Analysis
- max time kernel: 156s
- max time network: 171s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 05:47
Static task: static1
Behavioral task: behavioral1
  Sample: 11aabd6563e4b5659a014b7eb615862a9ad7637d60d6e45d38447a511b8f1a7c.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 11aabd6563e4b5659a014b7eb615862a9ad7637d60d6e45d38447a511b8f1a7c.exe
  Resource: win10v2004-en-20220112
General
- Target: 11aabd6563e4b5659a014b7eb615862a9ad7637d60d6e45d38447a511b8f1a7c.exe
- Size: 99KB
- MD5: 10b59510839dbfbd39946f1907d338a3
- SHA1: 7d107f82b510abe8a16c8f114766795b97101135
- SHA256: 11aabd6563e4b5659a014b7eb615862a9ad7637d60d6e45d38447a511b8f1a7c
- SHA512: 85db32eb56a417b7f686b895dc83a38d32d364b711dd181624ae16d9f4ebd1bf413f535553e0123dd415f81a33ec1d765f9da146e6fb194a8d9e6e28a9edc983
Malware Config
Signatures
- Sakula Payload (3 IoCs)
  Processes:
    resource                                                              yara_rule
    \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe            family_sakula
    \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe            family_sakula
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe          family_sakula
- Executes dropped EXE (1 IoC)
  Processes:
    pid   process
    976   MediaCenter.exe
- Deletes itself (1 IoC)
  Processes:
    pid   process
    684   cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes:
    pid    process
    1624   11aabd6563e4b5659a014b7eb615862a9ad7637d60d6e45d38447a511b8f1a7c.exe
    1624   11aabd6563e4b5659a014b7eb615862a9ad7637d60d6e45d38447a511b8f1a7c.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    description       ioc                                                                                                                                                        process
    Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"   11aabd6563e4b5659a014b7eb615862a9ad7637d60d6e45d38447a511b8f1a7c.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description                          pid    process
    Token: SeIncBasePriorityPrivilege    1624   11aabd6563e4b5659a014b7eb615862a9ad7637d60d6e45d38447a511b8f1a7c.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
    description                         pid    process                                                                   target process
    PID 1624 wrote to memory of 976     1624   11aabd6563e4b5659a014b7eb615862a9ad7637d60d6e45d38447a511b8f1a7c.exe    MediaCenter.exe
    PID 1624 wrote to memory of 976     1624   11aabd6563e4b5659a014b7eb615862a9ad7637d60d6e45d38447a511b8f1a7c.exe    MediaCenter.exe
    PID 1624 wrote to memory of 976     1624   11aabd6563e4b5659a014b7eb615862a9ad7637d60d6e45d38447a511b8f1a7c.exe    MediaCenter.exe
    PID 1624 wrote to memory of 976     1624   11aabd6563e4b5659a014b7eb615862a9ad7637d60d6e45d38447a511b8f1a7c.exe    MediaCenter.exe
    PID 1624 wrote to memory of 684     1624   11aabd6563e4b5659a014b7eb615862a9ad7637d60d6e45d38447a511b8f1a7c.exe    cmd.exe
    PID 1624 wrote to memory of 684     1624   11aabd6563e4b5659a014b7eb615862a9ad7637d60d6e45d38447a511b8f1a7c.exe    cmd.exe
    PID 1624 wrote to memory of 684     1624   11aabd6563e4b5659a014b7eb615862a9ad7637d60d6e45d38447a511b8f1a7c.exe    cmd.exe
    PID 1624 wrote to memory of 684     1624   11aabd6563e4b5659a014b7eb615862a9ad7637d60d6e45d38447a511b8f1a7c.exe    cmd.exe
    PID 684 wrote to memory of 1108     684    cmd.exe                                                                   PING.EXE
    PID 684 wrote to memory of 1108     684    cmd.exe                                                                   PING.EXE
    PID 684 wrote to memory of 1108     684    cmd.exe                                                                   PING.EXE
    PID 684 wrote to memory of 1108     684    cmd.exe                                                                   PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\11aabd6563e4b5659a014b7eb615862a9ad7637d60d6e45d38447a511b8f1a7c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\11aabd6563e4b5659a014b7eb615862a9ad7637d60d6e45d38447a511b8f1a7c.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1624
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 976
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\11aabd6563e4b5659a014b7eb615862a9ad7637d60d6e45d38447a511b8f1a7c.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 684
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1108
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: db0b08d51581cf9555e70765b0b9d6ae
  SHA1: 0c24a07f153a9931667da0e6309b8af57724d27e
  SHA256: a40fd65c7f7aec5a5f842a9093fedf6823d54962c0484d6af889840f65c782a8
  SHA512: 840ccd6202eafed85ebc6ead58dcb2a08cff48501c54686d394c91a226ff4bedc56893fddaf91167fee552a5bf64ecc193a1318e04728f4d3f2dc3e07c1be37a