Analysis
- max time kernel: 146s
- max time network: 157s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 06:10
Static task: static1
Behavioral task: behavioral1
  Sample: 10b0db4452dcc705c7c6d48428162cb5a73423fd258ea0b56601f6b0723623a5.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 10b0db4452dcc705c7c6d48428162cb5a73423fd258ea0b56601f6b0723623a5.exe
  Resource: win10v2004-en-20220113
General
- Target: 10b0db4452dcc705c7c6d48428162cb5a73423fd258ea0b56601f6b0723623a5.exe
- Size: 216KB
- MD5: 92bd0295f2b2ca150bd0d453254643d7
- SHA1: 302f7035949fac92c48e4db24dbbea9888394d89
- SHA256: 10b0db4452dcc705c7c6d48428162cb5a73423fd258ea0b56601f6b0723623a5
- SHA512: cd7836e887aa8589a8d5043ebec9db8fca0aa7d8cc6e8bbf796abab4a8289ceef610ddaa235314936307bd97fbd36ff7ddf1c0f7d29e0867da73aa3d0a2a4fed
Malware Config
Signatures
- Sakula Payload (4 IoCs)
  resource | yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  behavioral1/memory/1260-58-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
  behavioral1/memory/1684-59-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
- Executes dropped EXE (1 IoCs)
  Processes: MediaCenter.exe
  pid | process
  1684 | MediaCenter.exe
- Deletes itself (1 IoCs)
  Processes: cmd.exe
  pid | process
  1164 | cmd.exe
- Loads dropped DLL (1 IoCs)
  Processes: 10b0db4452dcc705c7c6d48428162cb5a73423fd258ea0b56601f6b0723623a5.exe
  pid | process
  1260 | 10b0db4452dcc705c7c6d48428162cb5a73423fd258ea0b56601f6b0723623a5.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes: 10b0db4452dcc705c7c6d48428162cb5a73423fd258ea0b56601f6b0723623a5.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 10b0db4452dcc705c7c6d48428162cb5a73423fd258ea0b56601f6b0723623a5.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: 10b0db4452dcc705c7c6d48428162cb5a73423fd258ea0b56601f6b0723623a5.exe
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 1260 | 10b0db4452dcc705c7c6d48428162cb5a73423fd258ea0b56601f6b0723623a5.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes: 10b0db4452dcc705c7c6d48428162cb5a73423fd258ea0b56601f6b0723623a5.exe, cmd.exe
  description | pid | process | target process
  PID 1260 wrote to memory of 1684 | 1260 | 10b0db4452dcc705c7c6d48428162cb5a73423fd258ea0b56601f6b0723623a5.exe | MediaCenter.exe
  PID 1260 wrote to memory of 1684 | 1260 | 10b0db4452dcc705c7c6d48428162cb5a73423fd258ea0b56601f6b0723623a5.exe | MediaCenter.exe
  PID 1260 wrote to memory of 1684 | 1260 | 10b0db4452dcc705c7c6d48428162cb5a73423fd258ea0b56601f6b0723623a5.exe | MediaCenter.exe
  PID 1260 wrote to memory of 1684 | 1260 | 10b0db4452dcc705c7c6d48428162cb5a73423fd258ea0b56601f6b0723623a5.exe | MediaCenter.exe
  PID 1260 wrote to memory of 1164 | 1260 | 10b0db4452dcc705c7c6d48428162cb5a73423fd258ea0b56601f6b0723623a5.exe | cmd.exe
  PID 1260 wrote to memory of 1164 | 1260 | 10b0db4452dcc705c7c6d48428162cb5a73423fd258ea0b56601f6b0723623a5.exe | cmd.exe
  PID 1260 wrote to memory of 1164 | 1260 | 10b0db4452dcc705c7c6d48428162cb5a73423fd258ea0b56601f6b0723623a5.exe | cmd.exe
  PID 1260 wrote to memory of 1164 | 1260 | 10b0db4452dcc705c7c6d48428162cb5a73423fd258ea0b56601f6b0723623a5.exe | cmd.exe
  PID 1164 wrote to memory of 952 | 1164 | cmd.exe | PING.EXE
  PID 1164 wrote to memory of 952 | 1164 | cmd.exe | PING.EXE
  PID 1164 wrote to memory of 952 | 1164 | cmd.exe | PING.EXE
  PID 1164 wrote to memory of 952 | 1164 | cmd.exe | PING.EXE
Processes
(level 1) C:\Users\Admin\AppData\Local\Temp\10b0db4452dcc705c7c6d48428162cb5a73423fd258ea0b56601f6b0723623a5.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\10b0db4452dcc705c7c6d48428162cb5a73423fd258ea0b56601f6b0723623a5.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1260
  (level 2) C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1684
  (level 2) C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\10b0db4452dcc705c7c6d48428162cb5a73423fd258ea0b56601f6b0723623a5.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1164
    (level 3) C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 952
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 4011f179b501711085c76bc6e87ac57e
  SHA1: 9619cf138e6096b2e08b435534fb51310fa9c5fd
  SHA256: 09f3411f432c3651c9aee49ff418a487f5951b48638307642a2c669daa6b97d8
  SHA512: 3a758658c13f99486c73134074d5251e40b62a90857c892bf2288fec9d283aa9b44ce28bf941d8b00263c43eb1a13a232bef3ec6563bc1d2b0cd753f24e2a6dc