Analysis
- max time kernel: 152s
- max time network: 174s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 05:57
Static task: static1
Behavioral task: behavioral1
  Sample: 1139eebcce7c784cf977d9a82491df6da24dfafb0c68b9e0ea964b5d161806ff.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 1139eebcce7c784cf977d9a82491df6da24dfafb0c68b9e0ea964b5d161806ff.exe
  Resource: win10v2004-en-20220112
General
- Target: 1139eebcce7c784cf977d9a82491df6da24dfafb0c68b9e0ea964b5d161806ff.exe
- Size: 80KB
- MD5: d4f42427c490c6f37a3fa74c54d39376
- SHA1: a937bfa1ed33147e48dc3e0391631d91fdea59c7
- SHA256: 1139eebcce7c784cf977d9a82491df6da24dfafb0c68b9e0ea964b5d161806ff
- SHA512: b976232e3d31b48ead260449772a11b9b18d2cc6f89e6c1f5546dbdce8594b97c8030afceb95a694c3b655242670ef38baa92c803a7c3b98cfdcf8b702f746a3
Malware Config
Signatures
- Sakula Payload (3 IoCs)
  Processes (resource / yara_rule):
    \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe / family_sakula
    \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe / family_sakula
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe / family_sakula
- Executes dropped EXE (1 IoC)
  Processes (pid / process):
    960 / MediaCenter.exe
- Deletes itself (1 IoC)
  Processes (pid / process):
    1304 / cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid / process):
    844 / 1139eebcce7c784cf977d9a82491df6da24dfafb0c68b9e0ea964b5d161806ff.exe
    844 / 1139eebcce7c784cf977d9a82491df6da24dfafb0c68b9e0ea964b5d161806ff.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description / ioc / process):
    Set value (str) / \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" / 1139eebcce7c784cf977d9a82491df6da24dfafb0c68b9e0ea964b5d161806ff.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description / pid / process):
    Token: SeIncBasePriorityPrivilege / 844 / 1139eebcce7c784cf977d9a82491df6da24dfafb0c68b9e0ea964b5d161806ff.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description / pid / process / target process), each row logged 4 times:
    PID 844 wrote to memory of 960 / 844 / 1139eebcce7c784cf977d9a82491df6da24dfafb0c68b9e0ea964b5d161806ff.exe / MediaCenter.exe (x4)
    PID 844 wrote to memory of 1304 / 844 / 1139eebcce7c784cf977d9a82491df6da24dfafb0c68b9e0ea964b5d161806ff.exe / cmd.exe (x4)
    PID 1304 wrote to memory of 1932 / 1304 / cmd.exe / PING.EXE (x4)
Processes
- C:\Users\Admin\AppData\Local\Temp\1139eebcce7c784cf977d9a82491df6da24dfafb0c68b9e0ea964b5d161806ff.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1139eebcce7c784cf977d9a82491df6da24dfafb0c68b9e0ea964b5d161806ff.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 844
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 960
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\1139eebcce7c784cf977d9a82491df6da24dfafb0c68b9e0ea964b5d161806ff.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1304
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1932
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 770a77215d628e412c857efe29a85a51
  SHA1: 8ceb9b34576fdf685b1f16e32e9a056b957b1ce6
  SHA256: a9801b93c909adb14f40fa2652236e2519610b0db2d4cf7e5e3e976b8a503e05
  SHA512: 5dd42c6bb0ea99d1dcfb200140f7e49ab5aee5d1d920d47b30c7e62f9820336012001288aa06b8745f941cbfc4abe38d1f753d721a0dc05967292bd261fc368e