Analysis
- max time kernel: 148s
- max time network: 158s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 05:52
Static task: static1
Behavioral task: behavioral1
- Sample: 11723c197be14cb35881337c1cb89584f7241dfd876daafa5ed875e7e95b6d86.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 11723c197be14cb35881337c1cb89584f7241dfd876daafa5ed875e7e95b6d86.exe
- Resource: win10v2004-en-20220113
General
- Target: 11723c197be14cb35881337c1cb89584f7241dfd876daafa5ed875e7e95b6d86.exe
- Size: 176KB
- MD5: 98d219ef049a8e1392df2b27a93d0acf
- SHA1: 952650b094e824a0dd13ece97dea33ea09946fc4
- SHA256: 11723c197be14cb35881337c1cb89584f7241dfd876daafa5ed875e7e95b6d86
- SHA512: ef8b5142515f157910d1fbcc2774bdd0c5401b9565d23c936a261c8c76be13bbc0526bd5a12588bad7410f3aaf29ccc55b7050164bd10656ae1bdc58a49cf887
Malware Config
Signatures

Sakula Payload (4 IoCs)
Processes (resource, yara_rule):
- \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe, family_sakula
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe, family_sakula
- behavioral1/memory/1500-58-0x0000000000400000-0x0000000000420000-memory.dmp, family_sakula
- behavioral1/memory/656-59-0x0000000000400000-0x0000000000420000-memory.dmp, family_sakula

Executes dropped EXE (1 IoC)
Processes (pid, process):
- 656, MediaCenter.exe

Deletes itself (1 IoC)
Processes (pid, process):
- 1940, cmd.exe

Loads dropped DLL (1 IoC)
Processes (pid, process):
- 1500, 11723c197be14cb35881337c1cb89584f7241dfd876daafa5ed875e7e95b6d86.exe

Adds Run key to start application (2 TTPs, 1 IoC)
Processes (description, ioc, process):
- Set value (str), \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe", 11723c197be14cb35881337c1cb89584f7241dfd876daafa5ed875e7e95b6d86.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTP, 1 IoC)

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes (description, pid, process):
- Token: SeIncBasePriorityPrivilege, 1500, 11723c197be14cb35881337c1cb89584f7241dfd876daafa5ed875e7e95b6d86.exe

Suspicious use of WriteProcessMemory (12 IoCs)
Processes (description, pid, process, target process):
- PID 1500 wrote to memory of 656, 1500, 11723c197be14cb35881337c1cb89584f7241dfd876daafa5ed875e7e95b6d86.exe, MediaCenter.exe (4 identical entries)
- PID 1500 wrote to memory of 1940, 1500, 11723c197be14cb35881337c1cb89584f7241dfd876daafa5ed875e7e95b6d86.exe, cmd.exe (4 identical entries)
- PID 1940 wrote to memory of 1596, 1940, cmd.exe, PING.EXE (4 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\11723c197be14cb35881337c1cb89584f7241dfd876daafa5ed875e7e95b6d86.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\11723c197be14cb35881337c1cb89584f7241dfd876daafa5ed875e7e95b6d86.exe"
  PID: 1500
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 656
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\11723c197be14cb35881337c1cb89584f7241dfd876daafa5ed875e7e95b6d86.exe"
    PID: 1940
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    Child processes:
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 1596
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: ef614d7da3179f72a177365cda7358e1
- SHA1: 3ccdc526c6abe00cab8234b7094261c1f4f2ec76
- SHA256: d56357d1669fd9d049acab362031ca0833abad6ee786f40b95f8bda077bb13b3
- SHA512: 4383fc56c7de032de16cd6ef03c049ec6ce191ca62695e92d31195ce949869094687922baad7d3edd7cc1ff5f8334f7f0cff6dacf2a662873808254c734072f1