Analysis
- max time kernel: 133s
- max time network: 166s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 05:35
Static task: static1
Behavioral task: behavioral1
- Sample: 123fadfe9af30b2b5d090e611d2b14500b552201d1ca40e3b39a701846bccf6b.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 123fadfe9af30b2b5d090e611d2b14500b552201d1ca40e3b39a701846bccf6b.exe
- Resource: win10v2004-en-20220113
General
- Target: 123fadfe9af30b2b5d090e611d2b14500b552201d1ca40e3b39a701846bccf6b.exe
- Size: 192KB
- MD5: 519f6d91a3307561113afa714a8c0407
- SHA1: f46db8aa6c13e89ee168cbb72564278e8f56e14a
- SHA256: 123fadfe9af30b2b5d090e611d2b14500b552201d1ca40e3b39a701846bccf6b
- SHA512: 8f08d83a2dfc1ea476f4d9ed5a869ff4cc3c943ac4f3f3cdf45f3c65511bee3995dc8934c4da9f08d57333f3d463e973d58dc0dbb8fdb6ce9dca3188fa024e6a
Malware Config
Signatures
- Sakula Payload (3 IoCs)
  Processes (resource | yara_rule):
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- Executes dropped EXE (1 IoC)
  Processes (pid | process):
  1344 | MediaCenter.exe
- Deletes itself (1 IoC)
  Processes (pid | process):
  1212 | cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid | process):
  1632 | 123fadfe9af30b2b5d090e611d2b14500b552201d1ca40e3b39a701846bccf6b.exe
  1632 | 123fadfe9af30b2b5d090e611d2b14500b552201d1ca40e3b39a701846bccf6b.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description | ioc | process):
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 123fadfe9af30b2b5d090e611d2b14500b552201d1ca40e3b39a701846bccf6b.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description | pid | process):
  Token: SeIncBasePriorityPrivilege | 1632 | 123fadfe9af30b2b5d090e611d2b14500b552201d1ca40e3b39a701846bccf6b.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description | pid | process | target process):
  PID 1632 wrote to memory of 1344 | 1632 | 123fadfe9af30b2b5d090e611d2b14500b552201d1ca40e3b39a701846bccf6b.exe | MediaCenter.exe
  PID 1632 wrote to memory of 1344 | 1632 | 123fadfe9af30b2b5d090e611d2b14500b552201d1ca40e3b39a701846bccf6b.exe | MediaCenter.exe
  PID 1632 wrote to memory of 1344 | 1632 | 123fadfe9af30b2b5d090e611d2b14500b552201d1ca40e3b39a701846bccf6b.exe | MediaCenter.exe
  PID 1632 wrote to memory of 1344 | 1632 | 123fadfe9af30b2b5d090e611d2b14500b552201d1ca40e3b39a701846bccf6b.exe | MediaCenter.exe
  PID 1632 wrote to memory of 1212 | 1632 | 123fadfe9af30b2b5d090e611d2b14500b552201d1ca40e3b39a701846bccf6b.exe | cmd.exe
  PID 1632 wrote to memory of 1212 | 1632 | 123fadfe9af30b2b5d090e611d2b14500b552201d1ca40e3b39a701846bccf6b.exe | cmd.exe
  PID 1632 wrote to memory of 1212 | 1632 | 123fadfe9af30b2b5d090e611d2b14500b552201d1ca40e3b39a701846bccf6b.exe | cmd.exe
  PID 1632 wrote to memory of 1212 | 1632 | 123fadfe9af30b2b5d090e611d2b14500b552201d1ca40e3b39a701846bccf6b.exe | cmd.exe
  PID 1212 wrote to memory of 1144 | 1212 | cmd.exe | PING.EXE
  PID 1212 wrote to memory of 1144 | 1212 | cmd.exe | PING.EXE
  PID 1212 wrote to memory of 1144 | 1212 | cmd.exe | PING.EXE
  PID 1212 wrote to memory of 1144 | 1212 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\123fadfe9af30b2b5d090e611d2b14500b552201d1ca40e3b39a701846bccf6b.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\123fadfe9af30b2b5d090e611d2b14500b552201d1ca40e3b39a701846bccf6b.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1632
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1344
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\123fadfe9af30b2b5d090e611d2b14500b552201d1ca40e3b39a701846bccf6b.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1212
    - C:\Windows\SysWOW64\PING.EXE (depth 3)
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1144
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: b5a7b1e95587fa5085d38e00a0eff95a
  SHA1: e6b491b30e65b60b00aaa8607f32e9a3902baa9d
  SHA256: fd7b4ea0061a44370c61f43d858e96f5e9cab8058f6779f6bb902eacb39c90a9
  SHA512: d37518ba8b449a9bafff56036dc9805a023d31b2da5105ff25208f57fec9147693cae8dbc21263f3bd5ca6547d7c9de9137b459bc524bfc7f3214dc4b86e6d1e