Analysis
Max time kernel: 162s
Max time network: 183s
Platform: windows7_x64
Resource: win7-en-20211208
Submitted: 12-02-2022 05:51
Static task: static1
Behavioral task: behavioral1
  Sample: 117da7e5b8cbc2b64d7d2393c2f8e4c35665b46e9e085ddbfc1df7ed6a0493b4.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 117da7e5b8cbc2b64d7d2393c2f8e4c35665b46e9e085ddbfc1df7ed6a0493b4.exe
  Resource: win10v2004-en-20220112
General
Target: 117da7e5b8cbc2b64d7d2393c2f8e4c35665b46e9e085ddbfc1df7ed6a0493b4.exe
Size: 99KB
MD5: 7060a4d5c8593f1f97d80f417b0ef69e
SHA1: dcf9a387c686ef419b6684e273f29165fa433039
SHA256: 117da7e5b8cbc2b64d7d2393c2f8e4c35665b46e9e085ddbfc1df7ed6a0493b4
SHA512: c8abcd59f2d6a92903645b139463648ebd9f0779b4af7b5f2b0d068ba7a5829952e8df821820e15ac2a4d7a9ab8b415876404cf06a35f486dc92670f0e43c80a
Malware Config
Signatures
Sakula Payload (3 IoCs)
  resource | yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula

Executes dropped EXE (1 IoC)
  pid | process
  1652 | MediaCenter.exe

Deletes itself (1 IoC)
  pid | process
  1920 | cmd.exe

Loads dropped DLL (2 IoCs)
  pid | process
  1320 | 117da7e5b8cbc2b64d7d2393c2f8e4c35665b46e9e085ddbfc1df7ed6a0493b4.exe
  1320 | 117da7e5b8cbc2b64d7d2393c2f8e4c35665b46e9e085ddbfc1df7ed6a0493b4.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 117da7e5b8cbc2b64d7d2393c2f8e4c35665b46e9e085ddbfc1df7ed6a0493b4.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTP, 1 IoC)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 1320 | 117da7e5b8cbc2b64d7d2393c2f8e4c35665b46e9e085ddbfc1df7ed6a0493b4.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  description | pid | process | target process
  PID 1320 wrote to memory of 1652 | 1320 | 117da7e5b8cbc2b64d7d2393c2f8e4c35665b46e9e085ddbfc1df7ed6a0493b4.exe | MediaCenter.exe
  PID 1320 wrote to memory of 1652 | 1320 | 117da7e5b8cbc2b64d7d2393c2f8e4c35665b46e9e085ddbfc1df7ed6a0493b4.exe | MediaCenter.exe
  PID 1320 wrote to memory of 1652 | 1320 | 117da7e5b8cbc2b64d7d2393c2f8e4c35665b46e9e085ddbfc1df7ed6a0493b4.exe | MediaCenter.exe
  PID 1320 wrote to memory of 1652 | 1320 | 117da7e5b8cbc2b64d7d2393c2f8e4c35665b46e9e085ddbfc1df7ed6a0493b4.exe | MediaCenter.exe
  PID 1320 wrote to memory of 1920 | 1320 | 117da7e5b8cbc2b64d7d2393c2f8e4c35665b46e9e085ddbfc1df7ed6a0493b4.exe | cmd.exe
  PID 1320 wrote to memory of 1920 | 1320 | 117da7e5b8cbc2b64d7d2393c2f8e4c35665b46e9e085ddbfc1df7ed6a0493b4.exe | cmd.exe
  PID 1320 wrote to memory of 1920 | 1320 | 117da7e5b8cbc2b64d7d2393c2f8e4c35665b46e9e085ddbfc1df7ed6a0493b4.exe | cmd.exe
  PID 1320 wrote to memory of 1920 | 1320 | 117da7e5b8cbc2b64d7d2393c2f8e4c35665b46e9e085ddbfc1df7ed6a0493b4.exe | cmd.exe
  PID 1920 wrote to memory of 1016 | 1920 | cmd.exe | PING.EXE
  PID 1920 wrote to memory of 1016 | 1920 | cmd.exe | PING.EXE
  PID 1920 wrote to memory of 1016 | 1920 | cmd.exe | PING.EXE
  PID 1920 wrote to memory of 1016 | 1920 | cmd.exe | PING.EXE
Processes
C:\Users\Admin\AppData\Local\Temp\117da7e5b8cbc2b64d7d2393c2f8e4c35665b46e9e085ddbfc1df7ed6a0493b4.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\117da7e5b8cbc2b64d7d2393c2f8e4c35665b46e9e085ddbfc1df7ed6a0493b4.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1320
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1652
  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\117da7e5b8cbc2b64d7d2393c2f8e4c35665b46e9e085ddbfc1df7ed6a0493b4.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1920
    C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1016
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: c514a63c38528be0927c52270facd61f
SHA1: 915605d541cd9bc4fd9ef2d60493ccd14d149ffc
SHA256: 9cee1d161b56d97bc6756f05e10f99f78d8b028a06fa9437f0f6a775d4acf7ba
SHA512: 0e68f4575ead25161c99ed0643bb962646cfdf1545db1474753df126508a939cca0fb1a99b8ae1ae4b915a2407fdf84f46796f48fa7dfc3cf73b11cc5eb73a2a