Analysis
- max time kernel: 130s
- max time network: 158s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 05:36
Static task: static1
Behavioral task: behavioral1
- Sample: 123ac4791240d699e71ae3e7ddd2c62bb5d074a8e743a09cf3794f9db85da6e8.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 123ac4791240d699e71ae3e7ddd2c62bb5d074a8e743a09cf3794f9db85da6e8.exe
- Resource: win10v2004-en-20220113
General
- Target: 123ac4791240d699e71ae3e7ddd2c62bb5d074a8e743a09cf3794f9db85da6e8.exe
- Size: 99KB
- MD5: 20659c50c15dba08175904b5aa6b8d04
- SHA1: 15454620e4607f6d57c99a0023cb90b3c49aebba
- SHA256: 123ac4791240d699e71ae3e7ddd2c62bb5d074a8e743a09cf3794f9db85da6e8
- SHA512: e70fb803d8fce08dd6c70a96197f4b4e019e4c24355602366c99f9fdb50984e860c17700a265d9691e63d1e0496346bb8bcba51f558247dce8093888c60e6e9a
Malware Config
Signatures
- Sakula Payload (3 IoCs)
  Processes (resource | yara_rule):
  - \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  - \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- Executes dropped EXE (1 IoC)
  Processes (pid | process):
  - 1612 | MediaCenter.exe
- Deletes itself (1 IoC)
  Processes (pid | process):
  - 1656 | cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid | process):
  - 880 | 123ac4791240d699e71ae3e7ddd2c62bb5d074a8e743a09cf3794f9db85da6e8.exe
  - 880 | 123ac4791240d699e71ae3e7ddd2c62bb5d074a8e743a09cf3794f9db85da6e8.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description | ioc | process):
  - Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 123ac4791240d699e71ae3e7ddd2c62bb5d074a8e743a09cf3794f9db85da6e8.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description | pid | process):
  - Token: SeIncBasePriorityPrivilege | 880 | 123ac4791240d699e71ae3e7ddd2c62bb5d074a8e743a09cf3794f9db85da6e8.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description | pid | process | target process):
  - PID 880 wrote to memory of 1612 | 880 | 123ac4791240d699e71ae3e7ddd2c62bb5d074a8e743a09cf3794f9db85da6e8.exe | MediaCenter.exe
  - PID 880 wrote to memory of 1612 | 880 | 123ac4791240d699e71ae3e7ddd2c62bb5d074a8e743a09cf3794f9db85da6e8.exe | MediaCenter.exe
  - PID 880 wrote to memory of 1612 | 880 | 123ac4791240d699e71ae3e7ddd2c62bb5d074a8e743a09cf3794f9db85da6e8.exe | MediaCenter.exe
  - PID 880 wrote to memory of 1612 | 880 | 123ac4791240d699e71ae3e7ddd2c62bb5d074a8e743a09cf3794f9db85da6e8.exe | MediaCenter.exe
  - PID 880 wrote to memory of 1656 | 880 | 123ac4791240d699e71ae3e7ddd2c62bb5d074a8e743a09cf3794f9db85da6e8.exe | cmd.exe
  - PID 880 wrote to memory of 1656 | 880 | 123ac4791240d699e71ae3e7ddd2c62bb5d074a8e743a09cf3794f9db85da6e8.exe | cmd.exe
  - PID 880 wrote to memory of 1656 | 880 | 123ac4791240d699e71ae3e7ddd2c62bb5d074a8e743a09cf3794f9db85da6e8.exe | cmd.exe
  - PID 880 wrote to memory of 1656 | 880 | 123ac4791240d699e71ae3e7ddd2c62bb5d074a8e743a09cf3794f9db85da6e8.exe | cmd.exe
  - PID 1656 wrote to memory of 1056 | 1656 | cmd.exe | PING.EXE
  - PID 1656 wrote to memory of 1056 | 1656 | cmd.exe | PING.EXE
  - PID 1656 wrote to memory of 1056 | 1656 | cmd.exe | PING.EXE
  - PID 1656 wrote to memory of 1056 | 1656 | cmd.exe | PING.EXE
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\123ac4791240d699e71ae3e7ddd2c62bb5d074a8e743a09cf3794f9db85da6e8.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\123ac4791240d699e71ae3e7ddd2c62bb5d074a8e743a09cf3794f9db85da6e8.exe"
  PID: 880
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 1612
    - Executes dropped EXE
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\123ac4791240d699e71ae3e7ddd2c62bb5d074a8e743a09cf3794f9db85da6e8.exe"
    PID: 1656
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 1056
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 8445dd523756b657214f9dcccafdd0e6
  SHA1: 0e515905c3f44c7a7a2bf6f67a397ab336f44428
  SHA256: 7aa90ff75598d2f4b253c6aa501be242501270a0b6329a73f23166791a113e64
  SHA512: 8cf9da2ef79fa6bd9907474fcb083ed08f11efa7aa62e617d971f985886b7e0da58a1ad64e8c9b69360a99479dab99b51b943e3fb6c850123234c0cbc9563e6f