Analysis
max time kernel: 130s
max time network: 140s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 06:14
Static task: static1
Behavioral task: behavioral1
  Sample: 108269352e437295cb1784b399f592fc4b7c9e67ac581540b16aa9452de06776.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 108269352e437295cb1784b399f592fc4b7c9e67ac581540b16aa9452de06776.exe
  Resource: win10v2004-en-20220112
General
Target: 108269352e437295cb1784b399f592fc4b7c9e67ac581540b16aa9452de06776.exe
Size: 92KB
MD5: b83eaff287bfefe90c40b8964bb313ef
SHA1: 2092e4b5d38e3e2943ee5d135c27d87f190181c6
SHA256: 108269352e437295cb1784b399f592fc4b7c9e67ac581540b16aa9452de06776
SHA512: e9bae2121b952979f673c78631b596e3ceb1195ae4cd7382e41aafe7639b6641be37eb4e451ded3b95a114a72815ac5500f6b2c39b1a5ec9c045ca1c642d9a45
Malware Config
Signatures
Sakula Payload (2 IoCs)
  Processes:
    resource: \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe   yara_rule: family_sakula
    resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe   yara_rule: family_sakula
Executes dropped EXE (1 IoC)
  Processes:
    pid 656   process MediaCenter.exe
Deletes itself (1 IoC)
  Processes:
    pid 1992   process cmd.exe
Loads dropped DLL (1 IoC)
  Processes:
    pid 1684   process 108269352e437295cb1784b399f592fc4b7c9e67ac581540b16aa9452de06776.exe
Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    description: Set value (str)
    ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
    process: 108269352e437295cb1784b399f592fc4b7c9e67ac581540b16aa9452de06776.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Runs ping.exe (1 TTP, 1 IoC)
Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description: Token: SeIncBasePriorityPrivilege   pid 1684   process 108269352e437295cb1784b399f592fc4b7c9e67ac581540b16aa9452de06776.exe
Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
    PID 1684 (108269352e437295cb1784b399f592fc4b7c9e67ac581540b16aa9452de06776.exe) wrote to memory of PID 656 (MediaCenter.exe), 4 events
    PID 1684 (108269352e437295cb1784b399f592fc4b7c9e67ac581540b16aa9452de06776.exe) wrote to memory of PID 1992 (cmd.exe), 4 events
    PID 1992 (cmd.exe) wrote to memory of PID 1048 (PING.EXE), 4 events
Processes
1. C:\Users\Admin\AppData\Local\Temp\108269352e437295cb1784b399f592fc4b7c9e67ac581540b16aa9452de06776.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\108269352e437295cb1784b399f592fc4b7c9e67ac581540b16aa9452de06776.exe"
   PID: 1684
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      PID: 656
      - Executes dropped EXE
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\108269352e437295cb1784b399f592fc4b7c9e67ac581540b16aa9452de06776.exe"
      PID: 1992
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\PING.EXE
         Command line: ping 127.0.0.1
         PID: 1048
         - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: bca05f8f55154490588dc7cb28b8f98d
SHA1: fb845ad301c7807438bcaa2948613c7c5feeb125
SHA256: e485c74581135960cf548074c56f5b40c1cbd34afaed0d78b9f16bcd25ca1eb7
SHA512: 96c196703f7060c481cdc05b495734bf85efed6c6354624ecd25a91ed4233f318de8939788c298121bd2a154d5bd592ae2a50ce92000899a4a5036b5c6face0a