Analysis
- max time kernel: 117s
- max time network: 133s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 06:11
Static task: static1
Behavioral task: behavioral1
- Sample: 10a6d672cba59c5d5ede4625fbf2ed40965abd29716ff3a599f387a2542954e3.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 10a6d672cba59c5d5ede4625fbf2ed40965abd29716ff3a599f387a2542954e3.exe
- Resource: win10v2004-en-20220112
General
- Target: 10a6d672cba59c5d5ede4625fbf2ed40965abd29716ff3a599f387a2542954e3.exe
- Size: 101KB
- MD5: 67dcb9338e553d2f4877c4883693bd61
- SHA1: 85f591c0878dd4280c61ac1c7ba07ea4555e439c
- SHA256: 10a6d672cba59c5d5ede4625fbf2ed40965abd29716ff3a599f387a2542954e3
- SHA512: 5b79423534c84ca32354463604d8ffb0e0d1503cf4b66a9df00a3676a6662a95f1e0d6716856cbd300ef579351995853072f22d74eef896d79bb72a9bb865965
Malware Config
Signatures
- Sakula Payload (3 IoCs)
  resource                                                      yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe    family_sakula
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe    family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  family_sakula
- Executes dropped EXE (1 IoC)
  pid   process
  1636  MediaCenter.exe
- Deletes itself (1 IoC)
  pid   process
  1836  cmd.exe
- Loads dropped DLL (2 IoCs)
  pid   process
  1572  10a6d672cba59c5d5ede4625fbf2ed40965abd29716ff3a599f387a2542954e3.exe
  1572  10a6d672cba59c5d5ede4625fbf2ed40965abd29716ff3a599f387a2542954e3.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  process: 10a6d672cba59c5d5ede4625fbf2ed40965abd29716ff3a599f387a2542954e3.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic signature text describes this as likely ransomware behaviour; that is a heuristic, not a classification, and the payload itself is identified as Sakula by the YARA rule above.
- Runs ping.exe (1 TTPs, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description                         pid   process
  Token: SeIncBasePriorityPrivilege   1572  10a6d672cba59c5d5ede4625fbf2ed40965abd29716ff3a599f387a2542954e3.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  pid   process                                                                 target pid  target process   events
  1572  10a6d672cba59c5d5ede4625fbf2ed40965abd29716ff3a599f387a2542954e3.exe  1636        MediaCenter.exe  4
  1572  10a6d672cba59c5d5ede4625fbf2ed40965abd29716ff3a599f387a2542954e3.exe  1836        cmd.exe          4
  1836  cmd.exe                                                                 1820        PING.EXE         4
Processes
1. C:\Users\Admin\AppData\Local\Temp\10a6d672cba59c5d5ede4625fbf2ed40965abd29716ff3a599f387a2542954e3.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\10a6d672cba59c5d5ede4625fbf2ed40965abd29716ff3a599f387a2542954e3.exe"
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   PID: 1572
   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE
      PID: 1636
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\10a6d672cba59c5d5ede4625fbf2ed40965abd29716ff3a599f387a2542954e3.exe"
      (The command line names System32 but the image runs from SysWOW64: the sample is a 32-bit process, as the Wow6432Node Run key also shows, so its request is redirected by WOW64 file system redirection. A detection that matches the image path against the command line will not agree here.)
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      PID: 1836
      3. C:\Windows\SysWOW64\PING.EXE
         Command line: ping 127.0.0.1
         - Runs ping.exe
         PID: 1820
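The two behaviours in the tree above, the Run key pointing into the user's Temp directory and the `cmd.exe /c ping 127.0.0.1 & del /q "<self>"` chain, are both straightforward to catch from process-creation and registry telemetry. The ping is only a crude sleep so that the parent has exited and released its file lock before `del` runs. The following is an added example and not part of the sandbox report: detection logic in Python run over Sysmon-style events constructed from the report's Run key and cmd.exe command line, plus two constructed benign controls. It generalises slightly beyond the report by also accepting RunOnce keys, a `-n <count>` on the ping and `&&` chaining; the event field names and the rule names are assumptions.

```python
"""Detection logic for two behaviours in the report above: a Run key whose target
lives under a user's AppData tree, and the cmd.exe "ping <loopback> & del" self-
deletion idiom. Added example, not sandbox code; EVENTS are constructed from the
report's process tree and registry IoC in a Sysmon-like shape (EID 13 / EID 1)."""
import re
from typing import Optional

# Path of the submitted sample, taken from the report's process tree.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\10a6d672cba59c5d5ede4625fbf2ed40965abd29716ff3a599f387a2542954e3.exe")

# Constructed events (not exported from the sandbox). The last two are benign
# controls: a vendor autorun under Program Files and a ping with no del.
EVENTS = [
    {"event": "registry_set", "pid": 1572, "image": SAMPLE,
     "key": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "value": r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"},
    {"event": "process_create", "pid": 1836, "parent_pid": 1572, "parent_image": SAMPLE,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "%s"' % SAMPLE},
    {"event": "registry_set", "pid": 900, "image": r"C:\Windows\explorer.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "value": r'"C:\Program Files\Vendor\Updater.exe" /background'},
    {"event": "process_create", "pid": 2000, "parent_pid": 1500,
     "parent_image": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 4'},
]

RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.I)
# Anything under <drive>:\Users\<user>\AppData\ is writable without admin rights
# and is an unusual home for a legitimate autostart binary.
USER_APPDATA_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\", re.I)
# ping <loopback>, optionally with -n <count> on either side, then & or && del ...
PING_DEL_RE = re.compile(
    r"\bping(?:\.exe)?\s+(?:-n\s+\d+\s+)?(?:127\.0\.0\.1|localhost|::1)(?:\s+-n\s+\d+)?"
    r"\s*&+\s*del\b(?P<args>.*)$", re.I)
# del switches (/q, /f, ...) followed by an optionally quoted path.
DEL_TARGET_RE = re.compile(r'(?:/[a-z]\s+)*"?([^"&]+?)"?\s*$', re.I)


def autorun_target(value: str) -> str:
    """Executable path from a Run value: strip quotes and trailing arguments.
    An unquoted path containing spaces is truncated at the first space."""
    value = value.strip()
    if value.startswith('"'):
        return value[1:].split('"', 1)[0]
    return value.split(" ", 1)[0]


def check_run_key(ev: dict) -> Optional[dict]:
    """Flag a Run/RunOnce value whose target lives under a user's AppData tree."""
    if ev["event"] != "registry_set" or not RUN_KEY_RE.search(ev["key"]):
        return None
    target = autorun_target(ev["value"])
    if not USER_APPDATA_RE.match(target):
        return None
    return {"rule": "run_key_user_appdata", "pid": ev["pid"],
            "key": ev["key"], "target": target}


def check_self_delete(ev: dict) -> Optional[dict]:
    """Flag cmd.exe running 'ping <loopback> & del <parent image>'.
    The ping is a crude sleep so the parent has exited (releasing its file lock)
    by the time del runs; requiring the del target to equal the parent's image
    path separates self-deletion from cleanup scripts that happen to ping."""
    if ev["event"] != "process_create" or not ev["image"].lower().endswith("\\cmd.exe"):
        return None
    m = PING_DEL_RE.search(ev["cmdline"])
    if not m:
        return None
    t = DEL_TARGET_RE.match(m.group("args").strip())
    if not t or t.group(1).strip().lower() != ev["parent_image"].lower():
        return None
    return {"rule": "ping_delay_self_delete", "pid": ev["pid"],
            "parent_pid": ev["parent_pid"], "deleted": t.group(1).strip()}


def scan(events: list) -> list:
    """Run every check over every event and collect the hits in event order."""
    hits = []
    for ev in events:
        for check in (check_run_key, check_self_delete):
            hit = check(ev)
            if hit:
                hits.append(hit)
    return hits


if __name__ == "__main__":
    for hit in scan(EVENTS):
        print(hit)
```

Run against the constructed events, `scan` returns exactly two hits, both attributable to PID 1572: the Run value under `AppData\Local\Temp` and the cmd.exe child whose `del` target is the parent's own image. The benign autorun and the bare loopback ping produce nothing. Comparing the `del` target with the parent image path, rather than alerting on any `ping & del`, is what keeps the rule quiet on ordinary batch cleanup.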
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: ae9e5d09961d8b55c75420905777f0a2
  SHA1: 310f507edd385eade58df5493c738ced26d4d536
  SHA256: 6abc429b8e41844ced9c478ca810cb11db93175f431e0088b016d77549488d5b
  SHA512: 33f458f29fd3355bf1af945c4ba77c71bddfa64e706f1776de4ff13476a097153f75862f30889abebd8ffc7295e47e6f7b0409ba047e717730f1f3e0fcdb25b9