Analysis
max time kernel: 150s
max time network: 162s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 06:13
Static task: static1
Behavioral task: behavioral1
Sample: 108c647a1441c9868279a4c0156bc8b06666e93cce4b1c02886636d32e16f3bb.exe
Resource: win7-en-20211208
Behavioral task: behavioral2
Sample: 108c647a1441c9868279a4c0156bc8b06666e93cce4b1c02886636d32e16f3bb.exe
Resource: win10v2004-en-20220112
General
Target: 108c647a1441c9868279a4c0156bc8b06666e93cce4b1c02886636d32e16f3bb.exe
Size: 99KB
MD5: d83a405dabbfb12b36e1408dd44f1f6a
SHA1: a57543ef36bebb744e56d33afb540c9dadd8e154
SHA256: 108c647a1441c9868279a4c0156bc8b06666e93cce4b1c02886636d32e16f3bb
SHA512: 767357caafd333cc2d33cbb84acfe96c26e6347086cce1f0afc40030a728e58ea5524748c0a71382d1d18004f08bcd450d181b0dc449bb63d8fc835eacc60dbd
Malware Config
Signatures
- Sakula Payload (3 IoCs)
Processes:
resource | yara_rule
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- Executes dropped EXE (1 IoC)
Processes:
pid | process
268 | MediaCenter.exe
- Deletes itself (1 IoC)
Processes:
pid | process
1124 | cmd.exe
- Loads dropped DLL (2 IoCs)
Processes:
pid | process
1028 | 108c647a1441c9868279a4c0156bc8b06666e93cce4b1c02886636d32e16f3bb.exe
1028 | 108c647a1441c9868279a4c0156bc8b06666e93cce4b1c02886636d32e16f3bb.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 108c647a1441c9868279a4c0156bc8b06666e93cce4b1c02886636d32e16f3bb.exe
- Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
description | pid | process
Token: SeIncBasePriorityPrivilege | 1028 | 108c647a1441c9868279a4c0156bc8b06666e93cce4b1c02886636d32e16f3bb.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
description | pid | process | target process
PID 1028 wrote to memory of 268 | 1028 | 108c647a1441c9868279a4c0156bc8b06666e93cce4b1c02886636d32e16f3bb.exe | MediaCenter.exe
PID 1028 wrote to memory of 268 | 1028 | 108c647a1441c9868279a4c0156bc8b06666e93cce4b1c02886636d32e16f3bb.exe | MediaCenter.exe
PID 1028 wrote to memory of 268 | 1028 | 108c647a1441c9868279a4c0156bc8b06666e93cce4b1c02886636d32e16f3bb.exe | MediaCenter.exe
PID 1028 wrote to memory of 268 | 1028 | 108c647a1441c9868279a4c0156bc8b06666e93cce4b1c02886636d32e16f3bb.exe | MediaCenter.exe
PID 1028 wrote to memory of 1124 | 1028 | 108c647a1441c9868279a4c0156bc8b06666e93cce4b1c02886636d32e16f3bb.exe | cmd.exe
PID 1028 wrote to memory of 1124 | 1028 | 108c647a1441c9868279a4c0156bc8b06666e93cce4b1c02886636d32e16f3bb.exe | cmd.exe
PID 1028 wrote to memory of 1124 | 1028 | 108c647a1441c9868279a4c0156bc8b06666e93cce4b1c02886636d32e16f3bb.exe | cmd.exe
PID 1028 wrote to memory of 1124 | 1028 | 108c647a1441c9868279a4c0156bc8b06666e93cce4b1c02886636d32e16f3bb.exe | cmd.exe
PID 1124 wrote to memory of 660 | 1124 | cmd.exe | PING.EXE
PID 1124 wrote to memory of 660 | 1124 | cmd.exe | PING.EXE
PID 1124 wrote to memory of 660 | 1124 | cmd.exe | PING.EXE
PID 1124 wrote to memory of 660 | 1124 | cmd.exe | PING.EXE
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\108c647a1441c9868279a4c0156bc8b06666e93cce4b1c02886636d32e16f3bb.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\108c647a1441c9868279a4c0156bc8b06666e93cce4b1c02886636d32e16f3bb.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1028
  Level 2: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 268
  Level 2: C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\108c647a1441c9868279a4c0156bc8b06666e93cce4b1c02886636d32e16f3bb.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1124
    Level 3: C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 660
Network
MITRE ATT&CK Enterprise v6
Downloads (3 identical entries)
MD5: 47e063a3034d2a6d95265235483f93a3
SHA1: 5481153f4f651ffcab2bebe6400f91ec81bb04fd
SHA256: aee8701f735b9821b824a3b0ef8b5576a5d11382b514ceacf4393066f503e4c9
SHA512: 0cceed5629ab25d5be4d05bace7452dcbd72f3c045c83ef698b4a317e0b3d314042e670ff0844e78e4052d7388ef55509a5d95b91c882d74808c176679ba63e0