Analysis
-
max time kernel
148s -
max time network
160s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
12-02-2022 04:59
Static task
static1
Behavioral task
behavioral1
Sample
13e9ab0d9afb78256fcb3507b369a91db3adab00d35a1c6ce1ea13bfd0bb20ce.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
13e9ab0d9afb78256fcb3507b369a91db3adab00d35a1c6ce1ea13bfd0bb20ce.exe
Resource
win10v2004-en-20220112
General
-
Target
13e9ab0d9afb78256fcb3507b369a91db3adab00d35a1c6ce1ea13bfd0bb20ce.exe
-
Size
79KB
-
MD5
14628935ff245209e97ca97bc77dbe2c
-
SHA1
190d46c11b3c719242389c38b8e6470bf7afb060
-
SHA256
13e9ab0d9afb78256fcb3507b369a91db3adab00d35a1c6ce1ea13bfd0bb20ce
-
SHA512
179a0202471d6edac02d7aa57e2357cfd212677713595efdb2273b127ca9558ae5270d26afc4bd98a628079e015b59e349f2befb468265dec0f37a7614caa341
Malware Config
Signatures
-
Sakula Payload 3 IoCs
Processes:
resource yara_rule \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula -
Executes dropped EXE 1 IoCs
Processes:
MediaCenter.exepid process 288 MediaCenter.exe -
Deletes itself 1 IoCs
Processes:
cmd.exepid process 432 cmd.exe -
Loads dropped DLL 2 IoCs
Processes:
13e9ab0d9afb78256fcb3507b369a91db3adab00d35a1c6ce1ea13bfd0bb20ce.exepid process 744 13e9ab0d9afb78256fcb3507b369a91db3adab00d35a1c6ce1ea13bfd0bb20ce.exe 744 13e9ab0d9afb78256fcb3507b369a91db3adab00d35a1c6ce1ea13bfd0bb20ce.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
13e9ab0d9afb78256fcb3507b369a91db3adab00d35a1c6ce1ea13bfd0bb20ce.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" 13e9ab0d9afb78256fcb3507b369a91db3adab00d35a1c6ce1ea13bfd0bb20ce.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
13e9ab0d9afb78256fcb3507b369a91db3adab00d35a1c6ce1ea13bfd0bb20ce.exedescription pid process Token: SeIncBasePriorityPrivilege 744 13e9ab0d9afb78256fcb3507b369a91db3adab00d35a1c6ce1ea13bfd0bb20ce.exe -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
13e9ab0d9afb78256fcb3507b369a91db3adab00d35a1c6ce1ea13bfd0bb20ce.execmd.exedescription pid process target process PID 744 wrote to memory of 288 744 13e9ab0d9afb78256fcb3507b369a91db3adab00d35a1c6ce1ea13bfd0bb20ce.exe MediaCenter.exe PID 744 wrote to memory of 288 744 13e9ab0d9afb78256fcb3507b369a91db3adab00d35a1c6ce1ea13bfd0bb20ce.exe MediaCenter.exe PID 744 wrote to memory of 288 744 13e9ab0d9afb78256fcb3507b369a91db3adab00d35a1c6ce1ea13bfd0bb20ce.exe MediaCenter.exe PID 744 wrote to memory of 288 744 13e9ab0d9afb78256fcb3507b369a91db3adab00d35a1c6ce1ea13bfd0bb20ce.exe MediaCenter.exe PID 744 wrote to memory of 432 744 13e9ab0d9afb78256fcb3507b369a91db3adab00d35a1c6ce1ea13bfd0bb20ce.exe cmd.exe PID 744 wrote to memory of 432 744 13e9ab0d9afb78256fcb3507b369a91db3adab00d35a1c6ce1ea13bfd0bb20ce.exe cmd.exe PID 744 wrote to memory of 432 744 13e9ab0d9afb78256fcb3507b369a91db3adab00d35a1c6ce1ea13bfd0bb20ce.exe cmd.exe PID 744 wrote to memory of 432 744 13e9ab0d9afb78256fcb3507b369a91db3adab00d35a1c6ce1ea13bfd0bb20ce.exe cmd.exe PID 432 wrote to memory of 1996 432 cmd.exe PING.EXE PID 432 wrote to memory of 1996 432 cmd.exe PING.EXE PID 432 wrote to memory of 1996 432 cmd.exe PING.EXE PID 432 wrote to memory of 1996 432 cmd.exe PING.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\13e9ab0d9afb78256fcb3507b369a91db3adab00d35a1c6ce1ea13bfd0bb20ce.exe"C:\Users\Admin\AppData\Local\Temp\13e9ab0d9afb78256fcb3507b369a91db3adab00d35a1c6ce1ea13bfd0bb20ce.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:744 -
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeC:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe2⤵
- Executes dropped EXE
PID:288 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\13e9ab0d9afb78256fcb3507b369a91db3adab00d35a1c6ce1ea13bfd0bb20ce.exe"2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:432 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.13⤵
- Runs ping.exe
PID:1996
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
e41d3e26a6a1024bc0a601c7276b5271
SHA12db78357dd5eccf2d16a51e1baae8d05042692d4
SHA25663144025b5b68f9fe9b77c2fdfa0d7e1df4c32fc50a5b663a3335763a17338d2
SHA512286dc5f669652482f0e7012257bafbd8738a924e582e25ae46b427f1f096f556a19f535f7272591039f05b4334a03381b68aaf7557eb0770e5d14365c94a00bc
-
MD5
e41d3e26a6a1024bc0a601c7276b5271
SHA12db78357dd5eccf2d16a51e1baae8d05042692d4
SHA25663144025b5b68f9fe9b77c2fdfa0d7e1df4c32fc50a5b663a3335763a17338d2
SHA512286dc5f669652482f0e7012257bafbd8738a924e582e25ae46b427f1f096f556a19f535f7272591039f05b4334a03381b68aaf7557eb0770e5d14365c94a00bc
-
MD5
e41d3e26a6a1024bc0a601c7276b5271
SHA12db78357dd5eccf2d16a51e1baae8d05042692d4
SHA25663144025b5b68f9fe9b77c2fdfa0d7e1df4c32fc50a5b663a3335763a17338d2
SHA512286dc5f669652482f0e7012257bafbd8738a924e582e25ae46b427f1f096f556a19f535f7272591039f05b4334a03381b68aaf7557eb0770e5d14365c94a00bc