Analysis
max time kernel: 4294203s
max time network: 149s
platform: windows7_x64
resource: win7-20220311-en
submitted: 23-03-2022 09:33
Static task: static1
Behavioral task: behavioral1
  Sample: fa78da80bfee18732ee6ffb55b9fa8322f3310723273f782fc52f6e9c87b397f.exe
  Resource: win7-20220311-en
Behavioral task: behavioral2
  Sample: fa78da80bfee18732ee6ffb55b9fa8322f3310723273f782fc52f6e9c87b397f.exe
  Resource: win10v2004-en-20220113
General
Target: fa78da80bfee18732ee6ffb55b9fa8322f3310723273f782fc52f6e9c87b397f.exe
Size: 104KB
MD5: 39355c04cb738da59753caccf1bd4dd5
SHA1: c8a84f08c89965c7719d0207ca9ba6bc89da15d1
SHA256: fa78da80bfee18732ee6ffb55b9fa8322f3310723273f782fc52f6e9c87b397f
SHA512: 8d91282e663ff4e72a49eaecdce8173d240fcad6d8bb265aa01dc6760e65b9441f226c79b8056c1b21d3d1912abdd05cf8ae55bb5ca593cfa89b1ecf36e25248
Malware Config
Signatures

Sakula Payload (3 IoCs)
  resource                                      yara_rule
  behavioral1/files/0x000700000001436b-58.dat   family_sakula
  behavioral1/files/0x000700000001436b-56.dat   family_sakula
  behavioral1/files/0x000700000001436b-55.dat   family_sakula
Executes dropped EXE (1 IoC)
Processes:
  pid    Process
  1664   MediaCenter.exe
Deletes itself (1 IoC)
Processes:
  pid    Process
  2004   cmd.exe
Loads dropped DLL (2 IoCs)
Processes:
  pid    Process
  964    fa78da80bfee18732ee6ffb55b9fa8322f3310723273f782fc52f6e9c87b397f.exe
  964    fa78da80bfee18732ee6ffb55b9fa8322f3310723273f782fc52f6e9c87b397f.exe
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  description       ioc                                                                                                                                                              Process
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"   fa78da80bfee18732ee6ffb55b9fa8322f3310723273f782fc52f6e9c87b397f.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTP, 1 IoC)
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  description                          pid    Process
  Token: SeIncBasePriorityPrivilege    964    fa78da80bfee18732ee6ffb55b9fa8322f3310723273f782fc52f6e9c87b397f.exe
Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
  description                          pid    Process                                                                  procid_target
  PID 964 wrote to memory of 1664      964    fa78da80bfee18732ee6ffb55b9fa8322f3310723273f782fc52f6e9c87b397f.exe    27
  PID 964 wrote to memory of 1664      964    fa78da80bfee18732ee6ffb55b9fa8322f3310723273f782fc52f6e9c87b397f.exe    27
  PID 964 wrote to memory of 1664      964    fa78da80bfee18732ee6ffb55b9fa8322f3310723273f782fc52f6e9c87b397f.exe    27
  PID 964 wrote to memory of 1664      964    fa78da80bfee18732ee6ffb55b9fa8322f3310723273f782fc52f6e9c87b397f.exe    27
  PID 964 wrote to memory of 2004      964    fa78da80bfee18732ee6ffb55b9fa8322f3310723273f782fc52f6e9c87b397f.exe    30
  PID 964 wrote to memory of 2004      964    fa78da80bfee18732ee6ffb55b9fa8322f3310723273f782fc52f6e9c87b397f.exe    30
  PID 964 wrote to memory of 2004      964    fa78da80bfee18732ee6ffb55b9fa8322f3310723273f782fc52f6e9c87b397f.exe    30
  PID 964 wrote to memory of 2004      964    fa78da80bfee18732ee6ffb55b9fa8322f3310723273f782fc52f6e9c87b397f.exe    30
  PID 2004 wrote to memory of 1972     2004   cmd.exe                                                                  32
  PID 2004 wrote to memory of 1972     2004   cmd.exe                                                                  32
  PID 2004 wrote to memory of 1972     2004   cmd.exe                                                                  32
  PID 2004 wrote to memory of 1972     2004   cmd.exe                                                                  32
Processes (tree; numbers give the depth in the process tree)

1. C:\Users\Admin\AppData\Local\Temp\fa78da80bfee18732ee6ffb55b9fa8322f3310723273f782fc52f6e9c87b397f.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\fa78da80bfee18732ee6ffb55b9fa8322f3310723273f782fc52f6e9c87b397f.exe"
   PID: 964
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      PID: 1664
      - Executes dropped EXE

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\fa78da80bfee18732ee6ffb55b9fa8322f3310723273f782fc52f6e9c87b397f.exe"
      PID: 2004
      - Deletes itself
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\PING.EXE
         Command line: ping 127.0.0.1
         PID: 1972
         - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads (3 entries; all three carry identical hashes)
MD5: 7ed08b450678e5286f74895740c21b20
SHA1: 590c9622c03542ea3ae0ff9700635f0679fee8aa
SHA256: 6c728d0d946ae8b6f77b04f16fb88cb2597348537fa40e44333f1b090c255cb8
SHA512: 252ac26a9f75434e70f97c49360db796d141433b7657f78800e32c6e3eaff5f38dd681e13cec02d77bc94475019dc4dff1e90c4291c622fd01fdd0b9ca5f96a9