Analysis
  max time kernel: 122s
  max time network: 141s
  platform: windows7_x64
  resource: win7-en-20211208
  submitted: 12-02-2022 06:26
Static task: static1
Behavioral task: behavioral1
  Sample: 10099ef82d2cf92495ab585db094876b82a188eed1225952eed51e34bde356cf.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 10099ef82d2cf92495ab585db094876b82a188eed1225952eed51e34bde356cf.exe
  Resource: win10v2004-en-20220112
General
  Target: 10099ef82d2cf92495ab585db094876b82a188eed1225952eed51e34bde356cf.exe
  Size: 79KB
  MD5: 950ad2942634671b940b5c1f9d6a25e4
  SHA1: d7817d04e0f90b0b6a45004893597d280bbddc3a
  SHA256: 10099ef82d2cf92495ab585db094876b82a188eed1225952eed51e34bde356cf
  SHA512: 164689245d1ed06ce30797f1681047ad555ee2d6d0c17e7b479664a8f6f615ae4d5015c5f2fdabaf74cba9131dd882d7bf077cacac2553e3a7a9a705929800e1
Malware Config
Signatures
- Sakula Payload (3 IoCs)
  Processes:
    resource                                                      yara_rule
    \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe    family_sakula
    \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe    family_sakula
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  family_sakula
- Executes dropped EXE (1 IoC)
  Processes:
    pid   process
    780   MediaCenter.exe
- Deletes itself (1 IoC)
  Processes:
    pid    process
    1836   cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes:
    pid    process
    1636   10099ef82d2cf92495ab585db094876b82a188eed1225952eed51e34bde356cf.exe
    1636   10099ef82d2cf92495ab585db094876b82a188eed1225952eed51e34bde356cf.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    description: Set value (str)
    ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
    process: 10099ef82d2cf92495ab585db094876b82a188eed1225952eed51e34bde356cf.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description: Token: SeIncBasePriorityPrivilege
    pid: 1636
    process: 10099ef82d2cf92495ab585db094876b82a188eed1225952eed51e34bde356cf.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
    description                        pid    process                                                                 target process
    PID 1636 wrote to memory of 780    1636   10099ef82d2cf92495ab585db094876b82a188eed1225952eed51e34bde356cf.exe   MediaCenter.exe
    PID 1636 wrote to memory of 780    1636   10099ef82d2cf92495ab585db094876b82a188eed1225952eed51e34bde356cf.exe   MediaCenter.exe
    PID 1636 wrote to memory of 780    1636   10099ef82d2cf92495ab585db094876b82a188eed1225952eed51e34bde356cf.exe   MediaCenter.exe
    PID 1636 wrote to memory of 780    1636   10099ef82d2cf92495ab585db094876b82a188eed1225952eed51e34bde356cf.exe   MediaCenter.exe
    PID 1636 wrote to memory of 1836   1636   10099ef82d2cf92495ab585db094876b82a188eed1225952eed51e34bde356cf.exe   cmd.exe
    PID 1636 wrote to memory of 1836   1636   10099ef82d2cf92495ab585db094876b82a188eed1225952eed51e34bde356cf.exe   cmd.exe
    PID 1636 wrote to memory of 1836   1636   10099ef82d2cf92495ab585db094876b82a188eed1225952eed51e34bde356cf.exe   cmd.exe
    PID 1636 wrote to memory of 1836   1636   10099ef82d2cf92495ab585db094876b82a188eed1225952eed51e34bde356cf.exe   cmd.exe
    PID 1836 wrote to memory of 1820   1836   cmd.exe                                                                 PING.EXE
    PID 1836 wrote to memory of 1820   1836   cmd.exe                                                                 PING.EXE
    PID 1836 wrote to memory of 1820   1836   cmd.exe                                                                 PING.EXE
    PID 1836 wrote to memory of 1820   1836   cmd.exe                                                                 PING.EXE
Processes
1. C:\Users\Admin\AppData\Local\Temp\10099ef82d2cf92495ab585db094876b82a188eed1225952eed51e34bde356cf.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\10099ef82d2cf92495ab585db094876b82a188eed1225952eed51e34bde356cf.exe"
   PID: 1636
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      PID: 780
      - Executes dropped EXE
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\10099ef82d2cf92495ab585db094876b82a188eed1225952eed51e34bde356cf.exe"
      PID: 1836
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\PING.EXE
         Command line: ping 127.0.0.1
         PID: 1820
         - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
  MD5: 9d690cfef14e44ea275812a3fb7360d2
  SHA1: e9f0049071d5a294f82727d4008065d835d1d0b0
  SHA256: 660214efc53a54bfacc9952db330b34c9640d5bd3af0ec721a5f551bcb5e706a
  SHA512: 04e7948d1115f43b53ca45f5f3e6970c9dec4918bdf17527f62df21bf24721fd3a08b08203c325894035a56bde3fcc0a72fb575db8ac8011a14a64794eb75ba2