Analysis
- max time kernel: 149s
- max time network: 163s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 05:01
Static task: static1
Behavioral task: behavioral1
- Sample: 13d4c8f14026e0ede5d291f15b8d90a481dcc02bd0b4f24afabae964d2b5dcfd.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 13d4c8f14026e0ede5d291f15b8d90a481dcc02bd0b4f24afabae964d2b5dcfd.exe
- Resource: win10v2004-en-20220113
General
- Target: 13d4c8f14026e0ede5d291f15b8d90a481dcc02bd0b4f24afabae964d2b5dcfd.exe
- Size: 80KB
- MD5: a2774bb7dc3b7384c8c71f02a6c59d06
- SHA1: b22ba85f467ef8ecc843dbf791fb949406847e5e
- SHA256: 13d4c8f14026e0ede5d291f15b8d90a481dcc02bd0b4f24afabae964d2b5dcfd
- SHA512: ab5e8d7feb4f0a878c6ce362028362220347cca2615b94730903b8e39cb06375d90b94dacc44673cb774b654220609f08bae718ec1c48188ab23bcd497e45e3b
Malware Config
Signatures
- Sakula Payload (3 IoCs)
  yara rule family_sakula matched on:
  - \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  - \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
- Executes dropped EXE (1 IoC)
  PID 516 MediaCenter.exe
- Deletes itself (1 IoC)
  PID 1188 cmd.exe
- Loads dropped DLL (2 IoCs)
  PID 956 13d4c8f14026e0ede5d291f15b8d90a481dcc02bd0b4f24afabae964d2b5dcfd.exe (two loads recorded for the same process)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: 13d4c8f14026e0ede5d291f15b8d90a481dcc02bd0b4f24afabae964d2b5dcfd.exe
  Description: Set value (str)
  IoC: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox attaches the note "Likely ransomware behaviour" to this heuristic, but it is a generic signature: nothing else in this report (no file encryption, no ransom note) supports that reading for this Sakula sample.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeIncBasePriorityPrivilege, PID 956 13d4c8f14026e0ede5d291f15b8d90a481dcc02bd0b4f24afabae964d2b5dcfd.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  source PID  source process                                                          target PID  target process   writes
  956         13d4c8f14026e0ede5d291f15b8d90a481dcc02bd0b4f24afabae964d2b5dcfd.exe    516         MediaCenter.exe  4
  956         13d4c8f14026e0ede5d291f15b8d90a481dcc02bd0b4f24afabae964d2b5dcfd.exe    1188        cmd.exe          4
  1188        cmd.exe                                                                 1184        PING.EXE         4
  Every write is from a parent into a child it has just created; no write into an unrelated process is recorded, so this signature alone is not evidence of code injection.
Processes
1. C:\Users\Admin\AppData\Local\Temp\13d4c8f14026e0ede5d291f15b8d90a481dcc02bd0b4f24afabae964d2b5dcfd.exe (PID 956)
   Command line: "C:\Users\Admin\AppData\Local\Temp\13d4c8f14026e0ede5d291f15b8d90a481dcc02bd0b4f24afabae964d2b5dcfd.exe"
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 516)
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE
   2. C:\Windows\SysWOW64\cmd.exe (PID 1188)
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\13d4c8f14026e0ede5d291f15b8d90a481dcc02bd0b4f24afabae964d2b5dcfd.exe"
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\PING.EXE (PID 1184)
         Command line: ping 127.0.0.1
         - Runs ping.exe

The sample drops MediaCenter.exe into its own Temp folder, registers it under the Run key, then spawns cmd.exe to delete the original file once the ping has introduced a short delay. The cmd.exe command line names System32 but the executed image is under SysWOW64: the sample is 32-bit (note the Wow6432Node Run key) and its child launch is file-system-redirected on this x64 guest.
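The process tree above shows two behaviours worth turning into detections: a Run-key value that points into %LOCALAPPDATA%\Temp, and a cmd.exe child that runs `ping 127.0.0.1 & del /q <own image>` to remove the sample after it exits. The following Python is an added example, not code from the sandbox or from this report: it runs that detection logic over constructed process-creation and registry events whose values are copied from the tree above. The event field names (pid, ppid, image, cmdline, key, value) are an assumption, loosely modelled on Sysmon event IDs 1 and 13.

```python
import re

# Constructed sample events, with values copied from the process tree and
# the Run-key IoC in this report. Field names (pid, ppid, image, cmdline,
# key, value) are an assumption, loosely modelled on Sysmon event IDs 1 and 13.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\13d4c8f14026e0ede5d291f15b8d90a481dcc02bd0b4f24afabae964d2b5dcfd.exe")
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

PROCESS_EVENTS = [
    {"pid": 956, "ppid": 1, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 516, "ppid": 956, "image": DROPPED, "cmdline": DROPPED},
    # Image is SysWOW64 although the command line says System32: the 32-bit
    # sample is subject to file-system redirection on the x64 guest.
    {"pid": 1188, "ppid": 956, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"'},
    {"pid": 1184, "ppid": 1188, "image": r"C:\Windows\SysWOW64\PING.EXE",
     "cmdline": "ping 127.0.0.1"},
]
REGISTRY_EVENTS = [
    {"pid": 956,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "value": DROPPED},
]

# Per-user Temp directory: writable by the user, no admin rights needed to drop there.
USER_TEMP = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)
# Run keys under HKLM or HKCU, including the Wow6432Node view seen in this report.
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)
# "cmd /c ping <host> & del [/switches] <path>": ping is the delay, del removes
# the file once the parent has exited. Captures the deleted path.
PING_THEN_DEL = re.compile(
    r'/c\s+ping\b.*?&\s*del\s+(?:/\w+\s+)*"?(?P<target>[^"&]+?)"?\s*$',
    re.IGNORECASE)


def find_self_deletion(events):
    """(cmd_pid, deleted_path) for every cmd.exe whose ping-then-del command
    targets the image of its own parent process."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if not e["image"].lower().endswith("\\cmd.exe"):
            continue
        m = PING_THEN_DEL.search(e["cmdline"])
        if not m:
            continue
        target = m.group("target").strip()
        parent = by_pid.get(e["ppid"])
        if parent is not None and parent["image"].lower() == target.lower():
            hits.append((e["pid"], target))
    return hits


def find_temp_run_keys(reg_events):
    """(pid, key, value) for Run-key values that point into a user Temp dir."""
    return [(r["pid"], r["key"], r["value"]) for r in reg_events
            if RUN_KEY.search(r["key"]) and USER_TEMP.search(r["value"])]


def find_temp_executions(events):
    """PIDs of processes whose image lives under a user Temp directory."""
    return [e["pid"] for e in events if USER_TEMP.search(e["image"])]


def analyse(process_events, registry_events):
    """Run all three detections and return the findings keyed by name."""
    return {
        "self_deletion": find_self_deletion(process_events),
        "temp_run_keys": find_temp_run_keys(registry_events),
        "temp_executions": find_temp_executions(process_events),
    }


if __name__ == "__main__":
    for name, hits in analyse(PROCESS_EVENTS, REGISTRY_EVENTS).items():
        print(f"{name}: {hits}")
```

The self-deletion check deliberately requires that the path handed to `del` equals the parent's image rather than just matching `ping & del`; a cleanup script that pings and deletes some other file does not fire, while the pattern in this report does.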
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: fd38a0d2af9ccaa67d1e5aef9f9ff44c
  SHA1: 9f2640bd5723c0b56d34d154d52eb7bc2900e6fc
  SHA256: 2569a42d0e5394a8724eaf9be73530ea084700b532306b2ff7bf288d76eeb66a
  SHA512: aacd803e02418ccb717265c18b6a5770473356dbb2cc897c49aff3356c9382f0855b4fe21c4ece04ada0801515cd76ededbfb4e2334a0704fc268cd7f7e97ecf