Analysis

  max time kernel:   157s
  max time network:  176s
  platform:          windows7_x64
  resource:          win7-en-20211208
  submitted:         12-02-2022 06:06

Static task
  static1

Behavioral task
  behavioral1
  Sample:    10dacb139ff6c0becb3370c87fecd0495ad7ef4b50d019b7140dab1ba165f3f1.exe
  Resource:  win7-en-20211208

Behavioral task
  behavioral2
  Sample:    10dacb139ff6c0becb3370c87fecd0495ad7ef4b50d019b7140dab1ba165f3f1.exe
  Resource:  win10v2004-en-20220113

General

  Target:  10dacb139ff6c0becb3370c87fecd0495ad7ef4b50d019b7140dab1ba165f3f1.exe
  Size:    216KB
  MD5:     a72f868e694243e5882d5600e50fc315
  SHA1:    a7c71b5b9e8dbeaf384a787ba5a61e862797d280
  SHA256:  10dacb139ff6c0becb3370c87fecd0495ad7ef4b50d019b7140dab1ba165f3f1
  SHA512:  a11dc64a7e7b09d72fb494ab72ddf3b1322aa22ebf2821a6b75e3e3a3978a886436b599cf79d4c4ff4eef68d9d24dfeff13cf4899085ef98484283fb4fb473da
Malware Config
Signatures (from behavioral1, win7-en-20211208; the PIDs below belong to that run)

Sakula Payload (4 IoCs)
  resource                                                                      yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe                    family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe                  family_sakula
  behavioral1/memory/1556-59-0x0000000000400000-0x0000000000420000-memory.dmp   family_sakula
  behavioral1/memory/1632-60-0x0000000000400000-0x0000000000420000-memory.dmp   family_sakula

  The rule matches the dropped MediaCenter.exe on disk and the 0x400000-0x420000 image region of both the submitted binary (PID 1556) and the dropped one (PID 1632), so the dropper itself carries Sakula code, not only the file it writes.

Executes dropped EXE (1 IoC)
  pid   process
  1632  MediaCenter.exe

Deletes itself (1 IoC)
  pid   process
  1288  cmd.exe

Loads dropped DLL (1 IoC)
  pid   process
  1556  10dacb139ff6c0becb3370c87fecd0495ad7ef4b50d019b7140dab1ba165f3f1.exe
Adds Run key to start application (2 TTPs, 1 IoC)
  description:  Set value (str)
  ioc:          \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  process:      10dacb139ff6c0becb3370c87fecd0495ad7ef4b50d019b7140dab1ba165f3f1.exe

  The value lands under Wow6432Node because the writer is a 32-bit process on x64 and WOW64 registry redirection maps its HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run write there. Windows still runs entries from that key at logon, so a hunt that reads only the native Run key misses this persistence.
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox labels this "likely ransomware behaviour", but the label is a generic heuristic attached to drive enumeration; Sakula is a backdoor family and nothing else in this report supports a ransomware reading.
Runs ping.exe (1 TTP, 1 IoC)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description                         pid   process
  Token: SeIncBasePriorityPrivilege   1556  10dacb139ff6c0becb3370c87fecd0495ad7ef4b50d019b7140dab1ba165f3f1.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  pid   process                                                                  target pid   target process   calls
  1556  10dacb139ff6c0becb3370c87fecd0495ad7ef4b50d019b7140dab1ba165f3f1.exe   1632         MediaCenter.exe  4
  1556  10dacb139ff6c0becb3370c87fecd0495ad7ef4b50d019b7140dab1ba165f3f1.exe   1288         cmd.exe          4
  1288  cmd.exe                                                                  1976         PING.EXE         4

  Every WriteProcessMemory target is a direct child of the writer, and each child shows the same four writes at creation. That pattern is the parent setting up the new process, not injection into an unrelated process; the signature fires generically and should be read together with the process tree below.
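The Run-key event is the one persistence artefact this report records. The Python below is an added example, not code from the report or from the sandbox vendor: it parses "Set value" lines in the report's own notation, maps the \REGISTRY\MACHINE and \REGISTRY\USER object paths to HKLM/HKU, recognises Run and RunOnce keys with or without the Wow6432Node reflection node, and flags autorun entries whose program lives in a directory a standard user can write to. The first sample event is copied from the report; the other two events, the hive mapping and the user-writable directory list are assumptions made for the illustration.

```python
"""Triage sandbox 'Set value' registry events for Run-key persistence.

Added example; not code from the original report or from the sandbox vendor.
Input lines follow the report's own notation. The hive mapping, the list of
user-writable directories and every sample event except the first are the
author's assumptions, chosen to illustrate the check.
"""
import re
from typing import Dict, List, Optional

# Constructed sample events. The first is copied from the report above; the
# other two are made up: a legitimate per-user Run entry and a non-autorun key.
SAMPLE_EVENTS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe" /background',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Startup = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup"',
]

# "Set value (<type>) <key>\<value name> = <data>": the value name is the last
# backslash-separated component before " = ".
SET_VALUE_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<key>\\REGISTRY\\[^=]+?)\\(?P<name>[^\\=]+) = (?P<data>.*)$'
)
# Run/RunOnce under any hive, with or without the WOW64 reflection node.
AUTORUN_KEY_RE = re.compile(
    r'\\(?:Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?$', re.IGNORECASE
)
# Locations a standard user can write to (assumption): an autorun entry
# pointing here deserves a look, whatever the binary is called.
USER_WRITABLE = (
    '\\appdata\\local\\temp\\', '\\appdata\\roaming\\', '\\users\\public\\',
    '\\programdata\\', '\\windows\\temp\\',
)


def normalize_hive(key: str) -> str:
    """Map the kernel object path the sandbox logs to the usual HKLM/HKU names."""
    key = re.sub(r'^\\REGISTRY\\MACHINE', 'HKLM', key, flags=re.IGNORECASE)
    return re.sub(r'^\\REGISTRY\\USER', 'HKU', key, flags=re.IGNORECASE)


def executable_path(data: str) -> str:
    """Return the program path from value data: the quoted token if the data
    starts with a quote, otherwise the first whitespace-delimited token. The
    sandbox escapes backslashes inside quoted data, so collapse them."""
    data = data.strip()
    quoted = re.match(r'"([^"]+)"', data)
    path = quoted.group(1) if quoted else data.split(' ', 1)[0]
    return path.replace('\\\\', '\\')


def triage(event: str) -> Optional[Dict[str, object]]:
    """Return a finding for an autorun Set-value event, or None for anything else."""
    m = SET_VALUE_RE.match(event)
    if not m or not AUTORUN_KEY_RE.search(m.group('key')):
        return None
    path = executable_path(m.group('data'))
    low = path.lower()
    return {
        'key': normalize_hive(m.group('key')),
        'name': m.group('name'),
        'path': path,
        # A 32-bit writer on x64 lands under Wow6432Node; hunts that query only
        # the native Run key miss it.
        'wow64': 'wow6432node' in m.group('key').lower(),
        'suspicious': any(d in low for d in USER_WRITABLE),
    }


def suspicious_autoruns(events: List[str]) -> List[Dict[str, object]]:
    """Every autorun entry whose target lives in a user-writable directory."""
    findings = [triage(e) for e in events]
    return [f for f in findings if f and f['suspicious']]


if __name__ == '__main__':
    for f in suspicious_autoruns(SAMPLE_EVENTS):
        print(f"{f['key']}\\{f['name']} -> {f['path']} (wow64={f['wow64']})")
```

Run as a script it reports only the MicroMedia entry; the OneDrive entry under Program Files passes, and the Shell Folders write is ignored because it is not an autorun key. The wow64 flag is kept in the finding so a responder knows to query both the native and the Wow6432Node Run keys on the host.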
Processes (behavioral1)

  C:\Users\Admin\AppData\Local\Temp\10dacb139ff6c0becb3370c87fecd0495ad7ef4b50d019b7140dab1ba165f3f1.exe  (PID 1556)
    command line: "C:\Users\Admin\AppData\Local\Temp\10dacb139ff6c0becb3370c87fecd0495ad7ef4b50d019b7140dab1ba165f3f1.exe"
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  (PID 1632, child of 1556)
      command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE

    C:\Windows\SysWOW64\cmd.exe  (PID 1288, child of 1556)
      command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\10dacb139ff6c0becb3370c87fecd0495ad7ef4b50d019b7140dab1ba165f3f1.exe"
      - Deletes itself
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\PING.EXE  (PID 1976, child of 1288)
        command line: ping 127.0.0.1
        - Runs ping.exe

  The cmd.exe line is the usual delete-after-exit idiom: "ping 127.0.0.1" stalls for a few seconds so the dropper (PID 1556) can exit and release the lock on its own image, then "del /q" removes the original file while the dropped MediaCenter.exe and the Run key remain. The image paths read SysWOW64 although the command lines name System32: the dropper is a 32-bit process, and WOW64 file-system redirection maps its System32 references to SysWOW64.
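The tree above is what a responder has to recover from flat process-creation events on a real host. The Python below is an added example, not code from the report or from the sandbox: it rebuilds the parent/child tree from a list of (pid, ppid, image, cmdline) records, flags a cmd.exe child whose "ping ... & del" target is its own parent's image (the self-deletion seen at PID 1288), and notes the SysWOW64/System32 mismatch that reveals a 32-bit creator. It goes a little beyond the report's exact command line by also accepting "ping -n N", "> nul" and "&&" variants. The records are constructed to mirror the report's tree, PID 2000 is a made-up benign control, and the record layout is an assumption.

```python
"""Rebuild the process tree from flat creation events and flag the
'ping & del' self-deletion the report shows under cmd.exe (PID 1288).

Added example; not code from the original report or from the sandbox. The
events below are constructed to mirror the report's tree (plus one benign
control), and the record layout (pid, ppid, image, cmdline) is an assumption.
"""
import re
from typing import Dict, List

SAMPLE = (r'C:\Users\Admin\AppData\Local\Temp'
          r'\10dacb139ff6c0becb3370c87fecd0495ad7ef4b50d019b7140dab1ba165f3f1.exe')
DROPPED = r'C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe'

# Constructed from the report's process tree; PID 2000 is a made-up benign control.
EVENTS: List[Dict[str, object]] = [
    {'pid': 1556, 'ppid': 1000, 'image': SAMPLE, 'cmdline': f'"{SAMPLE}"'},
    {'pid': 1632, 'ppid': 1556, 'image': DROPPED, 'cmdline': DROPPED},
    {'pid': 1288, 'ppid': 1556, 'image': r'C:\Windows\SysWOW64\cmd.exe',
     'cmdline': f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"'},
    {'pid': 1976, 'ppid': 1288, 'image': r'C:\Windows\SysWOW64\PING.EXE', 'cmdline': 'ping 127.0.0.1'},
    {'pid': 2000, 'ppid': 1000, 'image': r'C:\Windows\System32\cmd.exe',
     'cmdline': r'"C:\Windows\System32\cmd.exe" /c del /q C:\Users\Admin\Desktop\old.log'},
]

# "ping <anything, incl. -n N and > nul> & del [/switches] <path>": the ping is
# only a delay so the parent can exit and release its file lock before del runs.
PING_DEL_RE = re.compile(
    r'\bping\b[^&]*&+\s*del\s+(?:/\w+\s+)*"?(?P<target>[^"&]+?)"?\s*$',
    re.IGNORECASE,
)


def basename(path: str) -> str:
    return path.rsplit('\\', 1)[-1].lower()


def find_self_deletes(events: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """cmd.exe children whose ping-then-del target is their own parent's image."""
    by_pid = {e['pid']: e for e in events}
    hits = []
    for e in events:
        if basename(str(e['image'])) != 'cmd.exe':
            continue
        m = PING_DEL_RE.search(str(e['cmdline']))
        if not m:
            continue
        target = m.group('target').strip()
        parent = by_pid.get(e['ppid'])
        if parent and str(parent['image']).lower() == target.lower():
            hits.append({'cmd_pid': e['pid'], 'parent_pid': parent['pid'], 'deleted': target})
    return hits


def wow64_redirected(e: Dict[str, object]) -> bool:
    """Image under SysWOW64 while the command line names System32: the
    creator is a 32-bit process and WOW64 redirected the path."""
    return '\\syswow64\\' in str(e['image']).lower() and '\\system32\\' in str(e['cmdline']).lower()


def render_tree(events: List[Dict[str, object]]) -> List[str]:
    """Indented 'image (PID n)' lines, children under parents in event order;
    a process whose parent is not in the events is shown as a root."""
    known = {e['pid'] for e in events}
    children: Dict[object, List[Dict[str, object]]] = {}
    for e in events:
        children.setdefault(e['ppid'] if e['ppid'] in known else None, []).append(e)
    lines: List[str] = []

    def walk(pid: object, depth: int) -> None:
        for c in children.get(pid, []):
            lines.append(f"{'  ' * depth}{c['image']} (PID {c['pid']})")
            walk(c['pid'], depth + 1)

    walk(None, 0)
    return lines


if __name__ == '__main__':
    print('\n'.join(render_tree(EVENTS)))
    for h in find_self_deletes(EVENTS):
        print(f"self-delete: cmd PID {h['cmd_pid']} removes parent PID {h['parent_pid']} image {h['deleted']}")
```

The parent-image comparison is what separates self-deletion from an ordinary cleanup command: the benign control at PID 2000 deletes a file but has no ping delay and does not target its parent, so it is not reported. When the original dropper is already gone from disk, the deleted path returned here is the hash lookup key to pivot on.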
Network
MITRE ATT&CK Enterprise v6
Downloads

  MD5:     bf8e90cab95b5e9902cc8a06ec6c524b
  SHA1:    95d33ca76de07e4940908558de969ea9e3823997
  SHA256:  9637ab0393bb06e1dbaecd907c483a3a9da9581a9b34e55662a3f37c31b70499
  SHA512:  ef049e4d388c2c155b243267ba75101778960877dbef7d4ce2961884991bf92a7739fc820367ee80d957fefec79d6dc2e776b5eb135466aacd10dff753b690df

  The page does not name the file these hashes belong to; they are not the submitted sample's (compare General above).