Analysis
- max time kernel: 134s
- max time network: 158s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 05:59
Static task: static1
Behavioral task: behavioral1
- Sample: 1126417ebd8533090e2e84410919c184c64a06ba6d55147db2399ff7f71d4adf.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 1126417ebd8533090e2e84410919c184c64a06ba6d55147db2399ff7f71d4adf.exe
- Resource: win10v2004-en-20220113
General
- Target: 1126417ebd8533090e2e84410919c184c64a06ba6d55147db2399ff7f71d4adf.exe
- Size: 101KB
- MD5: 6de2400eb64605235b8e71323914d1a2
- SHA1: 47e5a3ead6af1c80463f20f9aea9b91d7c90b511
- SHA256: 1126417ebd8533090e2e84410919c184c64a06ba6d55147db2399ff7f71d4adf
- SHA512: 98130c24c493b51485d40df8fe8b0b5c6160026e5e26dcff8e6c564205801f1aa49d3b394a4fae68c5a5259b7f415d0d30180a214cd1ad2a2f9bbd4768485418
Malware Config
Signatures
- Sakula Payload (3 IoCs)
  YARA rule family_sakula matched the dropped file at each of these resource paths:
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
- Executes dropped EXE (1 IoC)
  PID 520 MediaCenter.exe
- Deletes itself (1 IoC)
  PID 1108 cmd.exe (the cmd.exe child spawned by the sample deletes the sample's own file; the command line is in the process tree below)
- Loads dropped DLL (2 IoCs)
  PID 808 1126417ebd8533090e2e84410919c184c64a06ba6d55147db2399ff7f71d4adf.exe, two load events (the report does not name the DLL)
- Adds Run key to start application (2 TTPs, 1 IoC)
  PID 808 1126417ebd8533090e2e84410919c184c64a06ba6d55147db2399ff7f71d4adf.exe: Set value (str)
  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  (backslashes in the value data are doubled by the report's string escaping)
  The Wow6432Node path is registry redirection, not a deliberate choice by the malware: the sample is a 32-bit process on a 64-bit host (its cmd.exe child runs from SysWOW64), so its write to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run lands in the 32-bit view. The effect is the same: the dropped MediaCenter.exe starts at every interactive logon on the machine. This is ATT&CK Registry Run Keys / Startup Folder persistence (T1547.001 in current ATT&CK; T1060 under the v6 numbering this report uses).
- Enumerates physical storage devices (1 TTP)
  Sandbox description: "Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour."
  Read the ransomware guess as the signature's generic text rather than a verdict on this sample: nothing else in this report shows encryption activity, and the family_sakula match identifies a Sakula backdoor.
- Runs ping.exe (1 TTP, 1 IoC)
  PID 1072 PING.EXE, spawned by cmd.exe (PID 1108) as the delay before del
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  PID 808 1126417ebd8533090e2e84410919c184c64a06ba6d55147db2399ff7f71d4adf.exe: Token SeIncBasePriorityPrivilege
- Suspicious use of WriteProcessMemory (12 IoCs)
  PID 808 (sample) wrote to memory of PID 520 (MediaCenter.exe): 4 events
  PID 808 (sample) wrote to memory of PID 1108 (cmd.exe): 4 events
  PID 1108 (cmd.exe) wrote to memory of PID 1072 (PING.EXE): 4 events
  Every write is from a parent into a child it has just created, so these entries document process creation rather than injection into an unrelated process.
Processes
PID 808 (level 1)
  image: C:\Users\Admin\AppData\Local\Temp\1126417ebd8533090e2e84410919c184c64a06ba6d55147db2399ff7f71d4adf.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\1126417ebd8533090e2e84410919c184c64a06ba6d55147db2399ff7f71d4adf.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID 520 (level 2, child of 808)
    image: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  PID 1108 (level 2, child of 808)
    image: C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\1126417ebd8533090e2e84410919c184c64a06ba6d55147db2399ff7f71d4adf.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID 1072 (level 3, child of 1108)
      image: C:\Windows\SysWOW64\PING.EXE
      command line: ping 127.0.0.1
      - Runs ping.exe

Two details of this tree are worth reading correctly. The sample asks for System32\cmd.exe but the image that runs is SysWOW64\cmd.exe: that is WOW64 file system redirection for a 32-bit process on x64, and it matches the Wow6432Node Run key above. The "ping 127.0.0.1 & del /q <sample>" line is the common self-deletion idiom: ping sends four echo requests roughly a second apart, which gives the parent (PID 808) time to exit, and because a mapped executable cannot be deleted while it is still running, del only succeeds once that has happened.
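The Run-key persistence and the ping-then-del self-deletion in the signatures and process tree above are the two host behaviours a detection engineer would hunt for. The Python below is an added example, not part of this report or of the sandbox's own code. It feeds a small set of Sysmon-style events, constructed here to mirror the process tree (the field names, the ppid 0 for the top-level sample and the two "Vendor" control events are assumptions), through three checks: a Run value pointing into a user-writable AppData path, a child that executes the file its parent just registered for persistence, and a cmd.exe command line of the form ping ... & del whose target is the parent's own image.

```python
"""Detection checks for the behaviours in this report's process tree (added example)."""
import re
from typing import Dict, Iterable, List, Tuple

# Paths taken from the report; the events below are constructed, not report telemetry.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\1126417ebd8533090e2e84410919c184c64a06ba6d55147db2399ff7f71d4adf.exe")
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
RUN_VALUE = r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia"

# Sysmon-style events: event_id 1 = ProcessCreate, 13 = RegistryEvent (value set).
# ppid 0 for the top-level sample and the two "Vendor" control events are assumptions.
SAMPLE_EVENTS: List[Dict] = [
    {"event_id": 1, "pid": 808, "ppid": 0, "image": SAMPLE,
     "command_line": f'"{SAMPLE}"', "parent_image": ""},
    {"event_id": 13, "pid": 808, "target_object": RUN_VALUE, "details": DROPPED},
    {"event_id": 1, "pid": 520, "ppid": 808, "image": DROPPED,
     "command_line": DROPPED, "parent_image": SAMPLE},
    {"event_id": 1, "pid": 1108, "ppid": 808, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "command_line": f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"',
     "parent_image": SAMPLE},
    {"event_id": 1, "pid": 1072, "ppid": 1108, "image": r"C:\Windows\SysWOW64\PING.EXE",
     "command_line": "ping 127.0.0.1", "parent_image": r"C:\Windows\SysWOW64\cmd.exe"},
    # Benign controls that must not fire: a Run key under Program Files, a plain ping.
    {"event_id": 13, "pid": 4242,
     "target_object": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Vendor",
     "details": r'"C:\Program Files\Vendor\agent.exe" /tray'},
    {"event_id": 1, "pid": 4300, "ppid": 4242, "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe /c ping 10.0.0.1 -n 3",
     "parent_image": r"C:\Program Files\Vendor\setup.exe"},
]

# Per-user profile locations that any unprivileged process can write to.
USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\(?:local|roaming)\\", re.I)
RUN_KEY = re.compile(r"\\microsoft\\windows\\currentversion\\run(?:once)?\\", re.I)
# ping <anything> & del [/switches] "<path>": ping is the sleep, del is the payload.
PING_DEL = re.compile(
    r"\bping\b[^&]*&\s*del\b(?:\s+/[a-z])*\s+\"?(?P<target>[^\"&]+?)\"?\s*$", re.I)


def exe_from_value(value: str) -> str:
    """Executable path from a Run value such as '"C:\\x\\a.exe" /tray'.
    An unquoted path containing spaces is cut at the first space (cmd semantics)."""
    value = value.strip()
    if value.startswith('"'):
        return value[1:].split('"', 1)[0]
    return value.split(" ", 1)[0]


def detect(events: Iterable[Dict]) -> List[Tuple[str, int, str]]:
    """Return (rule, pid, evidence) for each matching event, in event order."""
    findings: List[Tuple[str, int, str]] = []
    persisted: Dict[int, set] = {}  # pid -> lower-cased paths it registered under Run
    for ev in events:
        if ev["event_id"] == 13:
            exe = exe_from_value(ev["details"])
            if RUN_KEY.search(ev["target_object"]) and USER_WRITABLE.match(exe):
                findings.append(("run_key_to_user_writable_path", ev["pid"], exe))
                persisted.setdefault(ev["pid"], set()).add(exe.lower())
        elif ev["event_id"] == 1:
            # The parent registered this very file for persistence, then launched it.
            # Requires the registry event to precede the process event (true here).
            if ev["image"].lower() in persisted.get(ev["ppid"], set()):
                findings.append(("executes_persisted_dropped_exe", ev["pid"], ev["image"]))
            m = PING_DEL.search(ev.get("command_line", ""))
            if m:
                target = m.group("target").strip()
                rule = ("self_delete_of_parent"
                        if target.lower() == ev["parent_image"].lower()
                        else "ping_delay_then_delete")
                findings.append((rule, ev["pid"], target))
    return findings


if __name__ == "__main__":
    for rule, pid, evidence in detect(SAMPLE_EVENTS):
        print(f"{rule:32} pid={pid:<5} {evidence}")
```

On the constructed events this yields three findings, one per malicious behaviour, and nothing for the two control events. The self-deletion rule distinguishes the case where the deleted path is the parent's own image (what this sample does) from the weaker "ping as a delay, then del" pattern, so the two can be assigned different severities; the correlation for the dropped executable deliberately keys on the parent PID rather than on the path alone, so a legitimate updater re-registering itself under Run does not fire it.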
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: e06cd3ae510937e96ac9f9d398921087
- SHA1: 49d8c5c9553127b6571e23f4fcadbe184dd99f63
- SHA256: e40712aa6aa3affddfd38cf080d8f299bf35d9925c2663d8129ece2d848f1c92
- SHA512: a270f790c209d6ebcad9b2cec0fffcd7ca8d6d5813e44526c3581a415ee3829cced5d9b44b155c8a06866358e4131f0f8674cbd698ae06af1958388d9dbba9a8
(the report repeats this one entry three times; it does not state the file name)