Analysis
- max time kernel: 140s
- max time network: 165s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 05:36
Static task: static1
Behavioral task: behavioral1
  Sample: 123c7c3efb7cc9d09637b354c2d15d33bb80ff7b2e8afcd5e388b6dd1d509dc0.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 123c7c3efb7cc9d09637b354c2d15d33bb80ff7b2e8afcd5e388b6dd1d509dc0.exe
  Resource: win10v2004-en-20220113
General
- Target: 123c7c3efb7cc9d09637b354c2d15d33bb80ff7b2e8afcd5e388b6dd1d509dc0.exe
- Size: 80KB
- MD5: 0811c8f899b710859de5bc0bcf3da43f
- SHA1: 6549f7bb3a2ea25290284a0113d012d01e58356e
- SHA256: 123c7c3efb7cc9d09637b354c2d15d33bb80ff7b2e8afcd5e388b6dd1d509dc0
- SHA512: 1a52ddfa0c8823cbcc0416f3eea52f3f1eba5420c4b980c340fec7e4ba5e544508c5fcda6e3d73f175db311174d5b8ad8aab184cc9123bab0d13dde1af739feb
Malware Config
Signatures
- Sakula Payload 3 IoCs
  Processes (resource | yara_rule):
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- Executes dropped EXE 1 IoCs
  Processes (pid | process):
  832 | MediaCenter.exe
- Deletes itself 1 IoCs
  Processes (pid | process):
  1556 | cmd.exe
- Loads dropped DLL 2 IoCs
  Processes (pid | process):
  1160 | 123c7c3efb7cc9d09637b354c2d15d33bb80ff7b2e8afcd5e388b6dd1d509dc0.exe
  1160 | 123c7c3efb7cc9d09637b354c2d15d33bb80ff7b2e8afcd5e388b6dd1d509dc0.exe
- Adds Run key to start application 2 TTPs 1 IoCs
  Processes (description | ioc | process):
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 123c7c3efb7cc9d09637b354c2d15d33bb80ff7b2e8afcd5e388b6dd1d509dc0.exe
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe 1 TTPs 1 IoCs
- Suspicious use of AdjustPrivilegeToken 1 IoCs
  Processes (description | pid | process):
  Token: SeIncBasePriorityPrivilege | 1160 | 123c7c3efb7cc9d09637b354c2d15d33bb80ff7b2e8afcd5e388b6dd1d509dc0.exe
- Suspicious use of WriteProcessMemory 12 IoCs
  Processes (description | pid | process | target process):
  PID 1160 wrote to memory of 832 | 1160 | 123c7c3efb7cc9d09637b354c2d15d33bb80ff7b2e8afcd5e388b6dd1d509dc0.exe | MediaCenter.exe
  PID 1160 wrote to memory of 832 | 1160 | 123c7c3efb7cc9d09637b354c2d15d33bb80ff7b2e8afcd5e388b6dd1d509dc0.exe | MediaCenter.exe
  PID 1160 wrote to memory of 832 | 1160 | 123c7c3efb7cc9d09637b354c2d15d33bb80ff7b2e8afcd5e388b6dd1d509dc0.exe | MediaCenter.exe
  PID 1160 wrote to memory of 832 | 1160 | 123c7c3efb7cc9d09637b354c2d15d33bb80ff7b2e8afcd5e388b6dd1d509dc0.exe | MediaCenter.exe
  PID 1160 wrote to memory of 1556 | 1160 | 123c7c3efb7cc9d09637b354c2d15d33bb80ff7b2e8afcd5e388b6dd1d509dc0.exe | cmd.exe
  PID 1160 wrote to memory of 1556 | 1160 | 123c7c3efb7cc9d09637b354c2d15d33bb80ff7b2e8afcd5e388b6dd1d509dc0.exe | cmd.exe
  PID 1160 wrote to memory of 1556 | 1160 | 123c7c3efb7cc9d09637b354c2d15d33bb80ff7b2e8afcd5e388b6dd1d509dc0.exe | cmd.exe
  PID 1160 wrote to memory of 1556 | 1160 | 123c7c3efb7cc9d09637b354c2d15d33bb80ff7b2e8afcd5e388b6dd1d509dc0.exe | cmd.exe
  PID 1556 wrote to memory of 816 | 1556 | cmd.exe | PING.EXE
  PID 1556 wrote to memory of 816 | 1556 | cmd.exe | PING.EXE
  PID 1556 wrote to memory of 816 | 1556 | cmd.exe | PING.EXE
  PID 1556 wrote to memory of 816 | 1556 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\123c7c3efb7cc9d09637b354c2d15d33bb80ff7b2e8afcd5e388b6dd1d509dc0.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\123c7c3efb7cc9d09637b354c2d15d33bb80ff7b2e8afcd5e388b6dd1d509dc0.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1160
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 832
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\123c7c3efb7cc9d09637b354c2d15d33bb80ff7b2e8afcd5e388b6dd1d509dc0.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1556
    - C:\Windows\SysWOW64\PING.EXE (depth 3)
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 816
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: cc5d6b7146ee1b72db806258764697e9
  SHA1: 18791ddbd52ac80ead1980113b49a3c6b7ccb3c6
  SHA256: 5cc5cf806bf82ea284a8a1174d01583a68f43707c6c24a94b32feb3717f28401
  SHA512: 6770628b9d42aea5bc809036cf926b366cbe11310074df6ed37aa534f866246d98b7c452ce488b778940b431eb21cc848fe58f83353d4fd1f8fe2a89d9e92e42