Analysis
-
max time kernel
150s -
max time network
167s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
12-02-2022 06:25
Static task
static1
Behavioral task
behavioral1
Sample
100a0ecf0a794e803898f890767a28dee5a472fa6ab54d12ef2d1649108ac115.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
100a0ecf0a794e803898f890767a28dee5a472fa6ab54d12ef2d1649108ac115.exe
Resource
win10v2004-en-20220113
General
-
Target
100a0ecf0a794e803898f890767a28dee5a472fa6ab54d12ef2d1649108ac115.exe
-
Size
89KB
-
MD5
d564e67e8cc4bee4200f7aa5c6d244b3
-
SHA1
d07cde44cf51683baa350dd1128d4df609f0e3ec
-
SHA256
100a0ecf0a794e803898f890767a28dee5a472fa6ab54d12ef2d1649108ac115
-
SHA512
c78389cf2c48a531e3e04e5e729495cf6fba1d7a3398eae10c99a33debe6d1a9e0ef37476718052803526f6d2d789076f10f354d7cf05535a7712395c58da0c7
Malware Config
Signatures
-
Sakula Payload 4 IoCs
Processes:
resource yara_rule \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula behavioral1/memory/1704-59-0x0000000000400000-0x000000000041B000-memory.dmp family_sakula behavioral1/memory/944-60-0x0000000000400000-0x000000000041B000-memory.dmp family_sakula -
Executes dropped EXE 1 IoCs
Processes:
MediaCenter.exepid process 944 MediaCenter.exe -
Deletes itself 1 IoCs
Processes:
cmd.exepid process 360 cmd.exe -
Loads dropped DLL 1 IoCs
Processes:
100a0ecf0a794e803898f890767a28dee5a472fa6ab54d12ef2d1649108ac115.exepid process 1704 100a0ecf0a794e803898f890767a28dee5a472fa6ab54d12ef2d1649108ac115.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
100a0ecf0a794e803898f890767a28dee5a472fa6ab54d12ef2d1649108ac115.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" 100a0ecf0a794e803898f890767a28dee5a472fa6ab54d12ef2d1649108ac115.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
100a0ecf0a794e803898f890767a28dee5a472fa6ab54d12ef2d1649108ac115.exedescription pid process Token: SeIncBasePriorityPrivilege 1704 100a0ecf0a794e803898f890767a28dee5a472fa6ab54d12ef2d1649108ac115.exe -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
100a0ecf0a794e803898f890767a28dee5a472fa6ab54d12ef2d1649108ac115.execmd.exedescription pid process target process PID 1704 wrote to memory of 944 1704 100a0ecf0a794e803898f890767a28dee5a472fa6ab54d12ef2d1649108ac115.exe MediaCenter.exe PID 1704 wrote to memory of 944 1704 100a0ecf0a794e803898f890767a28dee5a472fa6ab54d12ef2d1649108ac115.exe MediaCenter.exe PID 1704 wrote to memory of 944 1704 100a0ecf0a794e803898f890767a28dee5a472fa6ab54d12ef2d1649108ac115.exe MediaCenter.exe PID 1704 wrote to memory of 944 1704 100a0ecf0a794e803898f890767a28dee5a472fa6ab54d12ef2d1649108ac115.exe MediaCenter.exe PID 1704 wrote to memory of 360 1704 100a0ecf0a794e803898f890767a28dee5a472fa6ab54d12ef2d1649108ac115.exe cmd.exe PID 1704 wrote to memory of 360 1704 100a0ecf0a794e803898f890767a28dee5a472fa6ab54d12ef2d1649108ac115.exe cmd.exe PID 1704 wrote to memory of 360 1704 100a0ecf0a794e803898f890767a28dee5a472fa6ab54d12ef2d1649108ac115.exe cmd.exe PID 1704 wrote to memory of 360 1704 100a0ecf0a794e803898f890767a28dee5a472fa6ab54d12ef2d1649108ac115.exe cmd.exe PID 360 wrote to memory of 620 360 cmd.exe PING.EXE PID 360 wrote to memory of 620 360 cmd.exe PING.EXE PID 360 wrote to memory of 620 360 cmd.exe PING.EXE PID 360 wrote to memory of 620 360 cmd.exe PING.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\100a0ecf0a794e803898f890767a28dee5a472fa6ab54d12ef2d1649108ac115.exe"C:\Users\Admin\AppData\Local\Temp\100a0ecf0a794e803898f890767a28dee5a472fa6ab54d12ef2d1649108ac115.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1704 -
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeC:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe2⤵
- Executes dropped EXE
PID:944 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\100a0ecf0a794e803898f890767a28dee5a472fa6ab54d12ef2d1649108ac115.exe"2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:360 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.13⤵
- Runs ping.exe
PID:620
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
f2bef54fde8cfe4f11c83f07a40d727d
SHA1c014f48bc0ffe54fb1f5f5916750453c943b012a
SHA256c8ddeacf01dba9b4de31d385d6c2ffab8680d3c6021fa0e22eb23c9ab812cf89
SHA512fb4bdbe0e5034fe27ea7403c0bae6c531fdf8f9146e33b18f1db37c62b94605d64a0f320c825df28e6aaa11c0099f05143eb33d486a00c7db36ee4baab09cb85
-
MD5
f2bef54fde8cfe4f11c83f07a40d727d
SHA1c014f48bc0ffe54fb1f5f5916750453c943b012a
SHA256c8ddeacf01dba9b4de31d385d6c2ffab8680d3c6021fa0e22eb23c9ab812cf89
SHA512fb4bdbe0e5034fe27ea7403c0bae6c531fdf8f9146e33b18f1db37c62b94605d64a0f320c825df28e6aaa11c0099f05143eb33d486a00c7db36ee4baab09cb85