Analysis
max time kernel: 143s
max time network: 167s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 05:58
Static task: static1
Behavioral task: behavioral1
Sample: 1135f9bb57e53c2e86cd04847220fa2f7bcabb7d2722139463c7ec790f17c2ae.exe
Resource: win7-en-20211208
Behavioral task: behavioral2
Sample: 1135f9bb57e53c2e86cd04847220fa2f7bcabb7d2722139463c7ec790f17c2ae.exe
Resource: win10v2004-en-20220112
General
Target: 1135f9bb57e53c2e86cd04847220fa2f7bcabb7d2722139463c7ec790f17c2ae.exe
Size: 192KB
MD5: 13e6909c9cd932a1ec95fb0f18a5f4be
SHA1: 524de8e475da895f0f988328ed512b49ba647314
SHA256: 1135f9bb57e53c2e86cd04847220fa2f7bcabb7d2722139463c7ec790f17c2ae
SHA512: 7ac2995517a2a98431206e5892a18f20e201fd77cc36f5a1c93a2e0ac124683d5ea80c674b3659a4568575b55767c28a8e96023e70894abee1a71f43eeaeebc5
Malware Config
Signatures
Sakula Payload (3 IoCs)
Processes:
resource  yara_rule
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  family_sakula
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  family_sakula
Executes dropped EXE (1 IoC)
Processes:
pid  process
1492  MediaCenter.exe
Deletes itself (1 IoC)
Processes:
pid  process
824  cmd.exe
Loads dropped DLL (2 IoCs)
Processes:
pid  process
1412  1135f9bb57e53c2e86cd04847220fa2f7bcabb7d2722139463c7ec790f17c2ae.exe
1412  1135f9bb57e53c2e86cd04847220fa2f7bcabb7d2722139463c7ec790f17c2ae.exe
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
description  ioc  process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  1135f9bb57e53c2e86cd04847220fa2f7bcabb7d2722139463c7ec790f17c2ae.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Runs ping.exe (1 TTP, 1 IoC)
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
description  pid  process
Token: SeIncBasePriorityPrivilege  1412  1135f9bb57e53c2e86cd04847220fa2f7bcabb7d2722139463c7ec790f17c2ae.exe
Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
description  pid  process  target process
PID 1412 wrote to memory of 1492  1412  1135f9bb57e53c2e86cd04847220fa2f7bcabb7d2722139463c7ec790f17c2ae.exe  MediaCenter.exe
PID 1412 wrote to memory of 1492  1412  1135f9bb57e53c2e86cd04847220fa2f7bcabb7d2722139463c7ec790f17c2ae.exe  MediaCenter.exe
PID 1412 wrote to memory of 1492  1412  1135f9bb57e53c2e86cd04847220fa2f7bcabb7d2722139463c7ec790f17c2ae.exe  MediaCenter.exe
PID 1412 wrote to memory of 1492  1412  1135f9bb57e53c2e86cd04847220fa2f7bcabb7d2722139463c7ec790f17c2ae.exe  MediaCenter.exe
PID 1412 wrote to memory of 824  1412  1135f9bb57e53c2e86cd04847220fa2f7bcabb7d2722139463c7ec790f17c2ae.exe  cmd.exe
PID 1412 wrote to memory of 824  1412  1135f9bb57e53c2e86cd04847220fa2f7bcabb7d2722139463c7ec790f17c2ae.exe  cmd.exe
PID 1412 wrote to memory of 824  1412  1135f9bb57e53c2e86cd04847220fa2f7bcabb7d2722139463c7ec790f17c2ae.exe  cmd.exe
PID 1412 wrote to memory of 824  1412  1135f9bb57e53c2e86cd04847220fa2f7bcabb7d2722139463c7ec790f17c2ae.exe  cmd.exe
PID 824 wrote to memory of 796  824  cmd.exe  PING.EXE
PID 824 wrote to memory of 796  824  cmd.exe  PING.EXE
PID 824 wrote to memory of 796  824  cmd.exe  PING.EXE
PID 824 wrote to memory of 796  824  cmd.exe  PING.EXE
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\1135f9bb57e53c2e86cd04847220fa2f7bcabb7d2722139463c7ec790f17c2ae.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\1135f9bb57e53c2e86cd04847220fa2f7bcabb7d2722139463c7ec790f17c2ae.exe"
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 1412
  Level 2: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  - Executes dropped EXE
  PID: 1492
  Level 2: C:\Windows\SysWOW64\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\1135f9bb57e53c2e86cd04847220fa2f7bcabb7d2722139463c7ec790f17c2ae.exe"
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID: 824
    Level 3: C:\Windows\SysWOW64\PING.EXE
    Command line: ping 127.0.0.1
    - Runs ping.exe
    PID: 796
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: ffd3d08a9accb04e7459ec6cb3f7ccf7
SHA1: d42e82fbc1b93bd375b8b641fea542c88da5021b
SHA256: 30e52c679c21a50eee7c1a9e4c56fe8048451f8f863e9ae10cb5436705d9a32a
SHA512: 5296d7eaf32ac495397213fddf0eecf3b386586d9fabb4a23eeff17ca3a4341b49671095b37f2c74f31d9a571004a07beb397a6f4e0f1c07ede4a319937de718