Analysis
max time kernel: 160s
max time network: 179s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 06:10
Static task: static1
Behavioral task: behavioral1
  Sample: 10afa2f83f36d61d974a647f31f0fdc0c07d10236c9f49905f8c5e12bd10db91.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 10afa2f83f36d61d974a647f31f0fdc0c07d10236c9f49905f8c5e12bd10db91.exe
  Resource: win10v2004-en-20220112
General
Target: 10afa2f83f36d61d974a647f31f0fdc0c07d10236c9f49905f8c5e12bd10db91.exe
Size: 216KB
MD5: b35358f26964918c18fbea4ca4c87ba2
SHA1: 573fd2586a2762d08a6a884c0becbbc003802aac
SHA256: 10afa2f83f36d61d974a647f31f0fdc0c07d10236c9f49905f8c5e12bd10db91
SHA512: 2dae6ae1ac5e138abb808e9c0c6f70cc35ebbf15f49f3488f66ef04d4371562b65ea9f824b2d4f6c3cf51e65fe7bb0679133cf893f2dd6156f7ac8d6dbf2973c
Malware Config
Signatures
Sakula Payload  4 IoCs
  resource                                                                      yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe                    family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe                  family_sakula
  behavioral1/memory/1532-59-0x0000000000400000-0x0000000000420000-memory.dmp   family_sakula
  behavioral1/memory/1540-60-0x0000000000400000-0x0000000000420000-memory.dmp   family_sakula

Executes dropped EXE  1 IoCs
  pid   process
  1540  MediaCenter.exe

Deletes itself  1 IoCs
  pid   process
  1520  cmd.exe

Loads dropped DLL  1 IoCs
  pid   process
  1532  10afa2f83f36d61d974a647f31f0fdc0c07d10236c9f49905f8c5e12bd10db91.exe

Adds Run key to start application  2 TTPs  1 IoCs
  description      ioc                                                                                                                                                              process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  10afa2f83f36d61d974a647f31f0fdc0c07d10236c9f49905f8c5e12bd10db91.exe

Enumerates physical storage devices  1 TTPs
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe  1 TTPs  1 IoCs

Suspicious use of AdjustPrivilegeToken  1 IoCs
  description                        pid   process
  Token: SeIncBasePriorityPrivilege  1532  10afa2f83f36d61d974a647f31f0fdc0c07d10236c9f49905f8c5e12bd10db91.exe

Suspicious use of WriteProcessMemory  12 IoCs
  description                       pid   process                                                                 target process
  PID 1532 wrote to memory of 1540  1532  10afa2f83f36d61d974a647f31f0fdc0c07d10236c9f49905f8c5e12bd10db91.exe  MediaCenter.exe
  PID 1532 wrote to memory of 1540  1532  10afa2f83f36d61d974a647f31f0fdc0c07d10236c9f49905f8c5e12bd10db91.exe  MediaCenter.exe
  PID 1532 wrote to memory of 1540  1532  10afa2f83f36d61d974a647f31f0fdc0c07d10236c9f49905f8c5e12bd10db91.exe  MediaCenter.exe
  PID 1532 wrote to memory of 1540  1532  10afa2f83f36d61d974a647f31f0fdc0c07d10236c9f49905f8c5e12bd10db91.exe  MediaCenter.exe
  PID 1532 wrote to memory of 1520  1532  10afa2f83f36d61d974a647f31f0fdc0c07d10236c9f49905f8c5e12bd10db91.exe  cmd.exe
  PID 1532 wrote to memory of 1520  1532  10afa2f83f36d61d974a647f31f0fdc0c07d10236c9f49905f8c5e12bd10db91.exe  cmd.exe
  PID 1532 wrote to memory of 1520  1532  10afa2f83f36d61d974a647f31f0fdc0c07d10236c9f49905f8c5e12bd10db91.exe  cmd.exe
  PID 1532 wrote to memory of 1520  1532  10afa2f83f36d61d974a647f31f0fdc0c07d10236c9f49905f8c5e12bd10db91.exe  cmd.exe
  PID 1520 wrote to memory of 1244  1520  cmd.exe                                                                 PING.EXE
  PID 1520 wrote to memory of 1244  1520  cmd.exe                                                                 PING.EXE
  PID 1520 wrote to memory of 1244  1520  cmd.exe                                                                 PING.EXE
  PID 1520 wrote to memory of 1244  1520  cmd.exe                                                                 PING.EXE
Processes
C:\Users\Admin\AppData\Local\Temp\10afa2f83f36d61d974a647f31f0fdc0c07d10236c9f49905f8c5e12bd10db91.exe  (PID 1532)
  command line: "C:\Users\Admin\AppData\Local\Temp\10afa2f83f36d61d974a647f31f0fdc0c07d10236c9f49905f8c5e12bd10db91.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  (PID 1540)
    command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  C:\Windows\SysWOW64\cmd.exe  (PID 1520)
    command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\10afa2f83f36d61d974a647f31f0fdc0c07d10236c9f49905f8c5e12bd10db91.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\PING.EXE  (PID 1244)
      command line: ping 127.0.0.1
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: e4b7c781a4bbabb14e22dd87da83d4f5
SHA1: aba348f6c3f49496005d8c6609c962061bf51a8f
SHA256: c6a8f81a5c3c8da89c74169517d248109b7ef0b218459abce557cfd3d1fc8c13
SHA512: 08b6fbda6d38d5790459141bec38de824a914b7cb32b400b7179fdcbe91f54d04a14fbd184ef31e2f35464c8f0444202f1370f71e15a61a1236657940352513d