Analysis
- max time kernel: 143s
- max time network: 165s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 12:18
Static task: static1
Behavioral task: behavioral1
  Sample: 01ec9fd8625be6f43ef086441d1e08ba6fd0ddf093383e4488287bc8c1cad2c2.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 01ec9fd8625be6f43ef086441d1e08ba6fd0ddf093383e4488287bc8c1cad2c2.exe
  Resource: win10v2004-en-20220112
General
- Target: 01ec9fd8625be6f43ef086441d1e08ba6fd0ddf093383e4488287bc8c1cad2c2.exe
- Size: 80KB
- MD5: c81e526c5c1fda71c660d65519ab2732
- SHA1: a79a683ac5df1b0a43bf5b41a31b78a6de9e27ae
- SHA256: 01ec9fd8625be6f43ef086441d1e08ba6fd0ddf093383e4488287bc8c1cad2c2
- SHA512: b80f220beaaec6061223026d3ba3a68932fcd2aaf1d3d65710c5d9130e63b7e1ea6bed65339ff7a925d210e529698bb1e7aecf4a105369e40c33cedb2285fad6
Malware Config
Signatures
- Sakula Payload (3 IoCs)
  resource | yara_rule
  behavioral1/files/0x00080000000121f5-56.dat | family_sakula
  behavioral1/files/0x00080000000121f5-57.dat | family_sakula
  behavioral1/files/0x00080000000121f5-58.dat | family_sakula
- Executes dropped EXE (1 IoC)
  pid | Process
  1736 | MediaCenter.exe
- Deletes itself (1 IoC)
  pid | Process
  928 | cmd.exe
- Loads dropped DLL (2 IoCs)
  pid | Process
  1548 | 01ec9fd8625be6f43ef086441d1e08ba6fd0ddf093383e4488287bc8c1cad2c2.exe
  1548 | 01ec9fd8625be6f43ef086441d1e08ba6fd0ddf093383e4488287bc8c1cad2c2.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 01ec9fd8625be6f43ef086441d1e08ba6fd0ddf093383e4488287bc8c1cad2c2.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
  pid | Process
  1696 | PING.EXE
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | Process
  Token: SeIncBasePriorityPrivilege | 1548 | 01ec9fd8625be6f43ef086441d1e08ba6fd0ddf093383e4488287bc8c1cad2c2.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  description | pid | Process | procid_target
  PID 1548 wrote to memory of 1736 | 1548 | 01ec9fd8625be6f43ef086441d1e08ba6fd0ddf093383e4488287bc8c1cad2c2.exe | 27
  PID 1548 wrote to memory of 1736 | 1548 | 01ec9fd8625be6f43ef086441d1e08ba6fd0ddf093383e4488287bc8c1cad2c2.exe | 27
  PID 1548 wrote to memory of 1736 | 1548 | 01ec9fd8625be6f43ef086441d1e08ba6fd0ddf093383e4488287bc8c1cad2c2.exe | 27
  PID 1548 wrote to memory of 1736 | 1548 | 01ec9fd8625be6f43ef086441d1e08ba6fd0ddf093383e4488287bc8c1cad2c2.exe | 27
  PID 1548 wrote to memory of 928 | 1548 | 01ec9fd8625be6f43ef086441d1e08ba6fd0ddf093383e4488287bc8c1cad2c2.exe | 30
  PID 1548 wrote to memory of 928 | 1548 | 01ec9fd8625be6f43ef086441d1e08ba6fd0ddf093383e4488287bc8c1cad2c2.exe | 30
  PID 1548 wrote to memory of 928 | 1548 | 01ec9fd8625be6f43ef086441d1e08ba6fd0ddf093383e4488287bc8c1cad2c2.exe | 30
  PID 1548 wrote to memory of 928 | 1548 | 01ec9fd8625be6f43ef086441d1e08ba6fd0ddf093383e4488287bc8c1cad2c2.exe | 30
  PID 928 wrote to memory of 1696 | 928 | cmd.exe | 32
  PID 928 wrote to memory of 1696 | 928 | cmd.exe | 32
  PID 928 wrote to memory of 1696 | 928 | cmd.exe | 32
  PID 928 wrote to memory of 1696 | 928 | cmd.exe | 32
Processes
- C:\Users\Admin\AppData\Local\Temp\01ec9fd8625be6f43ef086441d1e08ba6fd0ddf093383e4488287bc8c1cad2c2.exe (PID 1548, level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\01ec9fd8625be6f43ef086441d1e08ba6fd0ddf093383e4488287bc8c1cad2c2.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 1736, level 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 928, level 2)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\01ec9fd8625be6f43ef086441d1e08ba6fd0ddf093383e4488287bc8c1cad2c2.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 1696, level 3)
      Command line: ping 127.0.0.1
      - Runs ping.exe