Analysis
max time kernel: 140s
max time network: 150s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 06:15
Static task: static1
Behavioral task: behavioral1
  Sample: 107d723151c6039c0bf8417779a88b1250c1bf122a14602d4f03739eeb2cc332.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 107d723151c6039c0bf8417779a88b1250c1bf122a14602d4f03739eeb2cc332.exe
  Resource: win10v2004-en-20220113
General
Target: 107d723151c6039c0bf8417779a88b1250c1bf122a14602d4f03739eeb2cc332.exe
Size: 220KB
MD5: 267f0107dfd5deea4187a79dbe3676f0
SHA1: 838d9d2d285c90cbcdc9dca3583d8e2491680af0
SHA256: 107d723151c6039c0bf8417779a88b1250c1bf122a14602d4f03739eeb2cc332
SHA512: 6b8ec8d0865a375407e98a99fbd2d045de1fbc5b9d79b41e63ed19e28cba9d5ed6e8690d019855199452b8c80760f3e7ecdd3c1268ad2f5f105b209031640b7d
Malware Config
Signatures
Sakula Payload (4 IoCs)
  resource                                                                       yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe                     family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe                   family_sakula
  behavioral1/memory/1712-58-0x0000000000400000-0x0000000000420000-memory.dmp    family_sakula
  behavioral1/memory/1892-59-0x0000000000400000-0x0000000000420000-memory.dmp    family_sakula
  The first two rows are the same dropped file recorded with and without its drive letter. The two memory dumps cover the same 0x400000-0x420000 image range in the dropper (PID 1712) and in the dropped MediaCenter.exe (PID 1892), so the Sakula rule matches the unpacked image of both processes, not only the file on disk.
Executes dropped EXE (1 IoC)
  pid   process
  1892  MediaCenter.exe
Deletes itself (1 IoC)
  pid   process
  1836  cmd.exe
Loads dropped DLL (1 IoC)
  pid   process
  1712  107d723151c6039c0bf8417779a88b1250c1bf122a14602d4f03739eeb2cc332.exe
Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  process: 107d723151c6039c0bf8417779a88b1250c1bf122a14602d4f03739eeb2cc332.exe (PID 1712)
  The Wow6432Node path shows a 32-bit process writing the machine-wide Run key on a 64-bit host through registry redirection; from a 32-bit view the same value appears as HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroMedia, so hunts should query both views. The value points at an executable under the user's Temp directory, which is the persistence indicator worth alerting on regardless of the value name.
Enumerates physical storage devices (1 TTP)
  Generic signature description: attempts to interact with connected storage/optical drive(s); the sandbox labels this as likely ransomware behaviour. No IoC row is listed for it here, and the YARA hits above classify the sample as Sakula, a remote-access trojan rather than ransomware, so treat the ransomware heuristic as unconfirmed for this run.
Runs ping.exe (1 TTP, 1 IoC)
  The process row for this signature is not reproduced in this report; the ping invocation is visible in the process tree below (PID 1640).
Suspicious use of AdjustPrivilegeToken (1 IoC)
  description                         pid   process
  Token: SeIncBasePriorityPrivilege   1712  107d723151c6039c0bf8417779a88b1250c1bf122a14602d4f03739eeb2cc332.exe
  SeIncBasePriorityPrivilege only permits raising a process's scheduling priority; enabling it is low-signal on its own and is listed here for completeness.
Suspicious use of WriteProcessMemory (12 IoCs)
  pid   target pid   process                                                                  target process   count
  1712  1892         107d723151c6039c0bf8417779a88b1250c1bf122a14602d4f03739eeb2cc332.exe    MediaCenter.exe  4
  1712  1836         107d723151c6039c0bf8417779a88b1250c1bf122a14602d4f03739eeb2cc332.exe    cmd.exe          4
  1836  1640         cmd.exe                                                                  PING.EXE         4
  The three targets are exactly the child processes in the tree below and each pair is logged four times at launch, which is consistent with ordinary child-process creation rather than injection into an unrelated process. This signature alone should not be read as evidence of process injection here.
Processes
1. C:\Users\Admin\AppData\Local\Temp\107d723151c6039c0bf8417779a88b1250c1bf122a14602d4f03739eeb2cc332.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\107d723151c6039c0bf8417779a88b1250c1bf122a14602d4f03739eeb2cc332.exe"
   PID: 1712
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      PID: 1892
      - Executes dropped EXE
   2. C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\107d723151c6039c0bf8417779a88b1250c1bf122a14602d4f03739eeb2cc332.exe"
      PID: 1836
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\PING.EXE
         command line: ping 127.0.0.1
         PID: 1640
         - Runs ping.exe
The tree reads as dropper, payload, clean-up: the sample writes MicroMedia\MediaCenter.exe, launches it, and then spawns cmd.exe to delete its own file. The ping is not network activity in any meaningful sense; a loopback ping with the default four echo requests takes roughly three seconds and serves as a sleep so that the dropper has exited and released its file handle before del runs. The command line names System32\cmd.exe while the executed image is SysWOW64\cmd.exe because the 32-bit parent is subject to file system redirection; detection rules keyed on the image path need to allow for both.
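Two of the behaviours in this tree are the ones a detection engineer would carry into host telemetry: the Run value written under HKLM\...\CurrentVersion\Run\MicroMedia that points at an executable in the user's Temp folder, and the cmd.exe /c ping 127.0.0.1 & del /q clean-up of the dropper. The Python below is an added example written for this page, not code from the sandbox or from the Sakula sample. It models process-creation and registry-value-set events in a simplified Sysmon style (event IDs 1 and 13; the field names are this example's own, not the sandbox's schema), with constructed events that mirror the PIDs and paths above plus an invented parent PID 1000 and two invented benign events to show that the filters do not over-fire.

```python
"""Hunting logic derived from the report above: (1) a Run/RunOnce value whose
data points into a user-writable directory, and (2) a cmd.exe whose command
line chains `ping … & del` to delete its parent's own image.

Events are constructed for this example in a simplified Sysmon-style model
(EID 1 = process create, EID 13 = registry value set); they are not real logs.
"""
import re
from dataclasses import dataclass


@dataclass
class Event:
    event_id: int            # Sysmon numbering: 1 process create, 13 registry value set
    pid: int
    ppid: int
    image: str               # full path of the process that generated the event
    command_line: str = ""   # EID 1 only
    target_object: str = ""  # EID 13 only: registry path of the value written
    details: str = ""        # EID 13 only: data written to the value


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\107d723151c6039c0bf8417779a88b1250c1bf122a14602d4f03739eeb2cc332.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

# Constructed telemetry mirroring the report's PIDs and paths. ppid 1000 and the
# two benign control events at the end are invented for this example.
SAMPLE_EVENTS = [
    Event(1, 1712, 1000, SAMPLE, command_line=f'"{SAMPLE}"'),
    Event(13, 1712, 1000, SAMPLE,
          target_object=r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
          details=DROPPED),
    Event(1, 1892, 1712, DROPPED, command_line=DROPPED),
    Event(1, 1836, 1712, r"C:\Windows\SysWOW64\cmd.exe",
          command_line=f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"'),
    Event(1, 1640, 1836, r"C:\Windows\SysWOW64\PING.EXE", command_line="ping 127.0.0.1"),
    # Benign controls: a vendor agent registering under Program Files, and a plain ping.
    Event(13, 2000, 1000, r"C:\Program Files\Vendor\setup.exe",
          target_object=r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
          details=r"C:\Program Files\Vendor\agent.exe"),
    Event(1, 2100, 2000, r"C:\Windows\System32\cmd.exe", command_line="cmd.exe /c ping 10.0.0.1 -n 2"),
]

# Run and RunOnce under either the native or the Wow6432Node view of HKLM/HKCU.
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.I)
# Locations a standard user can write to; a Run value pointing here is the real signal.
USER_WRITABLE_RE = re.compile(
    r"^(?:[A-Z]:\\Users\\[^\\]+\\AppData\\(?:Local|Roaming)\\|[A-Z]:\\ProgramData\\"
    r"|%(?:TEMP|TMP|APPDATA|LOCALAPPDATA)%)", re.I)
# `ping <anything> & del`, `&& del` or `| del`: ping used as a sleep before deletion.
SELF_DELETE_RE = re.compile(r"\bping\b[^&|]*[&|]+\s*(?:del|erase)\b", re.I)
DEL_TARGET_RE = re.compile(r'\b(?:del|erase)\b[^"]*"([^"]+)"', re.I)


def run_key_to_user_path(events):
    """Return (pid, value_name, data) for Run/RunOnce values whose data lies in a user-writable path."""
    hits = []
    for e in events:
        if e.event_id != 13 or not RUN_KEY_RE.search(e.target_object):
            continue
        data = e.details.strip().strip('"')
        if USER_WRITABLE_RE.match(data):
            hits.append((e.pid, e.target_object.rsplit("\\", 1)[-1], e.details))
    return hits


def self_delete_chains(events):
    """Return (cmd_pid, parent_pid, deleted_path, deletes_parent) for every cmd.exe
    running a ping-then-del chain. deletes_parent is True when the deleted file is
    the parent process's own image, i.e. the dropper clean-up seen in the report."""
    by_pid = {e.pid: e for e in events if e.event_id == 1}
    hits = []
    for e in events:
        if e.event_id != 1 or not e.image.lower().endswith("\\cmd.exe"):
            continue
        if not SELF_DELETE_RE.search(e.command_line):
            continue
        m = DEL_TARGET_RE.search(e.command_line)
        target = m.group(1) if m else None
        parent = by_pid.get(e.ppid)
        deletes_parent = bool(target and parent and target.lower() == parent.image.lower())
        hits.append((e.pid, e.ppid, target, deletes_parent))
    return hits


if __name__ == "__main__":
    for hit in run_key_to_user_path(SAMPLE_EVENTS):
        print("Run key -> user-writable path:", hit)
    for hit in self_delete_chains(SAMPLE_EVENTS):
        print("ping-then-del chain:", hit)
```

Both filters key on content rather than on names the malware controls: the Run-key rule ignores the value name (MicroMedia here) and looks at where the data points, and the self-delete rule matches the ping-then-del shape of the command line whatever the ping target or -n count, then checks the deleted path against the parent's image so a generic script that happens to ping and delete a temp file is reported with deletes_parent set to False rather than silently dropped.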
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: 0995339b98937fa13c71ca49aa047d35
SHA1: cc617c1568b97288ffdb7b30750b60160857481f
SHA256: 28e9a94210ed1eb516b374eff04aa5aefcb57c73588566b92eede50ee5e204a7
SHA512: d71fea4de587bfdeb053ac540fce2a3ce0ee26b7bf2cc8b3119217af4d72c8279fbc1f03137ead5de801a3676c346a102bf5eb229d25327d42e6c03582d802f0
These hashes differ from the submitted sample's (MD5 267f0107dfd5deea4187a79dbe3676f0), so the downloadable artifact is a separate file produced during the run; the report does not state which one, so do not list it as the dropper's hash.