Analysis
- max time kernel: 146s
- max time network: 158s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 05:19
Static task: static1
Behavioral task: behavioral1
- Sample: 1315bd183e9112332d8f86a763c7ff8457acb08e6b8c280c0503b5fdeca5aa1d.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 1315bd183e9112332d8f86a763c7ff8457acb08e6b8c280c0503b5fdeca5aa1d.exe
- Resource: win10v2004-en-20220113
General
- Target: 1315bd183e9112332d8f86a763c7ff8457acb08e6b8c280c0503b5fdeca5aa1d.exe
- Size: 92KB
- MD5: 932e9976ecbb281f67401d068eb37564
- SHA1: 3eee41ae286c6d70b8f4b810dfc40b3a8e39431b
- SHA256: 1315bd183e9112332d8f86a763c7ff8457acb08e6b8c280c0503b5fdeca5aa1d
- SHA512: 091bf17a2d875d813d2893bf7cd0ab7f9cb04e2b6c6a581d88edbbe3ac82839dcfcbe1c1f19c38b17b541a4aee620ab6bb47713d8fdc6552b46cb1f7a4dd0d43
Malware Config
Signatures

Sakula Payload (2 IoCs)
Processes (resource / yara_rule):
- \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe / family_sakula
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe / family_sakula

Executes dropped EXE (1 IoCs)
Processes (pid / process):
- 592 / MediaCenter.exe

Deletes itself (1 IoCs)
Processes (pid / process):
- 640 / cmd.exe

Loads dropped DLL (1 IoCs)
Processes (pid / process):
- 1156 / 1315bd183e9112332d8f86a763c7ff8457acb08e6b8c280c0503b5fdeca5aa1d.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
Processes (description / ioc / process):
- Set value (str) / \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" / 1315bd183e9112332d8f86a763c7ff8457acb08e6b8c280c0503b5fdeca5aa1d.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTPs, 1 IoCs)

Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes (description / pid / process):
- Token: SeIncBasePriorityPrivilege / 1156 / 1315bd183e9112332d8f86a763c7ff8457acb08e6b8c280c0503b5fdeca5aa1d.exe

Suspicious use of WriteProcessMemory (12 IoCs)
Processes (description / pid / process / target process):
- PID 1156 wrote to memory of 592 / 1156 / 1315bd183e9112332d8f86a763c7ff8457acb08e6b8c280c0503b5fdeca5aa1d.exe / MediaCenter.exe
- PID 1156 wrote to memory of 592 / 1156 / 1315bd183e9112332d8f86a763c7ff8457acb08e6b8c280c0503b5fdeca5aa1d.exe / MediaCenter.exe
- PID 1156 wrote to memory of 592 / 1156 / 1315bd183e9112332d8f86a763c7ff8457acb08e6b8c280c0503b5fdeca5aa1d.exe / MediaCenter.exe
- PID 1156 wrote to memory of 592 / 1156 / 1315bd183e9112332d8f86a763c7ff8457acb08e6b8c280c0503b5fdeca5aa1d.exe / MediaCenter.exe
- PID 1156 wrote to memory of 640 / 1156 / 1315bd183e9112332d8f86a763c7ff8457acb08e6b8c280c0503b5fdeca5aa1d.exe / cmd.exe
- PID 1156 wrote to memory of 640 / 1156 / 1315bd183e9112332d8f86a763c7ff8457acb08e6b8c280c0503b5fdeca5aa1d.exe / cmd.exe
- PID 1156 wrote to memory of 640 / 1156 / 1315bd183e9112332d8f86a763c7ff8457acb08e6b8c280c0503b5fdeca5aa1d.exe / cmd.exe
- PID 1156 wrote to memory of 640 / 1156 / 1315bd183e9112332d8f86a763c7ff8457acb08e6b8c280c0503b5fdeca5aa1d.exe / cmd.exe
- PID 640 wrote to memory of 772 / 640 / cmd.exe / PING.EXE
- PID 640 wrote to memory of 772 / 640 / cmd.exe / PING.EXE
- PID 640 wrote to memory of 772 / 640 / cmd.exe / PING.EXE
- PID 640 wrote to memory of 772 / 640 / cmd.exe / PING.EXE
Processes

1. C:\Users\Admin\AppData\Local\Temp\1315bd183e9112332d8f86a763c7ff8457acb08e6b8c280c0503b5fdeca5aa1d.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\1315bd183e9112332d8f86a763c7ff8457acb08e6b8c280c0503b5fdeca5aa1d.exe"
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   PID: 1156

   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE
      PID: 592

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\1315bd183e9112332d8f86a763c7ff8457acb08e6b8c280c0503b5fdeca5aa1d.exe"
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      PID: 640

      3. C:\Windows\SysWOW64\PING.EXE
         Command line: ping 127.0.0.1
         - Runs ping.exe
         PID: 772
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 5bb098bb72d42008c09753fcd45d1457
- SHA1: f29362e63a2cea46380bb2d969ed1590a10706e6
- SHA256: 22a6b7c6dc16cf47bec283160426ce2a35d7f69e158ed9a7c8638ad50d8f0115
- SHA512: 3e873c3b82a842a8c53890ef23c0d85ad7732733d04e52275509c64678790310cbac0354cf2f69347a166d7b31d527fc250ce86aa54a468b87d36b153173f67f