Analysis
max time kernel: 143s
max time network: 169s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 05:45

Static task: static1
Behavioral task: behavioral1
  Sample: 11be013a99859014b8499cbbff89fc487b76f4cfeac4320ffa9787a011135563.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 11be013a99859014b8499cbbff89fc487b76f4cfeac4320ffa9787a011135563.exe
  Resource: win10v2004-en-20220113

General
Target: 11be013a99859014b8499cbbff89fc487b76f4cfeac4320ffa9787a011135563.exe
Size: 101KB
MD5: 2b09de2051e2bf90bc53cf6c01e0bc9e
SHA1: 69aa8f2062d8e776dae5086aa82888d021984c9f
SHA256: 11be013a99859014b8499cbbff89fc487b76f4cfeac4320ffa9787a011135563
SHA512: 5cb594ddcd70e2e6f3ab82885a1b470c2037ce302442fef60c6f9664c442fa58b0c52708272f6d6f7548fd6d458e44a05753b17eb6934af6fcfceaa983c79e29
Malware Config
Signatures

Sakula Payload (3 IoCs)
  yara rule family_sakula matched on:
    \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

Executes dropped EXE (1 IoC)
  PID 944  MediaCenter.exe

Deletes itself (1 IoC)
  PID 852  cmd.exe

Loads dropped DLL (2 IoCs)
  PID 1704  11be013a99859014b8499cbbff89fc487b76f4cfeac4320ffa9787a011135563.exe (two load events; the DLL is not named in the report)

Adds Run key to start application (2 TTPs, 1 IoC)
  PID 1704  11be013a99859014b8499cbbff89fc487b76f4cfeac4320ffa9787a011135563.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox attaches a generic "likely ransomware behaviour" note to this signature; nothing else in this run supports that reading (no file encryption, no ransom note, no mass file writes), and Sakula is a remote access trojan, so treat this as plain device enumeration.
Runs ping.exe (1 TTP, 1 IoC)
  PID 620  PING.EXE (see the process tree below)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  PID 1704  11be013a99859014b8499cbbff89fc487b76f4cfeac4320ffa9787a011135563.exe  Token: SeIncBasePriorityPrivilege
Suspicious use of WriteProcessMemory (12 IoCs)
  PID 1704 (11be013a99859014b8499cbbff89fc487b76f4cfeac4320ffa9787a011135563.exe)  wrote to memory of PID 944 (MediaCenter.exe)  x4
  PID 1704 (11be013a99859014b8499cbbff89fc487b76f4cfeac4320ffa9787a011135563.exe)  wrote to memory of PID 852 (cmd.exe)          x4
  PID 852  (cmd.exe)                                                                 wrote to memory of PID 620 (PING.EXE)         x4
  Every target is a child the writer had just spawned (compare the process tree); there is no write into a pre-existing or unrelated process, so this is consistent with ordinary process start-up rather than code injection.
Processes

C:\Users\Admin\AppData\Local\Temp\11be013a99859014b8499cbbff89fc487b76f4cfeac4320ffa9787a011135563.exe  (PID 1704)
  command line: "C:\Users\Admin\AppData\Local\Temp\11be013a99859014b8499cbbff89fc487b76f4cfeac4320ffa9787a011135563.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  |
  +-- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  (PID 944)
  |     command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  |     - Executes dropped EXE
  |
  +-- C:\Windows\SysWOW64\cmd.exe  (PID 852)
        command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\11be013a99859014b8499cbbff89fc487b76f4cfeac4320ffa9787a011135563.exe"
        - Deletes itself
        - Suspicious use of WriteProcessMemory
        |
        +-- C:\Windows\SysWOW64\PING.EXE  (PID 620)
              command line: ping 127.0.0.1
              - Runs ping.exe

Note on the paths: the command lines name System32 while the recorded images live in SysWOW64. That is WOW64 file-system redirection on the x64 guest, i.e. the sample is a 32-bit executable. The ping to 127.0.0.1 is a sleep, giving the dropper time to exit before del removes its file.
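The behaviour chain above (Run key pointing into %TEMP%, a dropped EXE executed from %TEMP%, and self-deletion through cmd /c ping 127.0.0.1 & del) as detection logic, an added example that is not part of the sandbox report: it runs three checks over a constructed list of process-creation and registry-set events modelled on the tree and Run key above. PIDs, image paths and command lines copy the report; the sample's parent PID 600 and the two benign control events at the end are invented for the example.

```python
"""Detection checks for the Sakula dropper behaviour chain in this report.

Added example, not part of the sandbox report. The events below are
constructed: PIDs, paths and command lines copy the report, the parent
PID 600 and the two benign control events are invented.
"""
import re
from typing import Dict, List, Optional, Tuple

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\11be013a99859014b8499cbbff89fc487b76f4cfeac4320ffa9787a011135563.exe")
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

# Constructed events (see module docstring).
EVENTS: List[Dict] = [
    {"kind": "process", "pid": 1704, "ppid": 600, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"kind": "registry", "pid": 1704,
     "key": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "data": DROPPED},
    {"kind": "process", "pid": 944, "ppid": 1704, "image": DROPPED, "cmdline": DROPPED},
    {"kind": "process", "pid": 852, "ppid": 1704, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"'},
    {"kind": "process", "pid": 620, "ppid": 852, "image": r"C:\Windows\SysWOW64\PING.EXE",
     "cmdline": "ping 127.0.0.1"},
    # Benign controls (constructed): a Run key into Program Files and a real ping.
    {"kind": "registry", "pid": 3000,
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "data": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background"},
    {"kind": "process", "pid": 3100, "ppid": 3000, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c ping 10.0.0.5 -n 4"},
]

# Directories an unprivileged user can write to; a Run value pointing here is
# the persistence pattern in this report (Temp\MicroMedia\MediaCenter.exe).
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public)\\", re.IGNORECASE)
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
# "ping <loopback> ... & del <path>": the ping is a sleep so the dropper can exit
# before del runs. We capture the deleted path to compare with the parent image.
SELF_DELETE = re.compile(
    r'ping\s+(127\.0\.0\.1|localhost|::1)\b.*&\s*del\b.*?"?(?P<target>[A-Za-z]:\\[^"]+\.exe)',
    re.IGNORECASE)


def persistence_in_user_writable(ev: Dict) -> bool:
    """Run/RunOnce value whose data points into a user-writable directory."""
    return (ev["kind"] == "registry"
            and RUN_KEY.search(ev["key"]) is not None
            and USER_WRITABLE.search(ev["data"]) is not None)


def dropped_exe_executed(ev: Dict, by_pid: Dict[int, Dict]) -> bool:
    """Process running from a user-writable directory, started by a parent that also does."""
    parent = by_pid.get(ev.get("ppid"))
    return (ev["kind"] == "process" and parent is not None
            and USER_WRITABLE.search(ev["image"]) is not None
            and USER_WRITABLE.search(parent["image"]) is not None)


def self_deletion(ev: Dict, by_pid: Dict[int, Dict]) -> Optional[str]:
    """cmd.exe 'ping loopback & del' whose del target is the parent's own image.
    Returns the deleted image path, or None when the pattern does not apply."""
    if ev["kind"] != "process" or not ev["image"].lower().endswith("\\cmd.exe"):
        return None
    m = SELF_DELETE.search(ev["cmdline"])
    parent = by_pid.get(ev["ppid"])
    if m is None or parent is None:
        return None
    target = m.group("target")
    return target if target.lower() == parent["image"].lower() else None


Finding = Tuple[str, int, str]


def scan(events: List[Dict]) -> List[Finding]:
    """Run all three checks; each finding is (rule, pid, detail)."""
    by_pid = {e["pid"]: e for e in events if e["kind"] == "process"}
    findings: List[Finding] = []
    for e in events:
        if persistence_in_user_writable(e):
            findings.append(("run_key_user_writable", e["pid"], e["data"]))
        if dropped_exe_executed(e, by_pid):
            findings.append(("dropped_exe_executed", e["pid"], e["image"]))
        deleted = self_deletion(e, by_pid)
        if deleted:
            findings.append(("self_delete_via_ping", e["pid"], deleted))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in scan(EVENTS):
        print(f"{rule:24} pid={pid} {detail}")
```

The self-deletion check compares the del target with the parent's image path instead of alerting on every "ping & del", so a maintenance script that pings a host and then removes a log file does not fire. Because the parent has usually exited by the time del runs, the finding carries the parent's image path, which is the artifact an analyst needs to recover from the sandbox or from a file-creation event, since it is gone from disk.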
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: dd7f0972260eec19fb287425a88b1c40
SHA1: 7c79b813a1edc1d045a7d1e406b476f9b46f87c4
SHA256: 34e5a087e2cebe32cf403bf4cf43ae68b41ad85f675d78d4307de11dce8c55f2
SHA512: 2cea2a3ef121bd9c4d2a2659cefaa6a1aea9a4caa5e1ffe0862d56c8903bf711e4a228b939422db0dc0a3b4dd190f1d5ac4331bcaf4a25550aa0962d6c8b57bd
(The report lists this entry three times with identical hashes; it is shown once here. The hashes differ from the submitted sample, so this is a second file from the run; the report does not name it in this section.)