Analysis

max time kernel: 156s
max time network: 171s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 06:19
Static task: static1

Behavioral task: behavioral1
  Sample: 10513915fb034803d53e8406800074799527206cf504bcf8034a5804c3b336c1.exe
  Resource: win7-en-20211208

Behavioral task: behavioral2
  Sample: 10513915fb034803d53e8406800074799527206cf504bcf8034a5804c3b336c1.exe
  Resource: win10v2004-en-20220113
General

Target: 10513915fb034803d53e8406800074799527206cf504bcf8034a5804c3b336c1.exe
Size: 99KB
MD5: 6be173a143ea8e2724c54d7d789efbe1
SHA1: ee48b3bcb4458e29db33b2ac02180f195eb93ac1
SHA256: 10513915fb034803d53e8406800074799527206cf504bcf8034a5804c3b336c1
SHA512: 1933b402c1a23322005c3ae7b55f609605334f8d3b60ef3ba77acbb927999994bbc1f8f4677fed21a75f5a3fb3cb9ed94171a9aa3b9fd8927b123c824dfc2dd4
Malware Config
Signatures
Sakula Payload (3 IoCs)
  resource                                                      yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe    family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  family_sakula
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe    family_sakula
Executes dropped EXE (1 IoC)
  pid   process
  1968  MediaCenter.exe
Deletes itself (1 IoC)
  pid   process
  1216  cmd.exe
Loads dropped DLL (2 IoCs)
  pid   process
  1480  10513915fb034803d53e8406800074799527206cf504bcf8034a5804c3b336c1.exe
  1480  10513915fb034803d53e8406800074799527206cf504bcf8034a5804c3b336c1.exe
Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  process: 10513915fb034803d53e8406800074799527206cf504bcf8034a5804c3b336c1.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Runs ping.exe (1 TTP, 1 IoC)
Suspicious use of AdjustPrivilegeToken (1 IoC)
  description                        pid   process
  Token: SeIncBasePriorityPrivilege  1480  10513915fb034803d53e8406800074799527206cf504bcf8034a5804c3b336c1.exe
Suspicious use of WriteProcessMemory (12 IoCs)
  description                       pid   process                                                                  target process
  PID 1480 wrote to memory of 1968  1480  10513915fb034803d53e8406800074799527206cf504bcf8034a5804c3b336c1.exe  MediaCenter.exe
  PID 1480 wrote to memory of 1968  1480  10513915fb034803d53e8406800074799527206cf504bcf8034a5804c3b336c1.exe  MediaCenter.exe
  PID 1480 wrote to memory of 1968  1480  10513915fb034803d53e8406800074799527206cf504bcf8034a5804c3b336c1.exe  MediaCenter.exe
  PID 1480 wrote to memory of 1968  1480  10513915fb034803d53e8406800074799527206cf504bcf8034a5804c3b336c1.exe  MediaCenter.exe
  PID 1480 wrote to memory of 1216  1480  10513915fb034803d53e8406800074799527206cf504bcf8034a5804c3b336c1.exe  cmd.exe
  PID 1480 wrote to memory of 1216  1480  10513915fb034803d53e8406800074799527206cf504bcf8034a5804c3b336c1.exe  cmd.exe
  PID 1480 wrote to memory of 1216  1480  10513915fb034803d53e8406800074799527206cf504bcf8034a5804c3b336c1.exe  cmd.exe
  PID 1480 wrote to memory of 1216  1480  10513915fb034803d53e8406800074799527206cf504bcf8034a5804c3b336c1.exe  cmd.exe
  PID 1216 wrote to memory of 1552  1216  cmd.exe                                                                  PING.EXE
  PID 1216 wrote to memory of 1552  1216  cmd.exe                                                                  PING.EXE
  PID 1216 wrote to memory of 1552  1216  cmd.exe                                                                  PING.EXE
  PID 1216 wrote to memory of 1552  1216  cmd.exe                                                                  PING.EXE
Processes

C:\Users\Admin\AppData\Local\Temp\10513915fb034803d53e8406800074799527206cf504bcf8034a5804c3b336c1.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\10513915fb034803d53e8406800074799527206cf504bcf8034a5804c3b336c1.exe"
  PID: 1480
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      PID: 1968
      - Executes dropped EXE

    C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\10513915fb034803d53e8406800074799527206cf504bcf8034a5804c3b336c1.exe"
      PID: 1216
      - Deletes itself
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\PING.EXE
          command line: ping 127.0.0.1
          PID: 1552
          - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads

MD5: 46eca08b877aca2f5c22623154ffe624
SHA1: 7929f6aac27eb1850f3a5d4ae009f4a682260cd3
SHA256: e6fefaa8f61a4a15c9b4dcc325713fb84b93bf6631ac04fe8ce520893b2ea5a9
SHA512: 12231c5635759de08a51781a8f6c09295231663ce0c61bcd84fbae633fcdf5f5afeef297e95209a1e9c38f2250211d4e067766cd2aa047a0e243cd9e6a56e81f