Analysis
- max time kernel: 145s
- max time network: 157s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 06:20
Static task: static1
Behavioral task: behavioral1
- Sample: 1042c5fe5dccec7989029519511bb12fb1974b07d213c8ca3d070bdf4cdff9b3.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 1042c5fe5dccec7989029519511bb12fb1974b07d213c8ca3d070bdf4cdff9b3.exe
- Resource: win10v2004-en-20220113
General
- Target: 1042c5fe5dccec7989029519511bb12fb1974b07d213c8ca3d070bdf4cdff9b3.exe
- Size: 192KB
- MD5: f2fff3676c8521c9df0f035bb48df22b
- SHA1: c990e49f43681fdd269718692f3771c2534652d6
- SHA256: 1042c5fe5dccec7989029519511bb12fb1974b07d213c8ca3d070bdf4cdff9b3
- SHA512: 3ca67db89d277bd51c22b9bac98f796a9dc83a936b4d8dfdeed8997e71e3c3b679722e6d6f7b061227e95c28a9cf2fcd544f6f2707243574991aca0805ea00cc
Malware Config
Signatures
- Sakula Payload (3 IoCs)
  Processes:
    resource  ->  yara_rule
    \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  ->  family_sakula
    \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  ->  family_sakula
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  ->  family_sakula
- Executes dropped EXE (1 IoCs)
  Processes: MediaCenter.exe
    pid   process
    1516  MediaCenter.exe
- Deletes itself (1 IoCs)
  Processes: cmd.exe
    pid   process
    2008  cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes: 1042c5fe5dccec7989029519511bb12fb1974b07d213c8ca3d070bdf4cdff9b3.exe
    pid   process
    1552  1042c5fe5dccec7989029519511bb12fb1974b07d213c8ca3d070bdf4cdff9b3.exe
    1552  1042c5fe5dccec7989029519511bb12fb1974b07d213c8ca3d070bdf4cdff9b3.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes: 1042c5fe5dccec7989029519511bb12fb1974b07d213c8ca3d070bdf4cdff9b3.exe
    description: Set value (str)
    ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
    process: 1042c5fe5dccec7989029519511bb12fb1974b07d213c8ca3d070bdf4cdff9b3.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: 1042c5fe5dccec7989029519511bb12fb1974b07d213c8ca3d070bdf4cdff9b3.exe
    description: Token: SeIncBasePriorityPrivilege
    pid: 1552
    process: 1042c5fe5dccec7989029519511bb12fb1974b07d213c8ca3d070bdf4cdff9b3.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes: 1042c5fe5dccec7989029519511bb12fb1974b07d213c8ca3d070bdf4cdff9b3.exe, cmd.exe
    description                       pid   process                                                                   target process
    PID 1552 wrote to memory of 1516  1552  1042c5fe5dccec7989029519511bb12fb1974b07d213c8ca3d070bdf4cdff9b3.exe  MediaCenter.exe
    PID 1552 wrote to memory of 1516  1552  1042c5fe5dccec7989029519511bb12fb1974b07d213c8ca3d070bdf4cdff9b3.exe  MediaCenter.exe
    PID 1552 wrote to memory of 1516  1552  1042c5fe5dccec7989029519511bb12fb1974b07d213c8ca3d070bdf4cdff9b3.exe  MediaCenter.exe
    PID 1552 wrote to memory of 1516  1552  1042c5fe5dccec7989029519511bb12fb1974b07d213c8ca3d070bdf4cdff9b3.exe  MediaCenter.exe
    PID 1552 wrote to memory of 2008  1552  1042c5fe5dccec7989029519511bb12fb1974b07d213c8ca3d070bdf4cdff9b3.exe  cmd.exe
    PID 1552 wrote to memory of 2008  1552  1042c5fe5dccec7989029519511bb12fb1974b07d213c8ca3d070bdf4cdff9b3.exe  cmd.exe
    PID 1552 wrote to memory of 2008  1552  1042c5fe5dccec7989029519511bb12fb1974b07d213c8ca3d070bdf4cdff9b3.exe  cmd.exe
    PID 1552 wrote to memory of 2008  1552  1042c5fe5dccec7989029519511bb12fb1974b07d213c8ca3d070bdf4cdff9b3.exe  cmd.exe
    PID 2008 wrote to memory of 1156  2008  cmd.exe                                                                   PING.EXE
    PID 2008 wrote to memory of 1156  2008  cmd.exe                                                                   PING.EXE
    PID 2008 wrote to memory of 1156  2008  cmd.exe                                                                   PING.EXE
    PID 2008 wrote to memory of 1156  2008  cmd.exe                                                                   PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\1042c5fe5dccec7989029519511bb12fb1974b07d213c8ca3d070bdf4cdff9b3.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\1042c5fe5dccec7989029519511bb12fb1974b07d213c8ca3d070bdf4cdff9b3.exe"
  PID: 1552
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 1516
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\1042c5fe5dccec7989029519511bb12fb1974b07d213c8ca3d070bdf4cdff9b3.exe"
    PID: 2008
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (depth 3)
      Command line: ping 127.0.0.1
      PID: 1156
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 1910d894420b17d267e21628194e65df
  SHA1: a1141e0dde7631f3339e10c363da1d07cc05cc2a
  SHA256: 7c98e4222963c58c63ef819a52de1d1f6945875c636d0acaede07f82ee97eee2
  SHA512: 6b3261bb0f9baaff987b31169e30e2a44f85115860dc9d393c29fcbf7c4082eb528cb374363d3fb6a121eb28f4d04bc5536efcd841c85a008229fb8cc2dc014d