Analysis
- max time kernel: 121s
- max time network: 139s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 05:49
Static task: static1
Behavioral task: behavioral1
  Sample: 1198002ef94b3b15f83728036c409e013eeac0127997c841e56d29ec762beabc.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 1198002ef94b3b15f83728036c409e013eeac0127997c841e56d29ec762beabc.exe
  Resource: win10v2004-en-20220113
General
- Target: 1198002ef94b3b15f83728036c409e013eeac0127997c841e56d29ec762beabc.exe
- Size: 104KB
- MD5: 14dd016d8a5d6680c7a5738a94a6dee4
- SHA1: 19ff5fd8286c86f279587d456e296cee337d2e10
- SHA256: 1198002ef94b3b15f83728036c409e013eeac0127997c841e56d29ec762beabc
- SHA512: 8f772b0cae953a0652867f9b32e2efa15f9c513b743d5c17e25fbb42ff5b54e4c559e24ea3db06b796a62f0c0721a1c96d4e09d570520c1441d9f6ef4b77f129
Malware Config
Signatures
- Sakula Payload (3 IoCs)
  Processes (resource | yara_rule):
    \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
    \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- Executes dropped EXE (1 IoC)
  Processes (pid | process):
    1584 | MediaCenter.exe
- Deletes itself (1 IoC)
  Processes (pid | process):
    1084 | cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid | process):
    1604 | 1198002ef94b3b15f83728036c409e013eeac0127997c841e56d29ec762beabc.exe
    1604 | 1198002ef94b3b15f83728036c409e013eeac0127997c841e56d29ec762beabc.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description | ioc | process):
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 1198002ef94b3b15f83728036c409e013eeac0127997c841e56d29ec762beabc.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description | pid | process):
    Token: SeIncBasePriorityPrivilege | 1604 | 1198002ef94b3b15f83728036c409e013eeac0127997c841e56d29ec762beabc.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description | pid | process | target process):
    PID 1604 wrote to memory of 1584 | 1604 | 1198002ef94b3b15f83728036c409e013eeac0127997c841e56d29ec762beabc.exe | MediaCenter.exe
    PID 1604 wrote to memory of 1584 | 1604 | 1198002ef94b3b15f83728036c409e013eeac0127997c841e56d29ec762beabc.exe | MediaCenter.exe
    PID 1604 wrote to memory of 1584 | 1604 | 1198002ef94b3b15f83728036c409e013eeac0127997c841e56d29ec762beabc.exe | MediaCenter.exe
    PID 1604 wrote to memory of 1584 | 1604 | 1198002ef94b3b15f83728036c409e013eeac0127997c841e56d29ec762beabc.exe | MediaCenter.exe
    PID 1604 wrote to memory of 1084 | 1604 | 1198002ef94b3b15f83728036c409e013eeac0127997c841e56d29ec762beabc.exe | cmd.exe
    PID 1604 wrote to memory of 1084 | 1604 | 1198002ef94b3b15f83728036c409e013eeac0127997c841e56d29ec762beabc.exe | cmd.exe
    PID 1604 wrote to memory of 1084 | 1604 | 1198002ef94b3b15f83728036c409e013eeac0127997c841e56d29ec762beabc.exe | cmd.exe
    PID 1604 wrote to memory of 1084 | 1604 | 1198002ef94b3b15f83728036c409e013eeac0127997c841e56d29ec762beabc.exe | cmd.exe
    PID 1084 wrote to memory of 1796 | 1084 | cmd.exe | PING.EXE
    PID 1084 wrote to memory of 1796 | 1084 | cmd.exe | PING.EXE
    PID 1084 wrote to memory of 1796 | 1084 | cmd.exe | PING.EXE
    PID 1084 wrote to memory of 1796 | 1084 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\1198002ef94b3b15f83728036c409e013eeac0127997c841e56d29ec762beabc.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\1198002ef94b3b15f83728036c409e013eeac0127997c841e56d29ec762beabc.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1604
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1584
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\1198002ef94b3b15f83728036c409e013eeac0127997c841e56d29ec762beabc.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1084
    - C:\Windows\SysWOW64\PING.EXE (depth 3)
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1796
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 64c52ddf86270839dc83fa3176d695fa
  SHA1: 8140adbe917d7e530ac66238132496f02ea35817
  SHA256: 0900bcfdc20a5211c27ccb7fc14a2e1b81f88ec11e8e9980f2bb1af5ee3c7b9e
  SHA512: 333ca85804e05f7f8a78df7ce5d6f22621c0ef1006e9f436a8bd572069602a858c0b99850004eeabf3d2463ef474dd6c4f4066cdeb6c5a98649d99b7b40f1e4b