f7fb15040a9ab1a60fb313ebd0a5e65f5824082970.exe cmd.exe PID 432 wrote to memory of 1932 432 cmd.exe PING.EXE PID 432 wrote to memory of 1932 432 cmd.exe PING.EXE PID 432 wrote to memory of 1932 432 cmd.exe PING.EXE PID 432 wrote to memory of 1932 432 cmd.exe PING.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\1403a75d871b755cfd20c4f7fb15040a9ab1a60fb313ebd0a5e65f5824082970.exe"C:\Users\Admin\AppData\Local\Temp\1403a75d871b755cfd20c4f7fb15040a9ab1a60fb313ebd0a5e65f5824082970.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1664 -
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeC:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe2⤵
- Executes dropped EXE
PID:1576 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\1403a75d871b755cfd20c4f7fb15040a9ab1a60fb313ebd0a5e65f5824082970.exe"2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:432 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.13⤵
- Runs ping.exe
PID:1932
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
dc0defac02136a4c7299d0749da7eba2
SHA14e21e8cb2a462d0cce9e752ab829297e32b131b4
SHA256f478de69abbcc4f50ca80f349af5617f13c2c74663885695309ba5a86c38fc67
SHA51253092e41b6f3cd7dcd4e0a8c88932e681c3dfd69ae84cd091d6fb240300ff7b40f92da703edff8022ab34e6b559b7729d74844ff4681e39034cc2fe2936ba4fa
-
MD5
dc0defac02136a4c7299d0749da7eba2
SHA14e21e8cb2a462d0cce9e752ab829297e32b131b4
SHA256f478de69abbcc4f50ca80f349af5617f13c2c74663885695309ba5a86c38fc67
SHA51253092e41b6f3cd7dcd4e0a8c88932e681c3dfd69ae84cd091d6fb240300ff7b40f92da703edff8022ab34e6b559b7729d74844ff4681e39034cc2fe2936ba4fa
-
MD5
dc0defac02136a4c7299d0749da7eba2
SHA14e21e8cb2a462d0cce9e752ab829297e32b131b4
SHA256f478de69abbcc4f50ca80f349af5617f13c2c74663885695309ba5a86c38fc67
SHA51253092e41b6f3cd7dcd4e0a8c88932e681c3dfd69ae84cd091d6fb240300ff7b40f92da703edff8022ab34e6b559b7729d74844ff4681e39034cc2fe2936ba4fa