Analysis
- max time kernel: 156s
- max time network: 170s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 05:59
Static task: static1
Behavioral task: behavioral1
  Sample: 112d5055959202cedacbb57bb150e908cecb83921866eb07bc741025d0f6b340.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 112d5055959202cedacbb57bb150e908cecb83921866eb07bc741025d0f6b340.exe
  Resource: win10v2004-en-20220113
General
- Target: 112d5055959202cedacbb57bb150e908cecb83921866eb07bc741025d0f6b340.exe
- Size: 89KB
- MD5: eb5b1a1b52a1262a9c85e2e8541cfc76
- SHA1: 6999a7a2a6bbdb7bce25a3219a14280306f13d7c
- SHA256: 112d5055959202cedacbb57bb150e908cecb83921866eb07bc741025d0f6b340
- SHA512: 72d6f784daa46b68fc85b6400438ebb07c3e625adae1807d6837cd801b1c355d6354168528f04239da5d2016ec17f82601934f325a2ea104c6595212eb267f42
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  Processes (resource | yara_rule):
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- Executes dropped EXE (1 IoCs)
  Processes (pid | process):
  1816 | MediaCenter.exe
- Deletes itself (1 IoCs)
  Processes (pid | process):
  1996 | cmd.exe
- Loads dropped DLL (1 IoCs)
  Processes (pid | process):
  1864 | 112d5055959202cedacbb57bb150e908cecb83921866eb07bc741025d0f6b340.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes (description | ioc | process):
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 112d5055959202cedacbb57bb150e908cecb83921866eb07bc741025d0f6b340.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes (description | pid | process):
  Token: SeIncBasePriorityPrivilege | 1864 | 112d5055959202cedacbb57bb150e908cecb83921866eb07bc741025d0f6b340.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description | pid | process | target process):
  PID 1864 wrote to memory of 1816 | 1864 | 112d5055959202cedacbb57bb150e908cecb83921866eb07bc741025d0f6b340.exe | MediaCenter.exe
  PID 1864 wrote to memory of 1816 | 1864 | 112d5055959202cedacbb57bb150e908cecb83921866eb07bc741025d0f6b340.exe | MediaCenter.exe
  PID 1864 wrote to memory of 1816 | 1864 | 112d5055959202cedacbb57bb150e908cecb83921866eb07bc741025d0f6b340.exe | MediaCenter.exe
  PID 1864 wrote to memory of 1816 | 1864 | 112d5055959202cedacbb57bb150e908cecb83921866eb07bc741025d0f6b340.exe | MediaCenter.exe
  PID 1864 wrote to memory of 1996 | 1864 | 112d5055959202cedacbb57bb150e908cecb83921866eb07bc741025d0f6b340.exe | cmd.exe
  PID 1864 wrote to memory of 1996 | 1864 | 112d5055959202cedacbb57bb150e908cecb83921866eb07bc741025d0f6b340.exe | cmd.exe
  PID 1864 wrote to memory of 1996 | 1864 | 112d5055959202cedacbb57bb150e908cecb83921866eb07bc741025d0f6b340.exe | cmd.exe
  PID 1864 wrote to memory of 1996 | 1864 | 112d5055959202cedacbb57bb150e908cecb83921866eb07bc741025d0f6b340.exe | cmd.exe
  PID 1996 wrote to memory of 1812 | 1996 | cmd.exe | PING.EXE
  PID 1996 wrote to memory of 1812 | 1996 | cmd.exe | PING.EXE
  PID 1996 wrote to memory of 1812 | 1996 | cmd.exe | PING.EXE
  PID 1996 wrote to memory of 1812 | 1996 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\112d5055959202cedacbb57bb150e908cecb83921866eb07bc741025d0f6b340.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\112d5055959202cedacbb57bb150e908cecb83921866eb07bc741025d0f6b340.exe"
  PID: 1864
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 1816
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\112d5055959202cedacbb57bb150e908cecb83921866eb07bc741025d0f6b340.exe"
    PID: 1996
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 1812
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 8c57d718a00c8838a33fdc90f57eb556
  SHA1: 9e98b676d30141cba6308c282d694f1c659a5ed8
  SHA256: 9c7d15ea32047851e892113def764c8e749a55e19b0dcc1b0b92ce524be7b669
  SHA512: bb728d3bfc64ea08089b693b5d9c5d5d786a6cb291b3abb5737589e250e68f797c5b91165b3bbff40758f242f06e883c6991500435000b6a2c1f30e626409999