Analysis
- max time kernel: 159s
- max time network: 170s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 06:25
Static task: static1
Behavioral task: behavioral1
  Sample: 100c1d367329693cb1dc305c6a2ddf3fd42dcc920564305d03c06400b25f0950.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 100c1d367329693cb1dc305c6a2ddf3fd42dcc920564305d03c06400b25f0950.exe
  Resource: win10v2004-en-20220112
General
- Target: 100c1d367329693cb1dc305c6a2ddf3fd42dcc920564305d03c06400b25f0950.exe
- Size: 79KB
- MD5: 7d6def0580d252d7bc98643925de7131
- SHA1: 1c5143987e1f1ccbb3ae0566132fe14ca6fe8d29
- SHA256: 100c1d367329693cb1dc305c6a2ddf3fd42dcc920564305d03c06400b25f0950
- SHA512: 45c44e5a6a767c9dbb1e99468e8b6abf5b351f2c711030db1ade11c3dcc56983324907639b85a410f39e54eb5e6e0302658da89dc32de6c9f30a1bf5d4609d00
Malware Config
Signatures
- Sakula Payload (3 IoCs)
  Processes:
  resource: \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | yara_rule: family_sakula
  resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | yara_rule: family_sakula
  resource: \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | yara_rule: family_sakula
- Executes dropped EXE (1 IoC)
  Processes: MediaCenter.exe
  pid: 656 | process: MediaCenter.exe
- Deletes itself (1 IoC)
  Processes: cmd.exe
  pid: 820 | process: cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes: 100c1d367329693cb1dc305c6a2ddf3fd42dcc920564305d03c06400b25f0950.exe
  pid: 1500 | process: 100c1d367329693cb1dc305c6a2ddf3fd42dcc920564305d03c06400b25f0950.exe
  pid: 1500 | process: 100c1d367329693cb1dc305c6a2ddf3fd42dcc920564305d03c06400b25f0950.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: 100c1d367329693cb1dc305c6a2ddf3fd42dcc920564305d03c06400b25f0950.exe
  description: Set value (str) | ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | process: 100c1d367329693cb1dc305c6a2ddf3fd42dcc920564305d03c06400b25f0950.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: 100c1d367329693cb1dc305c6a2ddf3fd42dcc920564305d03c06400b25f0950.exe
  description: Token: SeIncBasePriorityPrivilege | pid: 1500 | process: 100c1d367329693cb1dc305c6a2ddf3fd42dcc920564305d03c06400b25f0950.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes: 100c1d367329693cb1dc305c6a2ddf3fd42dcc920564305d03c06400b25f0950.exe, cmd.exe
  description: PID 1500 wrote to memory of 656 | pid: 1500 | process: 100c1d367329693cb1dc305c6a2ddf3fd42dcc920564305d03c06400b25f0950.exe | target process: MediaCenter.exe
  description: PID 1500 wrote to memory of 656 | pid: 1500 | process: 100c1d367329693cb1dc305c6a2ddf3fd42dcc920564305d03c06400b25f0950.exe | target process: MediaCenter.exe
  description: PID 1500 wrote to memory of 656 | pid: 1500 | process: 100c1d367329693cb1dc305c6a2ddf3fd42dcc920564305d03c06400b25f0950.exe | target process: MediaCenter.exe
  description: PID 1500 wrote to memory of 656 | pid: 1500 | process: 100c1d367329693cb1dc305c6a2ddf3fd42dcc920564305d03c06400b25f0950.exe | target process: MediaCenter.exe
  description: PID 1500 wrote to memory of 820 | pid: 1500 | process: 100c1d367329693cb1dc305c6a2ddf3fd42dcc920564305d03c06400b25f0950.exe | target process: cmd.exe
  description: PID 1500 wrote to memory of 820 | pid: 1500 | process: 100c1d367329693cb1dc305c6a2ddf3fd42dcc920564305d03c06400b25f0950.exe | target process: cmd.exe
  description: PID 1500 wrote to memory of 820 | pid: 1500 | process: 100c1d367329693cb1dc305c6a2ddf3fd42dcc920564305d03c06400b25f0950.exe | target process: cmd.exe
  description: PID 1500 wrote to memory of 820 | pid: 1500 | process: 100c1d367329693cb1dc305c6a2ddf3fd42dcc920564305d03c06400b25f0950.exe | target process: cmd.exe
  description: PID 820 wrote to memory of 1976 | pid: 820 | process: cmd.exe | target process: PING.EXE
  description: PID 820 wrote to memory of 1976 | pid: 820 | process: cmd.exe | target process: PING.EXE
  description: PID 820 wrote to memory of 1976 | pid: 820 | process: cmd.exe | target process: PING.EXE
  description: PID 820 wrote to memory of 1976 | pid: 820 | process: cmd.exe | target process: PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\100c1d367329693cb1dc305c6a2ddf3fd42dcc920564305d03c06400b25f0950.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\100c1d367329693cb1dc305c6a2ddf3fd42dcc920564305d03c06400b25f0950.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1500
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 656
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\100c1d367329693cb1dc305c6a2ddf3fd42dcc920564305d03c06400b25f0950.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 820
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1976
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 87db621a3ad76df3571c2d27f43e8bc2
  SHA1: 58d20d37a00822e535b3213c78f34f748dd27c74
  SHA256: a6ba764dcb9f2aa1f5e2ea1ff1d20b5578b95adfc702bdb7bf44982cc64934b4
  SHA512: a8a53912c4ed90b0e034219f962a58d74b47203402f242e8c54d7ce46b3296809a5f5cc4f11929a458a556cd6e037f93393b18268b11013aef7e843fed029cf5