Analysis
-
max time kernel
128s -
max time network
183s -
platform
windows7_x64 -
resource
win7v20210408 -
submitted
24-09-2021 06:12
Static task
static1
Behavioral task
behavioral1
Sample
618733a0c26f169b157e50c683a327f836ef8db6f13d7d0b94f0dd432030eacf.exe
Resource
win7v20210408
Behavioral task
behavioral2
Sample
618733a0c26f169b157e50c683a327f836ef8db6f13d7d0b94f0dd432030eacf.exe
Resource
win10-en-20210920
General
-
Target
618733a0c26f169b157e50c683a327f836ef8db6f13d7d0b94f0dd432030eacf.exe
-
Size
517KB
-
MD5
c00d8e2e994ce0664b89481518c2376e
-
SHA1
8076dbd4cf89f4ddf0fa5f8f90b7664eca6312c2
-
SHA256
618733a0c26f169b157e50c683a327f836ef8db6f13d7d0b94f0dd432030eacf
-
SHA512
5b030171e3f3065ef47155c16225a0ab9e21fffce79037d6a37b4a35496df70967f752777562c4e22b7726aa0780489c2f5329cf07c2a02cfb6b82c96e059f62
Malware Config
Signatures
-
Sakula Payload 2 IoCs
Processes:
resource yara_rule \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula -
Executes dropped EXE 1 IoCs
Processes:
MediaCenter.exepid process 2000 MediaCenter.exe -
Deletes itself 1 IoCs
Processes:
cmd.exepid process 1468 cmd.exe -
Loads dropped DLL 1 IoCs
Processes:
618733a0c26f169b157e50c683a327f836ef8db6f13d7d0b94f0dd432030eacf.exepid process 1972 618733a0c26f169b157e50c683a327f836ef8db6f13d7d0b94f0dd432030eacf.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
618733a0c26f169b157e50c683a327f836ef8db6f13d7d0b94f0dd432030eacf.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" 618733a0c26f169b157e50c683a327f836ef8db6f13d7d0b94f0dd432030eacf.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
618733a0c26f169b157e50c683a327f836ef8db6f13d7d0b94f0dd432030eacf.exedescription pid process Token: SeIncBasePriorityPrivilege 1972 618733a0c26f169b157e50c683a327f836ef8db6f13d7d0b94f0dd432030eacf.exe -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
618733a0c26f169b157e50c683a327f836ef8db6f13d7d0b94f0dd432030eacf.execmd.exedescription pid process target process PID 1972 wrote to memory of 2000 1972 618733a0c26f169b157e50c683a327f836ef8db6f13d7d0b94f0dd432030eacf.exe MediaCenter.exe PID 1972 wrote to memory of 2000 1972 618733a0c26f169b157e50c683a327f836ef8db6f13d7d0b94f0dd432030eacf.exe MediaCenter.exe PID 1972 wrote to memory of 2000 1972 618733a0c26f169b157e50c683a327f836ef8db6f13d7d0b94f0dd432030eacf.exe MediaCenter.exe PID 1972 wrote to memory of 2000 1972 618733a0c26f169b157e50c683a327f836ef8db6f13d7d0b94f0dd432030eacf.exe MediaCenter.exe PID 1972 wrote to memory of 1468 1972 618733a0c26f169b157e50c683a327f836ef8db6f13d7d0b94f0dd432030eacf.exe cmd.exe PID 1972 wrote to memory of 1468 1972 618733a0c26f169b157e50c683a327f836ef8db6f13d7d0b94f0dd432030eacf.exe cmd.exe PID 1972 wrote to memory of 1468 1972 618733a0c26f169b157e50c683a327f836ef8db6f13d7d0b94f0dd432030eacf.exe cmd.exe PID 1972 wrote to memory of 1468 1972 618733a0c26f169b157e50c683a327f836ef8db6f13d7d0b94f0dd432030eacf.exe cmd.exe PID 1468 wrote to memory of 1740 1468 cmd.exe PING.EXE PID 1468 wrote to memory of 1740 1468 cmd.exe PING.EXE PID 1468 wrote to memory of 1740 1468 cmd.exe PING.EXE PID 1468 wrote to memory of 1740 1468 cmd.exe PING.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\618733a0c26f169b157e50c683a327f836ef8db6f13d7d0b94f0dd432030eacf.exe"C:\Users\Admin\AppData\Local\Temp\618733a0c26f169b157e50c683a327f836ef8db6f13d7d0b94f0dd432030eacf.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeC:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\618733a0c26f169b157e50c683a327f836ef8db6f13d7d0b94f0dd432030eacf.exe"2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.13⤵
- Runs ping.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeMD5
6fb01a3fa8a8a04b30e5777cb0056ce1
SHA167590a2093b2e5b8e9d57d78ed9efc90dad394d1
SHA2565f26f9e834d67124c819d9f94caa9067b850b39b29c6e5bbf1d40a5ed21aa282
SHA5121fadf067b4ad46d6ab4c0c543e371ba506921dcc4639f00f81da11b3fb92dcedeae2e5e65f7171de145099de7e5de1f79a8e1158aca05709fa831bf3f2b39f3c
-
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeMD5
6fb01a3fa8a8a04b30e5777cb0056ce1
SHA167590a2093b2e5b8e9d57d78ed9efc90dad394d1
SHA2565f26f9e834d67124c819d9f94caa9067b850b39b29c6e5bbf1d40a5ed21aa282
SHA5121fadf067b4ad46d6ab4c0c543e371ba506921dcc4639f00f81da11b3fb92dcedeae2e5e65f7171de145099de7e5de1f79a8e1158aca05709fa831bf3f2b39f3c
-
memory/1468-64-0x0000000000000000-mapping.dmp
-
memory/1740-65-0x0000000000000000-mapping.dmp
-
memory/1972-59-0x0000000076A01000-0x0000000076A03000-memory.dmpFilesize
8KB
-
memory/2000-61-0x0000000000000000-mapping.dmp