Analysis
-
max time kernel
141s -
max time network
152s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
12-02-2022 06:23
Static task
static1
Behavioral task
behavioral1
Sample
101e33509e688508c996ce344e61f2765fd01491cbabdfff536a781898a97b53.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
101e33509e688508c996ce344e61f2765fd01491cbabdfff536a781898a97b53.exe
Resource
win10v2004-en-20220113
General
-
Target
101e33509e688508c996ce344e61f2765fd01491cbabdfff536a781898a97b53.exe
-
Size
216KB
-
MD5
4b84392c6de66c2d73f9213fed639a50
-
SHA1
370670b28287e2db55e33937e7f54f5cd2a5b3a7
-
SHA256
101e33509e688508c996ce344e61f2765fd01491cbabdfff536a781898a97b53
-
SHA512
309c117a9c1013a84c28e211f64d69afdef6b6ba3cea57e9341921b396722d059aee800045321e51880d8f9d686a4e09a97f780550a7747093f412ce33d20c16
Malware Config
Signatures
-
Sakula Payload 4 IoCs
Processes:
resource yara_rule \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula behavioral1/memory/528-58-0x0000000000400000-0x0000000000420000-memory.dmp family_sakula behavioral1/memory/1684-59-0x0000000000400000-0x0000000000420000-memory.dmp family_sakula -
Executes dropped EXE 1 IoCs
Processes:
MediaCenter.exepid process 1684 MediaCenter.exe -
Deletes itself 1 IoCs
Processes:
cmd.exepid process 1984 cmd.exe -
Loads dropped DLL 1 IoCs
Processes:
101e33509e688508c996ce344e61f2765fd01491cbabdfff536a781898a97b53.exepid process 528 101e33509e688508c996ce344e61f2765fd01491cbabdfff536a781898a97b53.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
101e33509e688508c996ce344e61f2765fd01491cbabdfff536a781898a97b53.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" 101e33509e688508c996ce344e61f2765fd01491cbabdfff536a781898a97b53.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
101e33509e688508c996ce344e61f2765fd01491cbabdfff536a781898a97b53.exedescription pid process Token: SeIncBasePriorityPrivilege 528 101e33509e688508c996ce344e61f2765fd01491cbabdfff536a781898a97b53.exe -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
101e33509e688508c996ce344e61f2765fd01491cbabdfff536a781898a97b53.execmd.exedescription pid process target process PID 528 wrote to memory of 1684 528 101e33509e688508c996ce344e61f2765fd01491cbabdfff536a781898a97b53.exe MediaCenter.exe PID 528 wrote to memory of 1684 528 101e33509e688508c996ce344e61f2765fd01491cbabdfff536a781898a97b53.exe MediaCenter.exe PID 528 wrote to memory of 1684 528 101e33509e688508c996ce344e61f2765fd01491cbabdfff536a781898a97b53.exe MediaCenter.exe PID 528 wrote to memory of 1684 528 101e33509e688508c996ce344e61f2765fd01491cbabdfff536a781898a97b53.exe MediaCenter.exe PID 528 wrote to memory of 1984 528 101e33509e688508c996ce344e61f2765fd01491cbabdfff536a781898a97b53.exe cmd.exe PID 528 wrote to memory of 1984 528 101e33509e688508c996ce344e61f2765fd01491cbabdfff536a781898a97b53.exe cmd.exe PID 528 wrote to memory of 1984 528 101e33509e688508c996ce344e61f2765fd01491cbabdfff536a781898a97b53.exe cmd.exe PID 528 wrote to memory of 1984 528 101e33509e688508c996ce344e61f2765fd01491cbabdfff536a781898a97b53.exe cmd.exe PID 1984 wrote to memory of 1944 1984 cmd.exe PING.EXE PID 1984 wrote to memory of 1944 1984 cmd.exe PING.EXE PID 1984 wrote to memory of 1944 1984 cmd.exe PING.EXE PID 1984 wrote to memory of 1944 1984 cmd.exe PING.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\101e33509e688508c996ce344e61f2765fd01491cbabdfff536a781898a97b53.exe"C:\Users\Admin\AppData\Local\Temp\101e33509e688508c996ce344e61f2765fd01491cbabdfff536a781898a97b53.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:528 -
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeC:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe2⤵
- Executes dropped EXE
PID:1684 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\101e33509e688508c996ce344e61f2765fd01491cbabdfff536a781898a97b53.exe"2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1984 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.13⤵
- Runs ping.exe
PID:1944
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
365dd4d72dd0154e3c0282f425854f44
SHA152371030492fa63850b225a82d392b921431ac8d
SHA2569f3dc5da42826a1539bfa02dbe1df50dde61e663c2c55611d7d48be78004f710
SHA51247f4a88fa4bfa48b7ae6ebe7e25a7a3cadf63d4a0315338abfc168b90eaec8344631f94ada7c64e4839109ab41257aa7ebe248ceac17ee69a69080af3fc7fb7e
-
MD5
365dd4d72dd0154e3c0282f425854f44
SHA152371030492fa63850b225a82d392b921431ac8d
SHA2569f3dc5da42826a1539bfa02dbe1df50dde61e663c2c55611d7d48be78004f710
SHA51247f4a88fa4bfa48b7ae6ebe7e25a7a3cadf63d4a0315338abfc168b90eaec8344631f94ada7c64e4839109ab41257aa7ebe248ceac17ee69a69080af3fc7fb7e