Analysis
- max time kernel: 130s
- max time network: 146s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 05:47
Static task: static1
Behavioral task: behavioral1
  Sample: 11aeebae552dfc6c7989ddc773eac887d162050457f99bac6eedf08436c3de70.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 11aeebae552dfc6c7989ddc773eac887d162050457f99bac6eedf08436c3de70.exe
  Resource: win10v2004-en-20220112
General
- Target: 11aeebae552dfc6c7989ddc773eac887d162050457f99bac6eedf08436c3de70.exe
- Size: 216KB
- MD5: 23a561d8e5d90eb1da6a532c6cf0a641
- SHA1: d8db4cc832c5078f1954bb72ed2506b67fc82c26
- SHA256: 11aeebae552dfc6c7989ddc773eac887d162050457f99bac6eedf08436c3de70
- SHA512: d2866e3c20ea962e9af37e26cab49cda89b8f38bebf1528c759a27c44ce7d79da8fd501d26475e4ef034894fe7d4ec6aa94c4ccf4e731fe6d095fd4ab535ee04
Malware Config
Signatures
- Sakula Payload (4 IoCs)
  Processes:
    resource | yara_rule
    \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
    behavioral1/memory/624-59-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
    behavioral1/memory/1768-60-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
- Executes dropped EXE (1 IoCs)
  Processes:
    pid | process
    1768 | MediaCenter.exe
- Deletes itself (1 IoCs)
  Processes:
    pid | process
    1088 | cmd.exe
- Loads dropped DLL (1 IoCs)
  Processes:
    pid | process
    624 | 11aeebae552dfc6c7989ddc773eac887d162050457f99bac6eedf08436c3de70.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
    description | ioc | process
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 11aeebae552dfc6c7989ddc773eac887d162050457f99bac6eedf08436c3de70.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
    description | pid | process
    Token: SeIncBasePriorityPrivilege | 624 | 11aeebae552dfc6c7989ddc773eac887d162050457f99bac6eedf08436c3de70.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
    description | pid | process | target process
    PID 624 wrote to memory of 1768 | 624 | 11aeebae552dfc6c7989ddc773eac887d162050457f99bac6eedf08436c3de70.exe | MediaCenter.exe
    PID 624 wrote to memory of 1768 | 624 | 11aeebae552dfc6c7989ddc773eac887d162050457f99bac6eedf08436c3de70.exe | MediaCenter.exe
    PID 624 wrote to memory of 1768 | 624 | 11aeebae552dfc6c7989ddc773eac887d162050457f99bac6eedf08436c3de70.exe | MediaCenter.exe
    PID 624 wrote to memory of 1768 | 624 | 11aeebae552dfc6c7989ddc773eac887d162050457f99bac6eedf08436c3de70.exe | MediaCenter.exe
    PID 624 wrote to memory of 1088 | 624 | 11aeebae552dfc6c7989ddc773eac887d162050457f99bac6eedf08436c3de70.exe | cmd.exe
    PID 624 wrote to memory of 1088 | 624 | 11aeebae552dfc6c7989ddc773eac887d162050457f99bac6eedf08436c3de70.exe | cmd.exe
    PID 624 wrote to memory of 1088 | 624 | 11aeebae552dfc6c7989ddc773eac887d162050457f99bac6eedf08436c3de70.exe | cmd.exe
    PID 624 wrote to memory of 1088 | 624 | 11aeebae552dfc6c7989ddc773eac887d162050457f99bac6eedf08436c3de70.exe | cmd.exe
    PID 1088 wrote to memory of 2020 | 1088 | cmd.exe | PING.EXE
    PID 1088 wrote to memory of 2020 | 1088 | cmd.exe | PING.EXE
    PID 1088 wrote to memory of 2020 | 1088 | cmd.exe | PING.EXE
    PID 1088 wrote to memory of 2020 | 1088 | cmd.exe | PING.EXE
Processes
[1] C:\Users\Admin\AppData\Local\Temp\11aeebae552dfc6c7989ddc773eac887d162050457f99bac6eedf08436c3de70.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\11aeebae552dfc6c7989ddc773eac887d162050457f99bac6eedf08436c3de70.exe"
    Signatures:
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 624
    [2] C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
        Signatures:
        - Executes dropped EXE
        PID: 1768
    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\11aeebae552dfc6c7989ddc773eac887d162050457f99bac6eedf08436c3de70.exe"
        Signatures:
        - Deletes itself
        - Suspicious use of WriteProcessMemory
        PID: 1088
        [3] C:\Windows\SysWOW64\PING.EXE
            Command line: ping 127.0.0.1
            Signatures:
            - Runs ping.exe
            PID: 2020
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 1608278731b797f44189ffdeade2fa71
  SHA1: 12d12613133be6f04b0b43a276722c159ee0d8dc
  SHA256: 31d087015d945b651d0cf491b23907d807f0db49ba4c3a1142eeafb0238e419a
  SHA512: caaf5dbe0aac76b27fdfcac7d3f764eb99c1f762277f6b58d15f03ee35b4d300721f5611b89c8b4429e695cf75d3b112a69bbdf4fc9d54e6187eacaf9310edf0