Analysis
- max time kernel: 154s
- max time network: 172s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 05:58
Static task: static1
Behavioral task: behavioral1
- Sample: 11345359b634c183e330196466dc70b8e0feaee70a419b1ea012707967b9e484.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 11345359b634c183e330196466dc70b8e0feaee70a419b1ea012707967b9e484.exe
- Resource: win10v2004-en-20220113
General
- Target: 11345359b634c183e330196466dc70b8e0feaee70a419b1ea012707967b9e484.exe
- Size: 150KB
- MD5: b5d3c0728736eeb2227e4e92cf9f5d58
- SHA1: 99c367f1252bd0f1611a1a3c7c41c9164e820636
- SHA256: 11345359b634c183e330196466dc70b8e0feaee70a419b1ea012707967b9e484
- SHA512: bbb4112e6f827abcc9bac7d5713176eef0773d34caee4fde1ebfb4ab3d43f1284fe7c387a3f3999e7555d9eb7dbf42aa3603d5c6c79a99764932d3e4e85154b1
Malware Config
Signatures
-
Sakula Payload 2 IoCs
Resources matched by YARA rule:
- \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe: family_sakula
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe: family_sakula
-
Executes dropped EXE 1 IoCs
Processes:
- PID 1360 MediaCenter.exe
-
Deletes itself 1 IoCs
Processes:
- PID 432 cmd.exe
-
Loads dropped DLL 1 IoCs
Processes:
- PID 1728 11345359b634c183e330196466dc70b8e0feaee70a419b1ea012707967b9e484.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
- 11345359b634c183e330196466dc70b8e0feaee70a419b1ea012707967b9e484.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The signature's canned description rates this as likely ransomware behaviour, but it is a generic heuristic; the dropped payload in this run matched the family_sakula YARA rule above, so the ransomware label should not be taken at face value without further evidence.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
- PID 1728 11345359b634c183e330196466dc70b8e0feaee70a419b1ea012707967b9e484.exe: Token: SeIncBasePriorityPrivilege
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes (source PID wrote to target PID; the sandbox logged each write separately):
- PID 1728 (11345359b634c183e330196466dc70b8e0feaee70a419b1ea012707967b9e484.exe) wrote to memory of PID 1360 (MediaCenter.exe), 4 writes
- PID 1728 (11345359b634c183e330196466dc70b8e0feaee70a419b1ea012707967b9e484.exe) wrote to memory of PID 432 (cmd.exe), 4 writes
- PID 432 (cmd.exe) wrote to memory of PID 1100 (PING.EXE), 4 writes
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\11345359b634c183e330196466dc70b8e0feaee70a419b1ea012707967b9e484.exe (PID 1728)
   Command line: "C:\Users\Admin\AppData\Local\Temp\11345359b634c183e330196466dc70b8e0feaee70a419b1ea012707967b9e484.exe"
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 1360, child of 1728)
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE
   2. C:\Windows\SysWOW64\cmd.exe (PID 432, child of 1728)
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\11345359b634c183e330196466dc70b8e0feaee70a419b1ea012707967b9e484.exe"
      (The command line names System32\cmd.exe but the image that ran is SysWOW64\cmd.exe: the 32-bit sample is subject to WOW64 file system redirection on the x64 guest. The ping to 127.0.0.1 is a delay so that the parent has exited before its own file is deleted.)
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\PING.EXE (PID 1100, child of 432)
         Command line: ping 127.0.0.1
         - Runs ping.exe
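The two host-side behaviours in the tree above (the cmd.exe self-deletion via `ping 127.0.0.1 & del /q "<own image>"`, and the Run key pointing at a dropped EXE under the user's Temp directory) are easy to encode as detection logic over process-creation and registry events. The following is an editor-added example, not code from the sandbox report or from the Sakula tooling. The event records are constructed to resemble Sysmon Event ID 1 (process create) and Event ID 13 (registry value set); the field names, the explorer.exe parent of PID 1728, and the benign "Updater" control entry are assumptions, not data from the report.

```python
"""Detect two behaviours the report above flags: the "Deletes itself" pattern
(cmd.exe /c ping 127.0.0.1 & del /q "<own image>") and a Run key pointing at a
dropped EXE in a user-writable directory. Editor-added example, not part of
the sandbox report. Event shapes imitate Sysmon Event ID 1 / 13; the field
names, the explorer.exe parent of PID 1728 and the benign control entry are
assumptions, not report data."""
import re
from dataclasses import dataclass
from typing import List, Optional

# 'del /q "C:\path\x.exe"' or 'erase C:\path\x.exe &'; captures the target path.
DEL_RE = re.compile(r'\b(?:del|erase)\b(?:\s+/[a-z])*\s+"?([^"&]+?)"?\s*(?:&|$)', re.I)
# Delay idioms used so the parent has exited before its file is deleted.
DELAY_RE = re.compile(r"\b(?:ping|timeout|choice)\b", re.I)
RUN_KEY_RE = re.compile(r"\\microsoft\\windows\\currentversion\\run(?:once)?\\", re.I)
# Directories an unprivileged user can write to; a Run value here is far more
# suspicious than one under Program Files.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\",
                 "\\users\\public\\", "\\programdata\\")

@dataclass
class ProcessEvent:
    pid: int
    image: str
    command_line: str
    parent_pid: int
    parent_image: str

@dataclass
class RegistryEvent:
    pid: int
    image: str
    key: str  # full value path, as the report prints it
    data: str

@dataclass
class Finding:
    rule: str
    pid: int
    detail: str

def norm_path(p: str) -> str:
    """Lower-case, strip quotes, undo doubled backslashes and forward slashes."""
    return p.strip().strip('"').replace("\\\\", "\\").replace("/", "\\").lower()

def self_delete_target(ev: ProcessEvent) -> Optional[str]:
    """Path a cmd.exe child deletes, but only when it is the parent's own image."""
    if norm_path(ev.image).rsplit("\\", 1)[-1] != "cmd.exe":
        return None
    m = DEL_RE.search(ev.command_line)
    if m and norm_path(m.group(1)) == norm_path(ev.parent_image):
        return norm_path(m.group(1))
    return None

def self_delete_finding(ev: ProcessEvent) -> Optional[Finding]:
    target = self_delete_target(ev)
    if target is None:
        return None
    mode = "delayed" if DELAY_RE.search(ev.command_line) else "immediate"
    return Finding("self_delete", ev.parent_pid,
                   f"PID {ev.pid} {mode} delete of parent image {target}")

def run_key_finding(ev: RegistryEvent) -> Optional[Finding]:
    """Run/RunOnce value whose target lives in a user-writable directory."""
    if not RUN_KEY_RE.search(ev.key):
        return None
    if any(root in norm_path(ev.data) for root in USER_WRITABLE):
        return Finding("run_key_user_writable", ev.pid, f"{ev.key} -> {ev.data}")
    return None

def scan(procs: List[ProcessEvent], regs: List[RegistryEvent]) -> List[Finding]:
    out = [f for f in map(self_delete_finding, procs) if f]
    return out + [f for f in map(run_key_finding, regs) if f]

# Constructed events reproducing the process tree and registry write above.
SAMPLE = ("C:\\Users\\Admin\\AppData\\Local\\Temp\\"
          "11345359b634c183e330196466dc70b8e0feaee70a419b1ea012707967b9e484.exe")
DROPPED = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
CMD = "C:\\Windows\\SysWOW64\\cmd.exe"
PROCESS_EVENTS = [
    ProcessEvent(1728, SAMPLE, f'"{SAMPLE}"', 1000, "C:\\Windows\\explorer.exe"),
    ProcessEvent(1360, DROPPED, DROPPED, 1728, SAMPLE),
    ProcessEvent(432, CMD, '"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 '
                 f'& del /q "{SAMPLE}"', 1728, SAMPLE),
    ProcessEvent(1100, "C:\\Windows\\SysWOW64\\PING.EXE", "ping 127.0.0.1", 432, CMD),
]
REGISTRY_EVENTS = [
    RegistryEvent(1728, SAMPLE, "\\REGISTRY\\MACHINE\\SOFTWARE\\Wow6432Node\\"
                  "Microsoft\\Windows\\CurrentVersion\\Run\\MicroMedia", f'"{DROPPED}"'),
    # Benign control (assumed): a vendor updater under Program Files must not fire.
    RegistryEvent(900, "C:\\Windows\\explorer.exe", "\\REGISTRY\\MACHINE\\SOFTWARE\\"
                  "Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
                  '"C:\\Program Files\\Vendor\\updater.exe" /background'),
]

if __name__ == "__main__":
    for f in scan(PROCESS_EVENTS, REGISTRY_EVENTS):
        print(f"{f.rule:22} pid={f.pid:<5} {f.detail}")
```

The self-delete rule keys on the parent/child relationship rather than on `ping` alone: a cmd.exe child deleting its own parent's image is the signal, and the `ping`/`timeout` delay only tells you it was written to survive the race with the parent exiting. The Run key rule deliberately ignores autostart entries under Program Files so that the control entry does not fire; on a real host you would feed it from Sysmon or EDR telemetry instead of the constructed lists.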
Network
MITRE ATT&CK Enterprise v6
Downloads
-
MD5: 3fcac4884de9bb7f73345e81b2ec4c78
SHA1: d02a98f4ba9e3df45809fce18312757bd3cdb42b
SHA256: 25032f175c103d8cac13885c0f6379e9942c31be886d0a3b1203b917d69ae9a3
SHA512: 32035a0701c31ea2ba96ad480ffe180296dad6b7a123111c20ef3abe0ee882ebd7a95a536869cbe895312cc5e768a2a2516526e1005193f5df756126404f8f98