Analysis
- max time kernel: 145s
- max time network: 154s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 06:22
Static task: static1
Behavioral task: behavioral1
  Sample: 103630b1bf5950ccae2337b0d7fd61449f5022de8384a84a39ab6356d120f29a.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 103630b1bf5950ccae2337b0d7fd61449f5022de8384a84a39ab6356d120f29a.exe
  Resource: win10v2004-en-20220112
General
- Target: 103630b1bf5950ccae2337b0d7fd61449f5022de8384a84a39ab6356d120f29a.exe
- Size: 99KB
- MD5: f3a366c134ea0f76db4aa74c7dedae67
- SHA1: d09f4e1a6976ac10509bb76cc94878d0d26ba842
- SHA256: 103630b1bf5950ccae2337b0d7fd61449f5022de8384a84a39ab6356d120f29a
- SHA512: 8e2a1f85adb0ccd896b5e4fb8bf6e6f86064008857ed9ecf9f6a9d733a2ff278fb0b945e93c87d222e19fc627aff712e5229e513a49fdca603c5584e845c8eea
Malware Config
Signatures
- Sakula Payload (3 IoCs)
  Processes:
    resource | yara_rule
    \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
    \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- Executes dropped EXE (1 IoC)
  Processes:
    pid | process
    1040 | MediaCenter.exe
- Deletes itself (1 IoC)
  Processes:
    pid | process
    432 | cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes:
    pid | process
    1660 | 103630b1bf5950ccae2337b0d7fd61449f5022de8384a84a39ab6356d120f29a.exe
    1660 | 103630b1bf5950ccae2337b0d7fd61449f5022de8384a84a39ab6356d120f29a.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    description | ioc | process
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 103630b1bf5950ccae2337b0d7fd61449f5022de8384a84a39ab6356d120f29a.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description | pid | process
    Token: SeIncBasePriorityPrivilege | 1660 | 103630b1bf5950ccae2337b0d7fd61449f5022de8384a84a39ab6356d120f29a.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
    description | pid | process | target process
    PID 1660 wrote to memory of 1040 | 1660 | 103630b1bf5950ccae2337b0d7fd61449f5022de8384a84a39ab6356d120f29a.exe | MediaCenter.exe
    PID 1660 wrote to memory of 1040 | 1660 | 103630b1bf5950ccae2337b0d7fd61449f5022de8384a84a39ab6356d120f29a.exe | MediaCenter.exe
    PID 1660 wrote to memory of 1040 | 1660 | 103630b1bf5950ccae2337b0d7fd61449f5022de8384a84a39ab6356d120f29a.exe | MediaCenter.exe
    PID 1660 wrote to memory of 1040 | 1660 | 103630b1bf5950ccae2337b0d7fd61449f5022de8384a84a39ab6356d120f29a.exe | MediaCenter.exe
    PID 1660 wrote to memory of 432 | 1660 | 103630b1bf5950ccae2337b0d7fd61449f5022de8384a84a39ab6356d120f29a.exe | cmd.exe
    PID 1660 wrote to memory of 432 | 1660 | 103630b1bf5950ccae2337b0d7fd61449f5022de8384a84a39ab6356d120f29a.exe | cmd.exe
    PID 1660 wrote to memory of 432 | 1660 | 103630b1bf5950ccae2337b0d7fd61449f5022de8384a84a39ab6356d120f29a.exe | cmd.exe
    PID 1660 wrote to memory of 432 | 1660 | 103630b1bf5950ccae2337b0d7fd61449f5022de8384a84a39ab6356d120f29a.exe | cmd.exe
    PID 432 wrote to memory of 1068 | 432 | cmd.exe | PING.EXE
    PID 432 wrote to memory of 1068 | 432 | cmd.exe | PING.EXE
    PID 432 wrote to memory of 1068 | 432 | cmd.exe | PING.EXE
    PID 432 wrote to memory of 1068 | 432 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\103630b1bf5950ccae2337b0d7fd61449f5022de8384a84a39ab6356d120f29a.exe (PID 1660, level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\103630b1bf5950ccae2337b0d7fd61449f5022de8384a84a39ab6356d120f29a.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 1040, level 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 432, level 2)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\103630b1bf5950ccae2337b0d7fd61449f5022de8384a84a39ab6356d120f29a.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 1068, level 3)
      Command line: ping 127.0.0.1
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 8b284ea5b2bed16c194cd0f659b8e9ce
  SHA1: 11a9f757a47ffb8f07ba663595c67cf6f304faeb
  SHA256: 1949a04a539d11926405eaeac002c4e00c469f2276e0890a56965fb58ba35ce2
  SHA512: 52394172544dc48a3a20ebc553d61e09da0b586d1a61a3ab789bbf75ca15aecafe812bf534e03dc804fe05e98ebf94b0f60b94a394a5f140b468c2c603f00237