Analysis
- max time kernel: 152s
- max time network: 172s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 05:48
Static task: static1
Behavioral task: behavioral1
- Sample: 11a80186faa7285aa01fc309b09321d7a30944dcbe3e85f5efdd13407d0ebf41.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 11a80186faa7285aa01fc309b09321d7a30944dcbe3e85f5efdd13407d0ebf41.exe
- Resource: win10v2004-en-20220113
General
- Target: 11a80186faa7285aa01fc309b09321d7a30944dcbe3e85f5efdd13407d0ebf41.exe
- Size: 192KB
- MD5: 532f9c81f28a2c75f08e63e4d2b85a4a
- SHA1: 5d4492213c235d91f2ab8faf987092cc1c5f7d23
- SHA256: 11a80186faa7285aa01fc309b09321d7a30944dcbe3e85f5efdd13407d0ebf41
- SHA512: b6e703c4281fc4e0cca869cc036545c872f5e0d63e737670bbd0c8af57d7576c8e4a776b7bb9a8a49ad8fff5830b8ef1feb5626e74d4a2d1d83386ad3d76c81d
Malware Config
Signatures
- Sakula Payload (3 IoCs)
  resource | yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- Executes dropped EXE (1 IoC)
  Processes: MediaCenter.exe
  pid | process
  2032 | MediaCenter.exe
- Deletes itself (1 IoC)
  Processes: cmd.exe
  pid | process
  1792 | cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes: 11a80186faa7285aa01fc309b09321d7a30944dcbe3e85f5efdd13407d0ebf41.exe
  pid | process
  1600 | 11a80186faa7285aa01fc309b09321d7a30944dcbe3e85f5efdd13407d0ebf41.exe
  1600 | 11a80186faa7285aa01fc309b09321d7a30944dcbe3e85f5efdd13407d0ebf41.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: 11a80186faa7285aa01fc309b09321d7a30944dcbe3e85f5efdd13407d0ebf41.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 11a80186faa7285aa01fc309b09321d7a30944dcbe3e85f5efdd13407d0ebf41.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: 11a80186faa7285aa01fc309b09321d7a30944dcbe3e85f5efdd13407d0ebf41.exe
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 1600 | 11a80186faa7285aa01fc309b09321d7a30944dcbe3e85f5efdd13407d0ebf41.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes: 11a80186faa7285aa01fc309b09321d7a30944dcbe3e85f5efdd13407d0ebf41.exe, cmd.exe
  description | pid | process | target process
  PID 1600 wrote to memory of 2032 | 1600 | 11a80186faa7285aa01fc309b09321d7a30944dcbe3e85f5efdd13407d0ebf41.exe | MediaCenter.exe
  PID 1600 wrote to memory of 2032 | 1600 | 11a80186faa7285aa01fc309b09321d7a30944dcbe3e85f5efdd13407d0ebf41.exe | MediaCenter.exe
  PID 1600 wrote to memory of 2032 | 1600 | 11a80186faa7285aa01fc309b09321d7a30944dcbe3e85f5efdd13407d0ebf41.exe | MediaCenter.exe
  PID 1600 wrote to memory of 2032 | 1600 | 11a80186faa7285aa01fc309b09321d7a30944dcbe3e85f5efdd13407d0ebf41.exe | MediaCenter.exe
  PID 1600 wrote to memory of 1792 | 1600 | 11a80186faa7285aa01fc309b09321d7a30944dcbe3e85f5efdd13407d0ebf41.exe | cmd.exe
  PID 1600 wrote to memory of 1792 | 1600 | 11a80186faa7285aa01fc309b09321d7a30944dcbe3e85f5efdd13407d0ebf41.exe | cmd.exe
  PID 1600 wrote to memory of 1792 | 1600 | 11a80186faa7285aa01fc309b09321d7a30944dcbe3e85f5efdd13407d0ebf41.exe | cmd.exe
  PID 1600 wrote to memory of 1792 | 1600 | 11a80186faa7285aa01fc309b09321d7a30944dcbe3e85f5efdd13407d0ebf41.exe | cmd.exe
  PID 1792 wrote to memory of 432 | 1792 | cmd.exe | PING.EXE
  PID 1792 wrote to memory of 432 | 1792 | cmd.exe | PING.EXE
  PID 1792 wrote to memory of 432 | 1792 | cmd.exe | PING.EXE
  PID 1792 wrote to memory of 432 | 1792 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\11a80186faa7285aa01fc309b09321d7a30944dcbe3e85f5efdd13407d0ebf41.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\11a80186faa7285aa01fc309b09321d7a30944dcbe3e85f5efdd13407d0ebf41.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1600
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 2032
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\11a80186faa7285aa01fc309b09321d7a30944dcbe3e85f5efdd13407d0ebf41.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1792
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 432
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 791d7d7eebc25d71079f2ea16ae8eb13
  SHA1: 1b85b1512be9372f36723ca9ca6adde84e6edca8
  SHA256: 598feaf9b774736e274fcaa3d77f9aabffe851cc48c7093c74cdd32be9232915
  SHA512: 38da6bfd8a51edc9382e02488a4b76ab957aa1e5110ec300ffb62f466ba44e78dad07ccb138ed08d1dd2bcdf163730015aaf30fded7f8ea50ac28eb20d7262a5