Analysis
-
max time kernel
148s -
max time network
161s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
12-02-2022 05:38
Static task
static1
Behavioral task
behavioral1
Sample
122e4c6cf6fccd34bf90d11f2bdded33370b2ab9df1034f88fafd29f8b956f5f.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
122e4c6cf6fccd34bf90d11f2bdded33370b2ab9df1034f88fafd29f8b956f5f.exe
Resource
win10v2004-en-20220113
General
-
Target
122e4c6cf6fccd34bf90d11f2bdded33370b2ab9df1034f88fafd29f8b956f5f.exe
-
Size
92KB
-
MD5
3185b19ff1e5e4a55fb1254fd9eaaf19
-
SHA1
7e254965b052837c0271cc157cb81c860b4ef73e
-
SHA256
122e4c6cf6fccd34bf90d11f2bdded33370b2ab9df1034f88fafd29f8b956f5f
-
SHA512
3d819906739a4dcc131460651d6def3cca7a3b1725d882659680bb936a8d95a470ac9a8074a3aa3084ef57726741378c992788dc133cd8c3cfe6b43da6ef5e2e
Malware Config
Signatures
-
Sakula Payload 2 IoCs
Processes:
resource yara_rule \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula -
Executes dropped EXE 1 IoCs
Processes:
MediaCenter.exepid process 1148 MediaCenter.exe -
Deletes itself 1 IoCs
Processes:
cmd.exepid process 1160 cmd.exe -
Loads dropped DLL 1 IoCs
Processes:
122e4c6cf6fccd34bf90d11f2bdded33370b2ab9df1034f88fafd29f8b956f5f.exepid process 1660 122e4c6cf6fccd34bf90d11f2bdded33370b2ab9df1034f88fafd29f8b956f5f.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
122e4c6cf6fccd34bf90d11f2bdded33370b2ab9df1034f88fafd29f8b956f5f.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" 122e4c6cf6fccd34bf90d11f2bdded33370b2ab9df1034f88fafd29f8b956f5f.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
122e4c6cf6fccd34bf90d11f2bdded33370b2ab9df1034f88fafd29f8b956f5f.exedescription pid process Token: SeIncBasePriorityPrivilege 1660 122e4c6cf6fccd34bf90d11f2bdded33370b2ab9df1034f88fafd29f8b956f5f.exe -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
122e4c6cf6fccd34bf90d11f2bdded33370b2ab9df1034f88fafd29f8b956f5f.execmd.exedescription pid process target process PID 1660 wrote to memory of 1148 1660 122e4c6cf6fccd34bf90d11f2bdded33370b2ab9df1034f88fafd29f8b956f5f.exe MediaCenter.exe PID 1660 wrote to memory of 1148 1660 122e4c6cf6fccd34bf90d11f2bdded33370b2ab9df1034f88fafd29f8b956f5f.exe MediaCenter.exe PID 1660 wrote to memory of 1148 1660 122e4c6cf6fccd34bf90d11f2bdded33370b2ab9df1034f88fafd29f8b956f5f.exe MediaCenter.exe PID 1660 wrote to memory of 1148 1660 122e4c6cf6fccd34bf90d11f2bdded33370b2ab9df1034f88fafd29f8b956f5f.exe MediaCenter.exe PID 1660 wrote to memory of 1160 1660 122e4c6cf6fccd34bf90d11f2bdded33370b2ab9df1034f88fafd29f8b956f5f.exe cmd.exe PID 1660 wrote to memory of 1160 1660 122e4c6cf6fccd34bf90d11f2bdded33370b2ab9df1034f88fafd29f8b956f5f.exe cmd.exe PID 1660 wrote to memory of 1160 1660 122e4c6cf6fccd34bf90d11f2bdded33370b2ab9df1034f88fafd29f8b956f5f.exe cmd.exe PID 1660 wrote to memory of 1160 1660 122e4c6cf6fccd34bf90d11f2bdded33370b2ab9df1034f88fafd29f8b956f5f.exe cmd.exe PID 1160 wrote to memory of 1516 1160 cmd.exe PING.EXE PID 1160 wrote to memory of 1516 1160 cmd.exe PING.EXE PID 1160 wrote to memory of 1516 1160 cmd.exe PING.EXE PID 1160 wrote to memory of 1516 1160 cmd.exe PING.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\122e4c6cf6fccd34bf90d11f2bdded33370b2ab9df1034f88fafd29f8b956f5f.exe"C:\Users\Admin\AppData\Local\Temp\122e4c6cf6fccd34bf90d11f2bdded33370b2ab9df1034f88fafd29f8b956f5f.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1660 -
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeC:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe2⤵
- Executes dropped EXE
PID:1148 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\122e4c6cf6fccd34bf90d11f2bdded33370b2ab9df1034f88fafd29f8b956f5f.exe"2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1160 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.13⤵
- Runs ping.exe
PID:1516
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
6a524d71d1ac65cb9f9abe3fa1c04a9c
SHA1f7c6b0660188121af7fdef7bfdb84a762ed7529d
SHA25608209a1b4c9f1b318706c191bd244e0d6cbabdeb16e0d9b653e7a8a52a6ceb7e
SHA512d8b7f6ba5d26192aa4436aba43d4814ae216fc4923c373fc8015b485c958569348a56dac84226007467052883119517967e83f36a85de773e0b81113b8d6460c
-
MD5
6a524d71d1ac65cb9f9abe3fa1c04a9c
SHA1f7c6b0660188121af7fdef7bfdb84a762ed7529d
SHA25608209a1b4c9f1b318706c191bd244e0d6cbabdeb16e0d9b653e7a8a52a6ceb7e
SHA512d8b7f6ba5d26192aa4436aba43d4814ae216fc4923c373fc8015b485c958569348a56dac84226007467052883119517967e83f36a85de773e0b81113b8d6460c