Analysis
- max time kernel: 158s
- max time network: 174s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 05:47
Static task: static1
Behavioral task: behavioral1
- Sample: 11ae4eb76a3eba4e08dfc99f6e2b136cbed61425e079236e8f4c0a82c0ee642d.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 11ae4eb76a3eba4e08dfc99f6e2b136cbed61425e079236e8f4c0a82c0ee642d.exe
- Resource: win10v2004-en-20220113
General
- Target: 11ae4eb76a3eba4e08dfc99f6e2b136cbed61425e079236e8f4c0a82c0ee642d.exe
- Size: 80KB
- MD5: 50103ae6c1b1f0e06a40eb4ee3d96526
- SHA1: b1944b695062408e03b661d42f6554606e88daa1
- SHA256: 11ae4eb76a3eba4e08dfc99f6e2b136cbed61425e079236e8f4c0a82c0ee642d
- SHA512: f13ed7562e04f0b3e493f697fa2c39362ba5aacf7c2aaff630e313ac9e42f4caaeaf351a5c418f6607f060f392c07cba48d467a5abd87885051ec78d7fb8735b
Malware Config
Signatures
-
Sakula Payload 3 IoCs
Processes:
resource | yara_rule
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
-
Executes dropped EXE 1 IoCs
Processes:
pid | process
1664 | MediaCenter.exe
-
Deletes itself 1 IoCs
Processes:
pid | process
1212 | cmd.exe
-
Loads dropped DLL 2 IoCs
Processes:
pid | process
1096 | 11ae4eb76a3eba4e08dfc99f6e2b136cbed61425e079236e8f4c0a82c0ee642d.exe
1096 | 11ae4eb76a3eba4e08dfc99f6e2b136cbed61425e079236e8f4c0a82c0ee642d.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 11ae4eb76a3eba4e08dfc99f6e2b136cbed61425e079236e8f4c0a82c0ee642d.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
description | pid | process
Token: SeIncBasePriorityPrivilege | 1096 | 11ae4eb76a3eba4e08dfc99f6e2b136cbed61425e079236e8f4c0a82c0ee642d.exe
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
description | pid | process | target process
PID 1096 wrote to memory of 1664 | 1096 | 11ae4eb76a3eba4e08dfc99f6e2b136cbed61425e079236e8f4c0a82c0ee642d.exe | MediaCenter.exe
PID 1096 wrote to memory of 1664 | 1096 | 11ae4eb76a3eba4e08dfc99f6e2b136cbed61425e079236e8f4c0a82c0ee642d.exe | MediaCenter.exe
PID 1096 wrote to memory of 1664 | 1096 | 11ae4eb76a3eba4e08dfc99f6e2b136cbed61425e079236e8f4c0a82c0ee642d.exe | MediaCenter.exe
PID 1096 wrote to memory of 1664 | 1096 | 11ae4eb76a3eba4e08dfc99f6e2b136cbed61425e079236e8f4c0a82c0ee642d.exe | MediaCenter.exe
PID 1096 wrote to memory of 1212 | 1096 | 11ae4eb76a3eba4e08dfc99f6e2b136cbed61425e079236e8f4c0a82c0ee642d.exe | cmd.exe
PID 1096 wrote to memory of 1212 | 1096 | 11ae4eb76a3eba4e08dfc99f6e2b136cbed61425e079236e8f4c0a82c0ee642d.exe | cmd.exe
PID 1096 wrote to memory of 1212 | 1096 | 11ae4eb76a3eba4e08dfc99f6e2b136cbed61425e079236e8f4c0a82c0ee642d.exe | cmd.exe
PID 1096 wrote to memory of 1212 | 1096 | 11ae4eb76a3eba4e08dfc99f6e2b136cbed61425e079236e8f4c0a82c0ee642d.exe | cmd.exe
PID 1212 wrote to memory of 980 | 1212 | cmd.exe | PING.EXE
PID 1212 wrote to memory of 980 | 1212 | cmd.exe | PING.EXE
PID 1212 wrote to memory of 980 | 1212 | cmd.exe | PING.EXE
PID 1212 wrote to memory of 980 | 1212 | cmd.exe | PING.EXE
Processes
1. C:\Users\Admin\AppData\Local\Temp\11ae4eb76a3eba4e08dfc99f6e2b136cbed61425e079236e8f4c0a82c0ee642d.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\11ae4eb76a3eba4e08dfc99f6e2b136cbed61425e079236e8f4c0a82c0ee642d.exe"
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   PID: 1096
   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE
      PID: 1664
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\11ae4eb76a3eba4e08dfc99f6e2b136cbed61425e079236e8f4c0a82c0ee642d.exe"
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      PID: 1212
      3. C:\Windows\SysWOW64\PING.EXE
         Command line: ping 127.0.0.1
         - Runs ping.exe
         PID: 980
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 2351d831055aca0f344752634e8364e1
- SHA1: 3e74c7cbef8042ae220727510d29b3d335ff3c36
- SHA256: 85e82f6fda6b5d0a0f9366313a3531564f6b39a519994fd9f5c440f6db024124
- SHA512: f4d37894c90536922fa3ce18c2b1e7dde31f49e066481950f2fdcb1581208eca9d05117aa446c034eefddfd28cc1b5507e9c2ddb77c98c24dff42c3eaeb5eece