Analysis
- max time kernel: 118s
- max time network: 134s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 05:41
Static task: static1
Behavioral task: behavioral1
- Sample: 11feef37d7314fa182595b6d815e82a00e168cd4f1cbe5400621c7eedc0a1e99.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 11feef37d7314fa182595b6d815e82a00e168cd4f1cbe5400621c7eedc0a1e99.exe
- Resource: win10v2004-en-20220113
General
- Target: 11feef37d7314fa182595b6d815e82a00e168cd4f1cbe5400621c7eedc0a1e99.exe
- Size: 99KB
- MD5: 19044820870b2d56edf45d0c6787c146
- SHA1: 71eb56012f98e04dff55e259c56656d4c2d90567
- SHA256: 11feef37d7314fa182595b6d815e82a00e168cd4f1cbe5400621c7eedc0a1e99
- SHA512: 66d76af31924632dbb20d8f75c5b849fdef7b2e1f8065df569f73306022f90d6666efbe40104c2dd3a20eb2af90a4999597982fc7eb475d459cf5f3c940af644
Malware Config
Signatures
- Sakula Payload (3 IoCs)
  Processes:
  resource | yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- Executes dropped EXE (1 IoCs)
  Processes:
  pid | process
  1668 | MediaCenter.exe
- Deletes itself (1 IoCs)
  Processes:
  pid | process
  1552 | cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes:
  pid | process
  308 | 11feef37d7314fa182595b6d815e82a00e168cd4f1cbe5400621c7eedc0a1e99.exe
  308 | 11feef37d7314fa182595b6d815e82a00e168cd4f1cbe5400621c7eedc0a1e99.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 11feef37d7314fa182595b6d815e82a00e168cd4f1cbe5400621c7eedc0a1e99.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 308 | 11feef37d7314fa182595b6d815e82a00e168cd4f1cbe5400621c7eedc0a1e99.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
  description | pid | process | target process
  PID 308 wrote to memory of 1668 | 308 | 11feef37d7314fa182595b6d815e82a00e168cd4f1cbe5400621c7eedc0a1e99.exe | MediaCenter.exe
  PID 308 wrote to memory of 1668 | 308 | 11feef37d7314fa182595b6d815e82a00e168cd4f1cbe5400621c7eedc0a1e99.exe | MediaCenter.exe
  PID 308 wrote to memory of 1668 | 308 | 11feef37d7314fa182595b6d815e82a00e168cd4f1cbe5400621c7eedc0a1e99.exe | MediaCenter.exe
  PID 308 wrote to memory of 1668 | 308 | 11feef37d7314fa182595b6d815e82a00e168cd4f1cbe5400621c7eedc0a1e99.exe | MediaCenter.exe
  PID 308 wrote to memory of 1552 | 308 | 11feef37d7314fa182595b6d815e82a00e168cd4f1cbe5400621c7eedc0a1e99.exe | cmd.exe
  PID 308 wrote to memory of 1552 | 308 | 11feef37d7314fa182595b6d815e82a00e168cd4f1cbe5400621c7eedc0a1e99.exe | cmd.exe
  PID 308 wrote to memory of 1552 | 308 | 11feef37d7314fa182595b6d815e82a00e168cd4f1cbe5400621c7eedc0a1e99.exe | cmd.exe
  PID 308 wrote to memory of 1552 | 308 | 11feef37d7314fa182595b6d815e82a00e168cd4f1cbe5400621c7eedc0a1e99.exe | cmd.exe
  PID 1552 wrote to memory of 428 | 1552 | cmd.exe | PING.EXE
  PID 1552 wrote to memory of 428 | 1552 | cmd.exe | PING.EXE
  PID 1552 wrote to memory of 428 | 1552 | cmd.exe | PING.EXE
  PID 1552 wrote to memory of 428 | 1552 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\11feef37d7314fa182595b6d815e82a00e168cd4f1cbe5400621c7eedc0a1e99.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\11feef37d7314fa182595b6d815e82a00e168cd4f1cbe5400621c7eedc0a1e99.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 308
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1668
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\11feef37d7314fa182595b6d815e82a00e168cd4f1cbe5400621c7eedc0a1e99.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1552
    - C:\Windows\SysWOW64\PING.EXE (depth 3)
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 428
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 84301bfc5fb70e53d6d4e9d927beaae2
  SHA1: 07e0595573811c5fe3cf535e83446cd54d26bcdd
  SHA256: b945ea5ed4956b1dd6a62b4bf4fedcd7096ed0de401b2b59f3460572eea68cc7
  SHA512: b403c37534d597fc37525f1fdf41606d249447878160f7530144ab89e3f4c52472909dda4d70bb2f7c34f6b3a3b4d9b0b2c910205fe805e4cfc0f1e48e33144f