Analysis

max time kernel: 140s
max time network: 159s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 06:15

Tasks

Static task: static1
Behavioral task: behavioral1
  Sample: 107cf7da2b1ded6f1d83856a048ec21718062b7e11d58e508a376aab6be2caed.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 107cf7da2b1ded6f1d83856a048ec21718062b7e11d58e508a376aab6be2caed.exe
  Resource: win10v2004-en-20220113
General

Target: 107cf7da2b1ded6f1d83856a048ec21718062b7e11d58e508a376aab6be2caed.exe
Size: 100KB
MD5: 83220c0cee35496c83893a9ff99eadfc
SHA1: c7888a1c62ca973566f14c76c25c7d508d7a5b58
SHA256: 107cf7da2b1ded6f1d83856a048ec21718062b7e11d58e508a376aab6be2caed
SHA512: ee16ab75439c0bcdbeaa885a63c45ba1f2cb0b76f7cdaf430c2ffb407111789c4c4050cb895c5769239a072e0c957b5057f72467e20e5ebe7bc5a835fb985456
Malware Config
Signatures

Sakula Payload (3 IoCs)
YARA rule family_sakula matched on the dropped file (listed three times, in two path forms):
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

Executes dropped EXE (1 IoC)
  MediaCenter.exe, PID 320

Deletes itself (1 IoC)
  cmd.exe, PID 1056 (the del is issued by the child cmd.exe, but the file removed is the parent sample's own image; see the process tree below)

Loads dropped DLL (2 IoCs)
  107cf7da2b1ded6f1d83856a048ec21718062b7e11d58e508a376aab6be2caed.exe, PID 316 (two loads recorded)

Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str) by 107cf7da2b1ded6f1d83856a048ec21718062b7e11d58e508a376aab6be2caed.exe:
  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  The Wow6432Node path (and the SysWOW64 binaries in the process tree) show that the sample is a 32-bit executable running on the 64-bit Windows 7 host; on a 32-bit host the same write would land under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. The persistence target is the dropped MediaCenter.exe in the user's Temp directory, not the submitted sample, which deletes itself.

Enumerates physical storage devices (1 TTP)
  Sandbox description: attempts to interact with connected storage/optical drive(s); likely ransomware behaviour.
  That description is the generic text attached to this signature. Nothing else in this report (no file encryption, no ransom note, a family_sakula YARA match on the dropped payload) supports a ransomware reading; drive enumeration is also ordinary reconnaissance for a backdoor.

Runs ping.exe (1 TTP, 1 IoC)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  107cf7da2b1ded6f1d83856a048ec21718062b7e11d58e508a376aab6be2caed.exe, PID 316: Token SeIncBasePriorityPrivilege

Suspicious use of WriteProcessMemory (12 IoCs)
  PID 316 (107cf7da2b1ded6f1d83856a048ec21718062b7e11d58e508a376aab6be2caed.exe) wrote to PID 320 (MediaCenter.exe): 4 writes
  PID 316 (107cf7da2b1ded6f1d83856a048ec21718062b7e11d58e508a376aab6be2caed.exe) wrote to PID 1056 (cmd.exe): 4 writes
  PID 1056 (cmd.exe) wrote to PID 240 (PING.EXE): 4 writes
  Every write goes from a parent into a child it has just created, which is consistent with ordinary process start-up rather than injection into an unrelated process; the report records no write into a process outside this tree.
Processes

1. C:\Users\Admin\AppData\Local\Temp\107cf7da2b1ded6f1d83856a048ec21718062b7e11d58e508a376aab6be2caed.exe (PID 316)
   Command line: "C:\Users\Admin\AppData\Local\Temp\107cf7da2b1ded6f1d83856a048ec21718062b7e11d58e508a376aab6be2caed.exe"
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 320)
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE

   2. C:\Windows\SysWOW64\cmd.exe (PID 1056)
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\107cf7da2b1ded6f1d83856a048ec21718062b7e11d58e508a376aab6be2caed.exe"
      - Deletes itself
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\PING.EXE (PID 240)
         Command line: ping 127.0.0.1
         - Runs ping.exe

The cmd.exe child implements the self-deletion: ping 127.0.0.1 is used only as a delay so that the parent has exited (releasing its image file) before del /q removes it, and the loopback ping generates no network traffic that would show up in the Network section. The requested image C:\Windows\System32\cmd.exe appears as C:\Windows\SysWOW64\cmd.exe because the 32-bit parent is subject to file system redirection on the 64-bit host. After this step the only copy left on disk is MediaCenter.exe, started by PID 316 and re-launched at logon through the Run key.
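The two behaviours above that matter for detection, the ping-then-del self-deletion of the parent's own image and a Run key pointing into a user-writable Temp directory, can be written as a small triage pass over endpoint events. The following is an added example, not code from the original report or from any sandbox product: it runs over constructed process-creation and registry-set events that reproduce the PIDs, image paths, command lines and Run key shown on this page (the dict field names are our own, not a real sensor's schema), plus constructed benign control events that must not be flagged.

```python
import re

# Constructed events reproducing this report's process tree and Run key.
# Field names (pid, ppid, image, cmdline, key, value) are our own convention.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\107cf7da2b1ded6f1d83856a048ec21718062b7e11d58e508a376aab6be2caed.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

PROCESS_EVENTS = [
    {"pid": 316, "ppid": 1, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 320, "ppid": 316, "image": DROPPED, "cmdline": DROPPED},
    {"pid": 1056, "ppid": 316, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"'},
    {"pid": 240, "ppid": 1056, "image": r"C:\Windows\SysWOW64\PING.EXE", "cmdline": "ping 127.0.0.1"},
]
REGISTRY_EVENTS = [
    {"pid": 316,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "value": DROPPED},
]

# Constructed benign controls (hypothetical paths): a reachability check that
# uses ping without del, and a Run key pointing at an installed product.
BENIGN_PROCESS_EVENTS = [
    {"pid": 500, "ppid": 1, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": '"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & echo up'},
]
BENIGN_REGISTRY_EVENTS = [
    {"pid": 500, "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "value": r"C:\Program Files\Vendor\Updater.exe"},
]

# cmd.exe "/c ping <host> & del [switches] <file>": ping only serves as a sleep
# so the parent has exited before del runs against its image.
SELF_DELETE_RE = re.compile(
    r'\bping\b[^&|]*&+\s*del\b(?:\s+/\w+)*\s+"?(?P<target>[^"&|]+?)"?\s*$',
    re.IGNORECASE,
)
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.IGNORECASE)
# Directories any user can write to; a Run value pointing here is worth a look.
USER_WRITABLE_RE = re.compile(r"\\(?:AppData\\Local\\Temp|Temp|Users\\Public|ProgramData)\\", re.IGNORECASE)


def _norm(path):
    """Strip quotes and case so command-line paths compare with image paths."""
    return path.strip().strip('"').lower()


def find_self_deletion(events):
    """Flag cmd.exe children whose ping-then-del target is their parent's own image."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if not _norm(e["image"]).endswith("\\cmd.exe"):
            continue
        m = SELF_DELETE_RE.search(e["cmdline"])
        if not m:
            continue
        parent = by_pid.get(e["ppid"])
        target = _norm(m.group("target"))
        # Only a hit when the deleted file is the parent itself; deleting some
        # other file after a ping is a different (weaker) signal.
        if parent is not None and _norm(parent["image"]) == target:
            hits.append({"rule": "self_delete_via_ping", "pid": e["pid"],
                         "parent_pid": parent["pid"], "deleted": target})
    return hits


def find_temp_run_keys(reg_events):
    """Flag Run/RunOnce values whose command points into a user-writable drop directory."""
    return [
        {"rule": "run_key_to_user_writable_dir", "pid": r["pid"], "key": r["key"], "value": r["value"]}
        for r in reg_events
        if RUN_KEY_RE.search(r["key"]) and USER_WRITABLE_RE.search(r["value"])
    ]


def triage(process_events, registry_events):
    """All findings for one host: self-deletion hits first, then persistence hits."""
    return find_self_deletion(process_events) + find_temp_run_keys(registry_events)


if __name__ == "__main__":
    for hit in triage(PROCESS_EVENTS, REGISTRY_EVENTS):
        print(hit)
    print("benign findings:", triage(BENIGN_PROCESS_EVENTS, BENIGN_REGISTRY_EVENTS))
```

The self-deletion rule deliberately requires the parent/child link: `ping ... & del` on its own also appears in installers and update scripts, but a child cmd.exe deleting exactly its parent's image is the pattern this report shows. Both checks are path-based and would miss a sample that uses `timeout` instead of `ping`, or that persists under HKCU rather than the Wow6432Node HKLM key; extend the regexes rather than the logic for those cases.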
Network
MITRE ATT&CK Enterprise v6
Downloads

One dropped file is available (the same hash set was listed three times in the original). Its hashes differ from the submitted sample's, so this is a file written by the sample rather than the sample itself.

MD5: 5f18e2dbd6a620e159ab56f2064fb07f
SHA1: 24fe6efb397381667581378f06898c6dccecb3a8
SHA256: b3290278f430236331489b0bedc1835dd55eccfb6d7df3099a6503256677c904
SHA512: 909f40244c716d98e517697f2c312661ce31d5da164ff2b52dcee6144d04a8ba638e7c97b173fe474bba6186f3cde11277651b2446ef7f6f3ce2e63d799f261e