Analysis
- max time kernel: 151s
- max time network: 160s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 05:38
Static task
- static1
Behavioral task
- behavioral1
  Sample: 1227d9e9bd44b5729d146fa61bd30109ff65da4dc8201f32ebc3d33dd4f7f5df.exe
  Resource: win7-en-20211208
Behavioral task
- behavioral2
  Sample: 1227d9e9bd44b5729d146fa61bd30109ff65da4dc8201f32ebc3d33dd4f7f5df.exe
  Resource: win10v2004-en-20220113
General
- Target: 1227d9e9bd44b5729d146fa61bd30109ff65da4dc8201f32ebc3d33dd4f7f5df.exe
- Size: 216KB
- MD5: db386bda4296fbe51a3450466e11452c
- SHA1: 3bd9881529c981d9bb39a2f7f2c3189f13dc452d
- SHA256: 1227d9e9bd44b5729d146fa61bd30109ff65da4dc8201f32ebc3d33dd4f7f5df
- SHA512: b0d1ba679e9e9c1b56de703cf801538025026f99602347d5a2bddb01703eaeb9e4f960e8ff34d6c63405bf20843f94739edfe4a37bb5ffe712975e50f97f312d
Malware Config
Signatures
- Sakula Payload (4 IoCs)
  Processes (resource / yara_rule):
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  family_sakula
  behavioral1/memory/868-58-0x0000000000400000-0x0000000000420000-memory.dmp  family_sakula
  behavioral1/memory/1684-59-0x0000000000400000-0x0000000000420000-memory.dmp  family_sakula
  The family_sakula rule matches the dropped MediaCenter.exe on disk and the same 0x400000-0x420000 image region in both the original process (pid 868) and the dropped process (pid 1684), so the submitted sample and the file it drops carry the same Sakula payload.
- Executes dropped EXE (1 IoC)
  Processes (pid / process):
  1684  MediaCenter.exe
- Deletes itself (1 IoC)
  Processes (pid / process):
  928  cmd.exe
  The deletion is carried out by cmd.exe (pid 928), which the original sample (pid 868) spawns with a ping-then-del command line (see the process tree below); that is why the signature is attributed to cmd.exe rather than to the sample itself.
- Loads dropped DLL (1 IoC)
  Processes (pid / process):
  868  1227d9e9bd44b5729d146fa61bd30109ff65da4dc8201f32ebc3d33dd4f7f5df.exe
  The report does not list the path of the DLL loaded by pid 868.
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description / ioc / process):
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  1227d9e9bd44b5729d146fa61bd30109ff65da4dc8201f32ebc3d33dd4f7f5df.exe (pid 868)
  The persistence is machine-wide (HKLM, not HKCU), which by default needs administrative rights; the sandbox runs the sample as the user Admin. The Wow6432Node path is registry redirection of a 32-bit process writing HKLM\SOFTWARE\...\Run on 64-bit Windows, consistent with the SysWOW64 child processes in the tree. The autostart target sits in a user-writable temp directory rather than a protected program location, a common trait of dropped-payload persistence.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature calls this "likely ransomware behaviour"; for this sample the payload is classified as Sakula (a remote access trojan) by the YARA matches above and the report records no file-encryption activity, so treat the drive enumeration as host reconnaissance rather than as evidence of ransomware.
- Runs ping.exe (1 TTP, 1 IoC)
  No process list is given for this signature; the process tree below shows the instance, PING.EXE (pid 880) started by cmd.exe (pid 928).
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description / pid / process):
  Token: SeIncBasePriorityPrivilege  868  1227d9e9bd44b5729d146fa61bd30109ff65da4dc8201f32ebc3d33dd4f7f5df.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description / pid / process / target process), four identical entries per pair:
  PID 868 wrote to memory of 1684  (1227d9e9bd44b5729d146fa61bd30109ff65da4dc8201f32ebc3d33dd4f7f5df.exe -> MediaCenter.exe)  x4
  PID 868 wrote to memory of 928   (1227d9e9bd44b5729d146fa61bd30109ff65da4dc8201f32ebc3d33dd4f7f5df.exe -> cmd.exe)  x4
  PID 928 wrote to memory of 880   (cmd.exe -> PING.EXE)  x4
  Every target is a child that the writing process itself has just created (868 -> 1684 and 928, 928 -> 880, matching the process tree). Writes to a freshly created child are part of normal process start-up, so these entries are not by themselves evidence of injection into an unrelated process.
Processes
(1) C:\Users\Admin\AppData\Local\Temp\1227d9e9bd44b5729d146fa61bd30109ff65da4dc8201f32ebc3d33dd4f7f5df.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\1227d9e9bd44b5729d146fa61bd30109ff65da4dc8201f32ebc3d33dd4f7f5df.exe"
    PID: 868
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    (2) C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
        PID: 1684
        - Executes dropped EXE
    (2) C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\1227d9e9bd44b5729d146fa61bd30109ff65da4dc8201f32ebc3d33dd4f7f5df.exe"
        PID: 928
        - Deletes itself
        - Suspicious use of WriteProcessMemory
        (3) C:\Windows\SysWOW64\PING.EXE
            Command line: ping 127.0.0.1
            PID: 880
            - Runs ping.exe
The cmd.exe command line is the usual dropper clean-up stub: `ping 127.0.0.1` is used only as a delay (four echo replies, a few seconds) so that the original executable has exited before `del /q` removes it from disk. The command line names C:\Windows\System32\cmd.exe but the process image is C:\Windows\SysWOW64\cmd.exe, which is file-system redirection for a 32-bit parent on 64-bit Windows and agrees with the Wow6432Node Run key above. Taken together the tree shows the sequence: drop MediaCenter.exe, register it under the HKLM Run key, start it, then delete the original sample.
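The drop-persist-delete chain above is a good target for endpoint detection logic. The following is an added example, not part of the sandbox report or of any vendor's product: it runs three rules over constructed Sysmon-style event records (the event shape, with id 1 for process creation and id 13 for a registry value set, is an assumption) whose pids, paths and command lines are taken from the process tree and Run-key signature above, plus one constructed benign Run entry so that the negative case is visible. The rules flag a Run key that points into a user-writable directory, a cmd.exe ping-then-del stub whose target is its own parent's image, and the combination of both on the same parent process.

```python
import re
from typing import Dict, List

# Paths taken from the report's process tree.
DROPPER = (r"C:\Users\Admin\AppData\Local\Temp"
           r"\1227d9e9bd44b5729d146fa61bd30109ff65da4dc8201f32ebc3d33dd4f7f5df.exe")
PAYLOAD = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

# Constructed Sysmon-style records (an assumed event shape, not data exported
# from the sandbox): id 1 = process create, id 13 = registry value set.
# The last record is a constructed benign Run entry so the rule's negative case shows.
SAMPLE_EVENTS: List[Dict] = [
    {"id": 1, "pid": 868, "ppid": 600, "image": DROPPER, "cmdline": f'"{DROPPER}"'},
    {"id": 13, "pid": 868, "image": DROPPER,
     "key": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "details": PAYLOAD},
    {"id": 1, "pid": 1684, "ppid": 868, "image": PAYLOAD, "cmdline": PAYLOAD},
    {"id": 1, "pid": 928, "ppid": 868, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{DROPPER}"'},
    {"id": 1, "pid": 880, "ppid": 928, "image": r"C:\Windows\SysWOW64\PING.EXE",
     "cmdline": "ping 127.0.0.1"},
    {"id": 13, "pid": 4000, "image": r"C:\Program Files\Vendor\setup.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Vendor",
     "details": r"C:\Program Files\Vendor\app.exe"},
]

# Run / RunOnce under either hive, with or without Wow6432Node redirection.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
# Autostart target living under a user's AppData tree (writable without admin).
USER_WRITABLE_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)
# cmd.exe /c ping <host> & del [/q] "<path>.exe": ping is the delay, del the cleanup.
SELF_DELETE_RE = re.compile(
    r'/c\s+ping\b[^&]*&\s*del\b[^"]*"?(?P<target>[^"&]+?\.exe)"?\s*$', re.IGNORECASE)


def find_persistence(events: List[Dict]) -> List[Dict]:
    """Run/RunOnce values whose target sits in a user-writable directory."""
    hits = []
    for e in events:
        if e["id"] == 13 and RUN_KEY_RE.search(e["key"]) \
                and USER_WRITABLE_RE.search(e["details"]):
            hits.append({"rule": "run_key_user_writable", "pid": e["pid"],
                         "key": e["key"], "target": e["details"]})
    return hits


def find_self_delete(events: List[Dict]) -> List[Dict]:
    """cmd.exe ping-then-del stubs; marks those whose target is the parent's own image."""
    by_pid = {e["pid"]: e for e in events if e["id"] == 1}
    hits = []
    for e in events:
        if e["id"] != 1 or not e["image"].lower().endswith("\\cmd.exe"):
            continue
        m = SELF_DELETE_RE.search(e["cmdline"])
        if not m:
            continue
        parent = by_pid.get(e["ppid"])
        target = m.group("target")
        deletes_parent = parent is not None and parent["image"].lower() == target.lower()
        hits.append({"rule": "cmd_ping_del", "pid": e["pid"], "parent_pid": e["ppid"],
                     "target": target, "deletes_parent": deletes_parent})
    return hits


def correlate(events: List[Dict]) -> List[Dict]:
    """Join both rules on the process that both persisted and had itself deleted."""
    persisted = {h["pid"] for h in find_persistence(events)}
    chains = []
    for h in find_self_delete(events):
        if h["deletes_parent"] and h["parent_pid"] in persisted:
            chains.append({"rule": "drop_persist_delete_chain",
                           "dropper_pid": h["parent_pid"], "deleted": h["target"]})
    return chains


if __name__ == "__main__":
    for finding in find_persistence(SAMPLE_EVENTS) + find_self_delete(SAMPLE_EVENTS) \
            + correlate(SAMPLE_EVENTS):
        print(finding)
```

Run stand-alone it prints one persistence hit for pid 868, one cmd_ping_del hit for pid 928 that deletes its parent, and one correlated chain; the constructed Program Files Run entry produces nothing because its target is not user-writable. The parent-image comparison is what separates a self-deleting dropper from a legitimate installer that removes a temporary file: the latter deletes something other than the process that launched cmd.exe.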
Network
MITRE ATT&CK Enterprise v6
Downloads (one file, listed by hash only)
- MD5: ec29972f2be34bc5de125c33175b9817
- SHA1: 0ba782583993f510f2ee706edf06c2db45365c1b
- SHA256: 7d6afc6597b399cae79b063ee32b5653097bb6aa75c4a41b8fa6fe6b9471d7ff
- SHA512: 223ca45b6c19942761edf99bd73b75f89fa46deb0ad9808697c8b297dd21eafe3dfc8feb521f4a7e4e353b00aeb36430fabf8652e40b411cfcb3c3f10eeb653f