Analysis

max time kernel: 121s
max time network: 143s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 05:37
Static task: static1

Behavioral task: behavioral1
Sample: 1230f2b6ed5501b992cb3bf6e1b35a6ddac1bcd393e5cc8e8e53d29c07cb59f9.exe
Resource: win7-en-20211208

Behavioral task: behavioral2
Sample: 1230f2b6ed5501b992cb3bf6e1b35a6ddac1bcd393e5cc8e8e53d29c07cb59f9.exe
Resource: win10v2004-en-20220112
General

Target: 1230f2b6ed5501b992cb3bf6e1b35a6ddac1bcd393e5cc8e8e53d29c07cb59f9.exe
Size: 101KB
MD5: 8bcb4a4f62e89f8d5ecce505d38af12d
SHA1: cf293e63617ca82e2eb1c841f753d72af59cddef
SHA256: 1230f2b6ed5501b992cb3bf6e1b35a6ddac1bcd393e5cc8e8e53d29c07cb59f9
SHA512: b9349b94b9272b56c91e846ae06d8a7c90cd9efd3eb66e63f4eda275afac9286ee166dbe7d7a92ed79268c6fd2c597b6125a5bccc0dcdb92f9ea7d65429216b2
Malware Config
Signatures
-
Sakula Payload (3 IoCs)
Processes (resource / yara_rule):
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe / family_sakula
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe / family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe / family_sakula
-
Executes dropped EXE (1 IoC)
Processes (pid / process):
320 / MediaCenter.exe
-
Deletes itself (1 IoC)
Processes (pid / process):
1552 / cmd.exe
-
Loads dropped DLL (2 IoCs)
Processes (pid / process):
812 / 1230f2b6ed5501b992cb3bf6e1b35a6ddac1bcd393e5cc8e8e53d29c07cb59f9.exe
812 / 1230f2b6ed5501b992cb3bf6e1b35a6ddac1bcd393e5cc8e8e53d29c07cb59f9.exe
-
Adds Run key to start application (2 TTPs, 1 IoC)
Processes (description / ioc / process):
Set value (str) / \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" / 1230f2b6ed5501b992cb3bf6e1b35a6ddac1bcd393e5cc8e8e53d29c07cb59f9.exe
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe (1 TTP, 1 IoC)
-
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes (description / pid / process):
Token: SeIncBasePriorityPrivilege / 812 / 1230f2b6ed5501b992cb3bf6e1b35a6ddac1bcd393e5cc8e8e53d29c07cb59f9.exe
-
Suspicious use of WriteProcessMemory (12 IoCs)
Processes (description / pid / process / target process):
PID 812 wrote to memory of 320 / 812 / 1230f2b6ed5501b992cb3bf6e1b35a6ddac1bcd393e5cc8e8e53d29c07cb59f9.exe / MediaCenter.exe
PID 812 wrote to memory of 320 / 812 / 1230f2b6ed5501b992cb3bf6e1b35a6ddac1bcd393e5cc8e8e53d29c07cb59f9.exe / MediaCenter.exe
PID 812 wrote to memory of 320 / 812 / 1230f2b6ed5501b992cb3bf6e1b35a6ddac1bcd393e5cc8e8e53d29c07cb59f9.exe / MediaCenter.exe
PID 812 wrote to memory of 320 / 812 / 1230f2b6ed5501b992cb3bf6e1b35a6ddac1bcd393e5cc8e8e53d29c07cb59f9.exe / MediaCenter.exe
PID 812 wrote to memory of 1552 / 812 / 1230f2b6ed5501b992cb3bf6e1b35a6ddac1bcd393e5cc8e8e53d29c07cb59f9.exe / cmd.exe
PID 812 wrote to memory of 1552 / 812 / 1230f2b6ed5501b992cb3bf6e1b35a6ddac1bcd393e5cc8e8e53d29c07cb59f9.exe / cmd.exe
PID 812 wrote to memory of 1552 / 812 / 1230f2b6ed5501b992cb3bf6e1b35a6ddac1bcd393e5cc8e8e53d29c07cb59f9.exe / cmd.exe
PID 812 wrote to memory of 1552 / 812 / 1230f2b6ed5501b992cb3bf6e1b35a6ddac1bcd393e5cc8e8e53d29c07cb59f9.exe / cmd.exe
PID 1552 wrote to memory of 1192 / 1552 / cmd.exe / PING.EXE
PID 1552 wrote to memory of 1192 / 1552 / cmd.exe / PING.EXE
PID 1552 wrote to memory of 1192 / 1552 / cmd.exe / PING.EXE
PID 1552 wrote to memory of 1192 / 1552 / cmd.exe / PING.EXE
Processes (tree; indentation shows parent/child depth)

C:\Users\Admin\AppData\Local\Temp\1230f2b6ed5501b992cb3bf6e1b35a6ddac1bcd393e5cc8e8e53d29c07cb59f9.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1230f2b6ed5501b992cb3bf6e1b35a6ddac1bcd393e5cc8e8e53d29c07cb59f9.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 812

    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE
      PID: 320

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\1230f2b6ed5501b992cb3bf6e1b35a6ddac1bcd393e5cc8e8e53d29c07cb59f9.exe"
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      PID: 1552

        C:\Windows\SysWOW64\PING.EXE
          Command line: ping 127.0.0.1
          - Runs ping.exe
          PID: 1192
Network
MITRE ATT&CK Enterprise v6
Downloads (3 entries, all with identical hashes)

MD5: 40e9d93ca77fa4ffff15156511f411c5
SHA1: 4d32900c45482c61639b935a8fb197b979507e44
SHA256: 1a7905fd7cf2b273d6c7fbde10af19098eb43958ca57ad9623ddc396303e3a65
SHA512: 020e1a90f8461a620bceebc868eb126fed2c8b77d08a7539395bfcca33d9e51c309efde5e80aea177c578ba3a0bf83f2fbda67d514faec163fae62af3eeb0f83