Analysis
max time kernel: 151s
max time network: 168s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 06:18
Static task: static1
Behavioral task: behavioral1
  Sample: 1057c73bbc03b4f59229ab0c631a1aff5e12cf56c6264d3176823f8bc4cdee27.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 1057c73bbc03b4f59229ab0c631a1aff5e12cf56c6264d3176823f8bc4cdee27.exe
  Resource: win10v2004-en-20220113
General
Target: 1057c73bbc03b4f59229ab0c631a1aff5e12cf56c6264d3176823f8bc4cdee27.exe
Size: 176KB
MD5: 50baff36f4161c259c6ea5af2866d21e
SHA1: ed98d04b39145a603d1896a866b9ef3bccc1eb11
SHA256: 1057c73bbc03b4f59229ab0c631a1aff5e12cf56c6264d3176823f8bc4cdee27
SHA512: 41d154c6b98a0003459b28f19453143b4992018b4c86de270fa77ceea7caab97b2ca7b312620935cafe1b3671930c196ad2aca82c15a25fd1ff0342cbf61b6b1
Malware Config
Signatures
Sakula Payload (4 IoCs)
  resource -> yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe -> family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe -> family_sakula
  behavioral1/memory/948-58-0x0000000000400000-0x0000000000420000-memory.dmp -> family_sakula
  behavioral1/memory/2032-59-0x0000000000400000-0x0000000000420000-memory.dmp -> family_sakula
Executes dropped EXE (1 IoC)
  pid process: 2032 MediaCenter.exe
Deletes itself (1 IoC)
  pid process: 956 cmd.exe
Loads dropped DLL (1 IoC)
  pid process: 948 1057c73bbc03b4f59229ab0c631a1aff5e12cf56c6264d3176823f8bc4cdee27.exe
Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  process: 1057c73bbc03b4f59229ab0c631a1aff5e12cf56c6264d3176823f8bc4cdee27.exe
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). The sandbox attaches the generic note "likely ransomware behaviour" to this signature; that is the signature's canned description, not a verdict on this sample. The YARA matches above classify the sample as Sakula, and no file-encryption activity is recorded in this report.
Runs ping.exe (1 TTPs, 1 IoC)
  pid process: 1588 PING.EXE (see process tree below)
Suspicious use of AdjustPrivilegeToken (1 IoC)
  description: Token: SeIncBasePriorityPrivilege
  pid process: 948 1057c73bbc03b4f59229ab0c631a1aff5e12cf56c6264d3176823f8bc4cdee27.exe
Suspicious use of WriteProcessMemory (12 IoCs)
  PID 948 wrote to memory of 2032 (1057c73bbc03b4f59229ab0c631a1aff5e12cf56c6264d3176823f8bc4cdee27.exe -> MediaCenter.exe), 4 entries
  PID 948 wrote to memory of 956 (1057c73bbc03b4f59229ab0c631a1aff5e12cf56c6264d3176823f8bc4cdee27.exe -> cmd.exe), 4 entries
  PID 956 wrote to memory of 1588 (cmd.exe -> PING.EXE), 4 entries
Processes
C:\Users\Admin\AppData\Local\Temp\1057c73bbc03b4f59229ab0c631a1aff5e12cf56c6264d3176823f8bc4cdee27.exe  (PID 948)
  command line: "C:\Users\Admin\AppData\Local\Temp\1057c73bbc03b4f59229ab0c631a1aff5e12cf56c6264d3176823f8bc4cdee27.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  (PID 2032)
    command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  C:\Windows\SysWOW64\cmd.exe  (PID 956)
    command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\1057c73bbc03b4f59229ab0c631a1aff5e12cf56c6264d3176823f8bc4cdee27.exe"
    (the System32 path in the command line resolves to SysWOW64 because the 32-bit sample is subject to WOW64 file-system redirection, which is also why its Run value lands under Wow6432Node)
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\PING.EXE  (PID 1588)
      command line: ping 127.0.0.1
      - Runs ping.exe
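The behaviours this report records (a payload executed from the drop directory, a Run value written under Wow6432Node that points into %LOCALAPPDATA%\Temp, and self-deletion through cmd /c ping 127.0.0.1 & del /q) translate directly into host-telemetry detections. The following is an added example, not part of the sandbox report or of any sandbox tooling: it runs three such rules plus a known-hash match over constructed Sysmon-style events that mirror the process tree above. The Event field names, the rule names and the sample events are assumptions made for this illustration; the hashes and paths are the ones the report lists.

```python
import re
from dataclasses import dataclass

# SHA256 values copied from the report: the submitted sample and the file under Downloads.
KNOWN_SHA256 = {
    "1057c73bbc03b4f59229ab0c631a1aff5e12cf56c6264d3176823f8bc4cdee27",
    "1e934c34b2d580ab41d2697ee2e7b2befb4b09b21c8f68e555c75eb83f34733c",
}

# Self-deletion idiom from the report: cmd /c ping <loopback> & del /q "<path>".
# ping stalls for about a second so the parent can exit before del runs.
SELF_DELETE_RE = re.compile(
    r'cmd(?:\.exe)?"?\s+/c\s+ping\s+(?:127\.0\.0\.1|localhost)\b.*?'
    r'&\s*del\s+(?:/\w+\s+)*"?(?P<target>[^"]+?)"?\s*$',
    re.IGNORECASE,
)
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
# Matches both the native Run key and the Wow6432Node view used by 32-bit code.
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)


@dataclass
class Event:
    """One Sysmon-style event; the field names are an assumption of this example."""
    kind: str                 # "process" (creation) or "registry" (value set)
    pid: int
    image: str                # path of the executing image
    cmdline: str = ""
    parent_image: str = ""
    sha256: str = ""
    key: str = ""             # registry events: full value path
    value: str = ""           # registry events: data written


def analyse(events):
    """Return [(rule, pid, detail)] for every event that matches a rule."""
    findings = []
    for e in events:
        if e.kind == "process":
            if e.sha256.lower() in KNOWN_SHA256:
                findings.append(("known_hash", e.pid, e.sha256))
            # Binary under Temp launched by another binary under Temp:
            # the dropper-runs-payload pattern (PID 948 -> 2032 in the report).
            if TEMP_DIR_RE.search(e.image) and TEMP_DIR_RE.search(e.parent_image):
                findings.append(("temp_drop_exec", e.pid, e.image))
            m = SELF_DELETE_RE.search(e.cmdline)
            # Only flag when the file being deleted is the parent's own image.
            if m and m.group("target").strip().lower() == e.parent_image.lower():
                findings.append(("self_delete", e.pid, e.parent_image))
        elif e.kind == "registry":
            # Autostart value pointing into a user temp directory.
            if RUN_KEY_RE.search(e.key) and TEMP_DIR_RE.search(e.value):
                findings.append(("run_key_temp", e.pid, e.value))
    return findings


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\1057c73bbc03b4f59229ab0c631a1aff5e12cf56c6264d3176823f8bc4cdee27.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"

# Constructed events mirroring the report's process tree and Run-key write
# (the explorer.exe parent of PID 948 is assumed; the report does not show it).
CONSTRUCTED_EVENTS = [
    Event("process", 948, SAMPLE, '"' + SAMPLE + '"', r"C:\Windows\explorer.exe",
          sha256="1057c73bbc03b4f59229ab0c631a1aff5e12cf56c6264d3176823f8bc4cdee27"),
    Event("registry", 948, SAMPLE,
          key=r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
          value=DROPPED),
    Event("process", 2032, DROPPED, DROPPED, SAMPLE),
    Event("process", 956, CMD,
          r'"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "' + SAMPLE + '"',
          SAMPLE),
    Event("process", 1588, r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.1", CMD),
]

if __name__ == "__main__":
    for rule, pid, detail in analyse(CONSTRUCTED_EVENTS):
        print(f"{rule:<15} pid={pid:<5} {detail}")
```

Two points worth keeping when adapting this: the Run value in the report lives under Wow6432Node because the sample is 32-bit, so a host check has to read both the native and the WOW64 registry view; and the self-delete rule only fires when the del target equals the parent's own image, which keeps ordinary ping-then-delete cleanup batch files from tripping it.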
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: 3063447c3e8db23c9058b031e94f817d
SHA1: 8621d68a7c11dff1b7c376a9a971f1686e789437
SHA256: 1e934c34b2d580ab41d2697ee2e7b2befb4b09b21c8f68e555c75eb83f34733c
SHA512: e72b7e8cb0da51a2fe727d1024102874e2f501e5bb11685e3a7d79427413825eb81d73a9f9a635162f3d25e3b31a66829121cdc04022af26dd7798fa494851a5