Analysis
-
max time kernel
135s -
max time network
154s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
12-02-2022 06:02
Static task
static1
Behavioral task
behavioral1
Sample
1112b47d385f418bb27c7a9ee77bc32fb55f6ba5fc27acb335ec729c2e78581b.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
1112b47d385f418bb27c7a9ee77bc32fb55f6ba5fc27acb335ec729c2e78581b.exe
Resource
win10v2004-en-20220113
General
-
Target
1112b47d385f418bb27c7a9ee77bc32fb55f6ba5fc27acb335ec729c2e78581b.exe
-
Size
191KB
-
MD5
ef5a3363db75d8ab3297f0865386b2fb
-
SHA1
1aea7cf171e15ea9de46688a595cd4221bcd6e5e
-
SHA256
1112b47d385f418bb27c7a9ee77bc32fb55f6ba5fc27acb335ec729c2e78581b
-
SHA512
e31bd4b9ef837c5da9153fe36d71500e2a493a829f7502d4ad5c0321ba31a276bbf0f9668f7ef8d8b91b3be4bf30bdaeb7466c288aa270c17960cca9b6d93504
Malware Config
Signatures
-
Sakula Payload 3 IoCs
Processes:
resource yara_rule \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula -
Executes dropped EXE 1 IoCs
Processes:
MediaCenter.exepid process 1576 MediaCenter.exe -
Deletes itself 1 IoCs
Processes:
cmd.exepid process 828 cmd.exe -
Loads dropped DLL 2 IoCs
Processes:
1112b47d385f418bb27c7a9ee77bc32fb55f6ba5fc27acb335ec729c2e78581b.exepid process 1664 1112b47d385f418bb27c7a9ee77bc32fb55f6ba5fc27acb335ec729c2e78581b.exe 1664 1112b47d385f418bb27c7a9ee77bc32fb55f6ba5fc27acb335ec729c2e78581b.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
1112b47d385f418bb27c7a9ee77bc32fb55f6ba5fc27acb335ec729c2e78581b.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" 1112b47d385f418bb27c7a9ee77bc32fb55f6ba5fc27acb335ec729c2e78581b.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
1112b47d385f418bb27c7a9ee77bc32fb55f6ba5fc27acb335ec729c2e78581b.exedescription pid process Token: SeIncBasePriorityPrivilege 1664 1112b47d385f418bb27c7a9ee77bc32fb55f6ba5fc27acb335ec729c2e78581b.exe -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
1112b47d385f418bb27c7a9ee77bc32fb55f6ba5fc27acb335ec729c2e78581b.execmd.exedescription pid process target process PID 1664 wrote to memory of 1576 1664 1112b47d385f418bb27c7a9ee77bc32fb55f6ba5fc27acb335ec729c2e78581b.exe MediaCenter.exe PID 1664 wrote to memory of 1576 1664 1112b47d385f418bb27c7a9ee77bc32fb55f6ba5fc27acb335ec729c2e78581b.exe MediaCenter.exe PID 1664 wrote to memory of 1576 1664 1112b47d385f418bb27c7a9ee77bc32fb55f6ba5fc27acb335ec729c2e78581b.exe MediaCenter.exe PID 1664 wrote to memory of 1576 1664 1112b47d385f418bb27c7a9ee77bc32fb55f6ba5fc27acb335ec729c2e78581b.exe MediaCenter.exe PID 1664 wrote to memory of 828 1664 1112b47d385f418bb27c7a9ee77bc32fb55f6ba5fc27acb335ec729c2e78581b.exe cmd.exe PID 1664 wrote to memory of 828 1664 1112b47d385f418bb27c7a9ee77bc32fb55f6ba5fc27acb335ec729c2e78581b.exe cmd.exe PID 1664 wrote to memory of 828 1664 1112b47d385f418bb27c7a9ee77bc32fb55f6ba5fc27acb335ec729c2e78581b.exe cmd.exe PID 1664 wrote to memory of 828 1664 1112b47d385f418bb27c7a9ee77bc32fb55f6ba5fc27acb335ec729c2e78581b.exe cmd.exe PID 828 wrote to memory of 1856 828 cmd.exe PING.EXE PID 828 wrote to memory of 1856 828 cmd.exe PING.EXE PID 828 wrote to memory of 1856 828 cmd.exe PING.EXE PID 828 wrote to memory of 1856 828 cmd.exe PING.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\1112b47d385f418bb27c7a9ee77bc32fb55f6ba5fc27acb335ec729c2e78581b.exe"C:\Users\Admin\AppData\Local\Temp\1112b47d385f418bb27c7a9ee77bc32fb55f6ba5fc27acb335ec729c2e78581b.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1664 -
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeC:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe2⤵
- Executes dropped EXE
PID:1576 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\1112b47d385f418bb27c7a9ee77bc32fb55f6ba5fc27acb335ec729c2e78581b.exe"2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:828 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.13⤵
- Runs ping.exe
PID:1856
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
0732d179e9c55192663fe9c222c2f05d
SHA13102aafe653a6656fecff0b490ecc862fc32ee68
SHA256eeb178f2e7a9c95dc61564ec91055e468c2dcaaa0ec5742615bbc634960a88c4
SHA51215e91466251dc59a601bb2ebc7d4f8cf3f1a3c19a6f37d7f2b976b886a2ca8acbe25d8fee1bc26f0dabc2c2d04d662d503b8e0d9ecaa750f88f6da6f4203f0c3
-
MD5
0732d179e9c55192663fe9c222c2f05d
SHA13102aafe653a6656fecff0b490ecc862fc32ee68
SHA256eeb178f2e7a9c95dc61564ec91055e468c2dcaaa0ec5742615bbc634960a88c4
SHA51215e91466251dc59a601bb2ebc7d4f8cf3f1a3c19a6f37d7f2b976b886a2ca8acbe25d8fee1bc26f0dabc2c2d04d662d503b8e0d9ecaa750f88f6da6f4203f0c3
-
MD5
0732d179e9c55192663fe9c222c2f05d
SHA13102aafe653a6656fecff0b490ecc862fc32ee68
SHA256eeb178f2e7a9c95dc61564ec91055e468c2dcaaa0ec5742615bbc634960a88c4
SHA51215e91466251dc59a601bb2ebc7d4f8cf3f1a3c19a6f37d7f2b976b886a2ca8acbe25d8fee1bc26f0dabc2c2d04d662d503b8e0d9ecaa750f88f6da6f4203f0c3