Analysis
- max time kernel: 119s
- max time network: 131s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 05:03
Static task: static1
Behavioral task: behavioral1
- Sample: 13c973de9cf0bf19bdc2166520fc9642c6b8759a604ca5971848bc10e13745b8.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 13c973de9cf0bf19bdc2166520fc9642c6b8759a604ca5971848bc10e13745b8.exe
- Resource: win10v2004-en-20220112
General
- Target: 13c973de9cf0bf19bdc2166520fc9642c6b8759a604ca5971848bc10e13745b8.exe
- Size: 101KB
- MD5: 6a75ba6d9e16c05f224d3ef41d7ff143
- SHA1: 4e67625a7341475d3d28e9d6d42a74f3389a175d
- SHA256: 13c973de9cf0bf19bdc2166520fc9642c6b8759a604ca5971848bc10e13745b8
- SHA512: 1f8ba160ad1aa0030ece3e9ef44dc66d1a02cbe33e63cf6499977e2cb11b94960ebd4e7ff4fdc107eb63c6d0aef275c45f8f22146c7adf2f23cc3bc7c1bb40f9
Malware Config
Signatures
- Sakula Payload (3 IoCs)
  Processes (resource, yara_rule):
  - \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe: family_sakula
  - \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe: family_sakula
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe: family_sakula
- Executes dropped EXE (1 IoC)
  Processes (pid, process):
  - 1212 MediaCenter.exe
- Deletes itself (1 IoC)
  Processes (pid, process):
  - 776 cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid, process):
  - 856 13c973de9cf0bf19bdc2166520fc9642c6b8759a604ca5971848bc10e13745b8.exe
  - 856 13c973de9cf0bf19bdc2166520fc9642c6b8759a604ca5971848bc10e13745b8.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description, ioc, process):
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" (13c973de9cf0bf19bdc2166520fc9642c6b8759a604ca5971848bc10e13745b8.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description, pid, process):
  - Token: SeIncBasePriorityPrivilege, 856, 13c973de9cf0bf19bdc2166520fc9642c6b8759a604ca5971848bc10e13745b8.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description, pid, process, target process):
  - PID 856 wrote to memory of 1212: 13c973de9cf0bf19bdc2166520fc9642c6b8759a604ca5971848bc10e13745b8.exe -> MediaCenter.exe
  - PID 856 wrote to memory of 1212: 13c973de9cf0bf19bdc2166520fc9642c6b8759a604ca5971848bc10e13745b8.exe -> MediaCenter.exe
  - PID 856 wrote to memory of 1212: 13c973de9cf0bf19bdc2166520fc9642c6b8759a604ca5971848bc10e13745b8.exe -> MediaCenter.exe
  - PID 856 wrote to memory of 1212: 13c973de9cf0bf19bdc2166520fc9642c6b8759a604ca5971848bc10e13745b8.exe -> MediaCenter.exe
  - PID 856 wrote to memory of 776: 13c973de9cf0bf19bdc2166520fc9642c6b8759a604ca5971848bc10e13745b8.exe -> cmd.exe
  - PID 856 wrote to memory of 776: 13c973de9cf0bf19bdc2166520fc9642c6b8759a604ca5971848bc10e13745b8.exe -> cmd.exe
  - PID 856 wrote to memory of 776: 13c973de9cf0bf19bdc2166520fc9642c6b8759a604ca5971848bc10e13745b8.exe -> cmd.exe
  - PID 856 wrote to memory of 776: 13c973de9cf0bf19bdc2166520fc9642c6b8759a604ca5971848bc10e13745b8.exe -> cmd.exe
  - PID 776 wrote to memory of 1332: cmd.exe -> PING.EXE
  - PID 776 wrote to memory of 1332: cmd.exe -> PING.EXE
  - PID 776 wrote to memory of 1332: cmd.exe -> PING.EXE
  - PID 776 wrote to memory of 1332: cmd.exe -> PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\13c973de9cf0bf19bdc2166520fc9642c6b8759a604ca5971848bc10e13745b8.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\13c973de9cf0bf19bdc2166520fc9642c6b8759a604ca5971848bc10e13745b8.exe"
  PID: 856
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 1212
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\13c973de9cf0bf19bdc2166520fc9642c6b8759a604ca5971848bc10e13745b8.exe"
    PID: 776
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 1332
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 20cc3103016eaa3c9d214ba6f85753f2
  SHA1: 94edddf0f12da13575c19058405b8876dc0a73b9
  SHA256: 4523537e42fab46c45950c1a86cde19366a1a81f6d274896c2f6e23cb7272f56
  SHA512: 0cee0fa9c79cdbc3409c0432302166aed7eb7155390e6abfdc3986b97b3db44972aeaef55ac24e0c84bb83e557ab24fdeb465a6d1c2ef30d7182893122557751