Analysis
- max time kernel: 151s
- max time network: 167s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 06:02
Static task: static1
Behavioral task: behavioral1
- Sample: 1111499cba591111ee7f0bb6c80a64476cd61cb3599cb90c4bde7bba9e6eb94b.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 1111499cba591111ee7f0bb6c80a64476cd61cb3599cb90c4bde7bba9e6eb94b.exe
- Resource: win10v2004-en-20220113
General
- Target: 1111499cba591111ee7f0bb6c80a64476cd61cb3599cb90c4bde7bba9e6eb94b.exe
- Size: 192KB
- MD5: 1c53f20c92cae03a4d51b006a7403fa2
- SHA1: c045e4922e00001b6852c501d3f3b630cb93406a
- SHA256: 1111499cba591111ee7f0bb6c80a64476cd61cb3599cb90c4bde7bba9e6eb94b
- SHA512: ed69e74b82c411cb3bdb16abf74120f9a1612c798a7b1c98a0dc6b8019c8ea024ad29b14fcfade3b3ae58c99218ad6c22b355d46c1f8a3aa9ba7e315201ca46b
Malware Config
Signatures
- Sakula Payload (3 IoCs)
  Processes (resource / yara_rule):
  - \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe / family_sakula
  - \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe / family_sakula
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe / family_sakula
- Executes dropped EXE (1 IoC)
  Processes (pid / process):
  - 1468 / MediaCenter.exe
- Deletes itself (1 IoC)
  Processes (pid / process):
  - 1688 / cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid / process):
  - 1540 / 1111499cba591111ee7f0bb6c80a64476cd61cb3599cb90c4bde7bba9e6eb94b.exe
  - 1540 / 1111499cba591111ee7f0bb6c80a64476cd61cb3599cb90c4bde7bba9e6eb94b.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description / ioc / process):
  - Set value (str) / \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" / 1111499cba591111ee7f0bb6c80a64476cd61cb3599cb90c4bde7bba9e6eb94b.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description / pid / process):
  - Token: SeIncBasePriorityPrivilege / 1540 / 1111499cba591111ee7f0bb6c80a64476cd61cb3599cb90c4bde7bba9e6eb94b.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description / pid / process / target process):
  - PID 1540 wrote to memory of 1468 / 1540 / 1111499cba591111ee7f0bb6c80a64476cd61cb3599cb90c4bde7bba9e6eb94b.exe / MediaCenter.exe
  - PID 1540 wrote to memory of 1468 / 1540 / 1111499cba591111ee7f0bb6c80a64476cd61cb3599cb90c4bde7bba9e6eb94b.exe / MediaCenter.exe
  - PID 1540 wrote to memory of 1468 / 1540 / 1111499cba591111ee7f0bb6c80a64476cd61cb3599cb90c4bde7bba9e6eb94b.exe / MediaCenter.exe
  - PID 1540 wrote to memory of 1468 / 1540 / 1111499cba591111ee7f0bb6c80a64476cd61cb3599cb90c4bde7bba9e6eb94b.exe / MediaCenter.exe
  - PID 1540 wrote to memory of 1688 / 1540 / 1111499cba591111ee7f0bb6c80a64476cd61cb3599cb90c4bde7bba9e6eb94b.exe / cmd.exe
  - PID 1540 wrote to memory of 1688 / 1540 / 1111499cba591111ee7f0bb6c80a64476cd61cb3599cb90c4bde7bba9e6eb94b.exe / cmd.exe
  - PID 1540 wrote to memory of 1688 / 1540 / 1111499cba591111ee7f0bb6c80a64476cd61cb3599cb90c4bde7bba9e6eb94b.exe / cmd.exe
  - PID 1540 wrote to memory of 1688 / 1540 / 1111499cba591111ee7f0bb6c80a64476cd61cb3599cb90c4bde7bba9e6eb94b.exe / cmd.exe
  - PID 1688 wrote to memory of 1100 / 1688 / cmd.exe / PING.EXE
  - PID 1688 wrote to memory of 1100 / 1688 / cmd.exe / PING.EXE
  - PID 1688 wrote to memory of 1100 / 1688 / cmd.exe / PING.EXE
  - PID 1688 wrote to memory of 1100 / 1688 / cmd.exe / PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\1111499cba591111ee7f0bb6c80a64476cd61cb3599cb90c4bde7bba9e6eb94b.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\1111499cba591111ee7f0bb6c80a64476cd61cb3599cb90c4bde7bba9e6eb94b.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1540
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (level 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1468
  - C:\Windows\SysWOW64\cmd.exe (level 2)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\1111499cba591111ee7f0bb6c80a64476cd61cb3599cb90c4bde7bba9e6eb94b.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1688
    - C:\Windows\SysWOW64\PING.EXE (level 3)
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1100
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: c1e3537e8f55f9003a091396479fa7b2
  SHA1: 843d3b42d0603e0a3321e689c3ddf6911a5faebe
  SHA256: 33e5bc80691060c5010528578a8a43909884778834b240f024ca0aebc9151cb4
  SHA512: 3eaebf17ed1ec2fbf4d66e0f21b231da8ab67d2577fdc01c5646b721cc21f505eed67cc6b5d167915a2a964ddef212c96ba18622942b8d946af851bf09ea58c0