Analysis
-
max time kernel
154s -
max time network
171s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
12-02-2022 05:47
Static task
static1
Behavioral task
behavioral1
Sample
11ab26444c74aed3a3e9e1e4c5a106543cb5febf99d104a3eb36239a0446505c.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
11ab26444c74aed3a3e9e1e4c5a106543cb5febf99d104a3eb36239a0446505c.exe
Resource
win10v2004-en-20220113
General
-
Target
11ab26444c74aed3a3e9e1e4c5a106543cb5febf99d104a3eb36239a0446505c.exe
-
Size
101KB
-
MD5
2fcca85025d6cf84b630e932fbb22497
-
SHA1
4c55a600518373adb68de3057b4cc4ddea66136d
-
SHA256
11ab26444c74aed3a3e9e1e4c5a106543cb5febf99d104a3eb36239a0446505c
-
SHA512
42770c230860231887360fd5afa13b886840530ac604f5bb70321e7138f18f5b28577b9ea548266f4c255cb4bdce193f23b2bf6a91ddf8bf2f337964d2143904
Malware Config
Signatures
-
Sakula Payload 3 IoCs
Processes:
resource yara_rule \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula -
Executes dropped EXE 1 IoCs
Processes:
MediaCenter.exepid process 524 MediaCenter.exe -
Deletes itself 1 IoCs
Processes:
cmd.exepid process 776 cmd.exe -
Loads dropped DLL 2 IoCs
Processes:
11ab26444c74aed3a3e9e1e4c5a106543cb5febf99d104a3eb36239a0446505c.exepid process 1680 11ab26444c74aed3a3e9e1e4c5a106543cb5febf99d104a3eb36239a0446505c.exe 1680 11ab26444c74aed3a3e9e1e4c5a106543cb5febf99d104a3eb36239a0446505c.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
11ab26444c74aed3a3e9e1e4c5a106543cb5febf99d104a3eb36239a0446505c.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" 11ab26444c74aed3a3e9e1e4c5a106543cb5febf99d104a3eb36239a0446505c.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
11ab26444c74aed3a3e9e1e4c5a106543cb5febf99d104a3eb36239a0446505c.exedescription pid process Token: SeIncBasePriorityPrivilege 1680 11ab26444c74aed3a3e9e1e4c5a106543cb5febf99d104a3eb36239a0446505c.exe -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
11ab26444c74aed3a3e9e1e4c5a106543cb5febf99d104a3eb36239a0446505c.execmd.exedescription pid process target process PID 1680 wrote to memory of 524 1680 11ab26444c74aed3a3e9e1e4c5a106543cb5febf99d104a3eb36239a0446505c.exe MediaCenter.exe PID 1680 wrote to memory of 524 1680 11ab26444c74aed3a3e9e1e4c5a106543cb5febf99d104a3eb36239a0446505c.exe MediaCenter.exe PID 1680 wrote to memory of 524 1680 11ab26444c74aed3a3e9e1e4c5a106543cb5febf99d104a3eb36239a0446505c.exe MediaCenter.exe PID 1680 wrote to memory of 524 1680 11ab26444c74aed3a3e9e1e4c5a106543cb5febf99d104a3eb36239a0446505c.exe MediaCenter.exe PID 1680 wrote to memory of 776 1680 11ab26444c74aed3a3e9e1e4c5a106543cb5febf99d104a3eb36239a0446505c.exe cmd.exe PID 1680 wrote to memory of 776 1680 11ab26444c74aed3a3e9e1e4c5a106543cb5febf99d104a3eb36239a0446505c.exe cmd.exe PID 1680 wrote to memory of 776 1680 11ab26444c74aed3a3e9e1e4c5a106543cb5febf99d104a3eb36239a0446505c.exe cmd.exe PID 1680 wrote to memory of 776 1680 11ab26444c74aed3a3e9e1e4c5a106543cb5febf99d104a3eb36239a0446505c.exe cmd.exe PID 776 wrote to memory of 1992 776 cmd.exe PING.EXE PID 776 wrote to memory of 1992 776 cmd.exe PING.EXE PID 776 wrote to memory of 1992 776 cmd.exe PING.EXE PID 776 wrote to memory of 1992 776 cmd.exe PING.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\11ab26444c74aed3a3e9e1e4c5a106543cb5febf99d104a3eb36239a0446505c.exe"C:\Users\Admin\AppData\Local\Temp\11ab26444c74aed3a3e9e1e4c5a106543cb5febf99d104a3eb36239a0446505c.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1680 -
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeC:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe2⤵
- Executes dropped EXE
PID:524 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\11ab26444c74aed3a3e9e1e4c5a106543cb5febf99d104a3eb36239a0446505c.exe"2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:776 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.13⤵
- Runs ping.exe
PID:1992
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
295da45ed02796777a7b4f10e353ea54
SHA17a3746289d7d8e9fe6266a9bf7fc093fba3e5986
SHA256aa786b350127bb464ea80a5817ded5983c0f71f14688a1c526bd531352ff774e
SHA5126b48bcae334d4e50ff1d49f637b93904483ed200a35cf756b22037b153389e006100ae1a7443ae8b8e24c2a88d755d02a40c2662cf69b6597b62514cf4a11958
-
MD5
295da45ed02796777a7b4f10e353ea54
SHA17a3746289d7d8e9fe6266a9bf7fc093fba3e5986
SHA256aa786b350127bb464ea80a5817ded5983c0f71f14688a1c526bd531352ff774e
SHA5126b48bcae334d4e50ff1d49f637b93904483ed200a35cf756b22037b153389e006100ae1a7443ae8b8e24c2a88d755d02a40c2662cf69b6597b62514cf4a11958
-
MD5
295da45ed02796777a7b4f10e353ea54
SHA17a3746289d7d8e9fe6266a9bf7fc093fba3e5986
SHA256aa786b350127bb464ea80a5817ded5983c0f71f14688a1c526bd531352ff774e
SHA5126b48bcae334d4e50ff1d49f637b93904483ed200a35cf756b22037b153389e006100ae1a7443ae8b8e24c2a88d755d02a40c2662cf69b6597b62514cf4a11958