Analysis
  max time kernel: 153s
  max time network: 160s
  platform: windows7_x64
  resource: win7-en-20211208
  submitted: 12-02-2022 06:07
Static task: static1
Behavioral task: behavioral1
  Sample: 10d80821f411f93a2cc1518f3eb34e719b35c4944e4a668f1c5321d8eec0b417.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 10d80821f411f93a2cc1518f3eb34e719b35c4944e4a668f1c5321d8eec0b417.exe
  Resource: win10v2004-en-20220112
General
  Target: 10d80821f411f93a2cc1518f3eb34e719b35c4944e4a668f1c5321d8eec0b417.exe
  Size: 80KB
  MD5: 47b3c37b4a3e4ffe3c1eb0133d16d2d0
  SHA1: 981b26944ef56f0843e9667b87c6797313ec5490
  SHA256: 10d80821f411f93a2cc1518f3eb34e719b35c4944e4a668f1c5321d8eec0b417
  SHA512: 9d13fed4f8d10d2fc6f50c9aff973983be35542be265f77adc037e546fa740d96844202b9e1b115cfd247cac4af8ff19bd090e29a3c6f9aa23e87fd576d0e072
Malware Config
Signatures
Sakula Payload (3 IoCs)
  Processes (resource / yara_rule):
    \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe / family_sakula
    \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe / family_sakula
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe / family_sakula
Executes dropped EXE (1 IoC)
  Processes (pid / process):
    1684 / MediaCenter.exe
Deletes itself (1 IoC)
  Processes (pid / process):
    776 / cmd.exe
Loads dropped DLL (2 IoCs)
  Processes (pid / process):
    1212 / 10d80821f411f93a2cc1518f3eb34e719b35c4944e4a668f1c5321d8eec0b417.exe
    1212 / 10d80821f411f93a2cc1518f3eb34e719b35c4944e4a668f1c5321d8eec0b417.exe
Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description / ioc / process):
    Set value (str) / \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" / 10d80821f411f93a2cc1518f3eb34e719b35c4944e4a668f1c5321d8eec0b417.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Runs ping.exe (1 TTP, 1 IoC)
Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description / pid / process):
    Token: SeIncBasePriorityPrivilege / 1212 / 10d80821f411f93a2cc1518f3eb34e719b35c4944e4a668f1c5321d8eec0b417.exe
Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description / pid / process / target process):
    PID 1212 wrote to memory of 1684 / 1212 / 10d80821f411f93a2cc1518f3eb34e719b35c4944e4a668f1c5321d8eec0b417.exe / MediaCenter.exe
    PID 1212 wrote to memory of 1684 / 1212 / 10d80821f411f93a2cc1518f3eb34e719b35c4944e4a668f1c5321d8eec0b417.exe / MediaCenter.exe
    PID 1212 wrote to memory of 1684 / 1212 / 10d80821f411f93a2cc1518f3eb34e719b35c4944e4a668f1c5321d8eec0b417.exe / MediaCenter.exe
    PID 1212 wrote to memory of 1684 / 1212 / 10d80821f411f93a2cc1518f3eb34e719b35c4944e4a668f1c5321d8eec0b417.exe / MediaCenter.exe
    PID 1212 wrote to memory of 776 / 1212 / 10d80821f411f93a2cc1518f3eb34e719b35c4944e4a668f1c5321d8eec0b417.exe / cmd.exe
    PID 1212 wrote to memory of 776 / 1212 / 10d80821f411f93a2cc1518f3eb34e719b35c4944e4a668f1c5321d8eec0b417.exe / cmd.exe
    PID 1212 wrote to memory of 776 / 1212 / 10d80821f411f93a2cc1518f3eb34e719b35c4944e4a668f1c5321d8eec0b417.exe / cmd.exe
    PID 1212 wrote to memory of 776 / 1212 / 10d80821f411f93a2cc1518f3eb34e719b35c4944e4a668f1c5321d8eec0b417.exe / cmd.exe
    PID 776 wrote to memory of 1048 / 776 / cmd.exe / PING.EXE
    PID 776 wrote to memory of 1048 / 776 / cmd.exe / PING.EXE
    PID 776 wrote to memory of 1048 / 776 / cmd.exe / PING.EXE
    PID 776 wrote to memory of 1048 / 776 / cmd.exe / PING.EXE
Processes
  C:\Users\Admin\AppData\Local\Temp\10d80821f411f93a2cc1518f3eb34e719b35c4944e4a668f1c5321d8eec0b417.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\10d80821f411f93a2cc1518f3eb34e719b35c4944e4a668f1c5321d8eec0b417.exe"
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 1212
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE
      PID: 1684
    C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\10d80821f411f93a2cc1518f3eb34e719b35c4944e4a668f1c5321d8eec0b417.exe"
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      PID: 776
      C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
        - Runs ping.exe
        PID: 1048
Network
MITRE ATT&CK Enterprise v6
Downloads
  MD5: 9a655cc68e6a49083dad4ede0294b390
  SHA1: df372d26a3751ccbfc4b1b07cad4bdd793d63e7a
  SHA256: a0cc6984ea604f7deb32934b92c9b8000c3336efe0e9fb177e94c8836728a452
  SHA512: 78baa38e2c66b995899f7b8df07bead35f9c02f0a8ad4533429dd589232329d7c357d52c984c3c5c2cd5a2bf02aeaec193dcccc307123d82bb732d2f7f6c7aed