Analysis
- max time kernel: 139s
- max time network: 166s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 10:04
Static task
- static1
Behavioral task
- behavioral1
  Sample: 083a2d97765f86350addce28cb196b044dc0d37825cb31d847a30e76157b0890.exe
  Resource: win7-en-20211208
Behavioral task
- behavioral2
  Sample: 083a2d97765f86350addce28cb196b044dc0d37825cb31d847a30e76157b0890.exe
  Resource: win10v2004-en-20220113
General
- Target: 083a2d97765f86350addce28cb196b044dc0d37825cb31d847a30e76157b0890.exe
- Size: 79KB
- MD5: 90e5154d6fcffc1322b999ca16602517
- SHA1: 7a93a85f3d99b2e74b1bcf6d631bc1847bfbec3a
- SHA256: 083a2d97765f86350addce28cb196b044dc0d37825cb31d847a30e76157b0890
- SHA512: 3f1cf04c3c43d86eceb731b6cb9a47da3f3d459d10f24b357869791c563face4d618ac8d18600de12c49bcb3a3e2821fcdbbd987e6b7c7850c15afa52de4bd33
Malware Config
Signatures
- Sakula Payload (3 IoCs)
  Processes (resource, yara_rule):
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula
- Executes dropped EXE (1 IoCs)
  Processes (pid, process):
  776 MediaCenter.exe
- Deletes itself (1 IoCs)
  Processes (pid, process):
  1064 cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid, process):
  604 083a2d97765f86350addce28cb196b044dc0d37825cb31d847a30e76157b0890.exe
  604 083a2d97765f86350addce28cb196b044dc0d37825cb31d847a30e76157b0890.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes (description, ioc, process):
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" 083a2d97765f86350addce28cb196b044dc0d37825cb31d847a30e76157b0890.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes (description, pid, process):
  Token: SeIncBasePriorityPrivilege 604 083a2d97765f86350addce28cb196b044dc0d37825cb31d847a30e76157b0890.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description, pid, process, target process):
  PID 604 wrote to memory of 776 083a2d97765f86350addce28cb196b044dc0d37825cb31d847a30e76157b0890.exe MediaCenter.exe
  PID 604 wrote to memory of 776 083a2d97765f86350addce28cb196b044dc0d37825cb31d847a30e76157b0890.exe MediaCenter.exe
  PID 604 wrote to memory of 776 083a2d97765f86350addce28cb196b044dc0d37825cb31d847a30e76157b0890.exe MediaCenter.exe
  PID 604 wrote to memory of 776 083a2d97765f86350addce28cb196b044dc0d37825cb31d847a30e76157b0890.exe MediaCenter.exe
  PID 604 wrote to memory of 1064 083a2d97765f86350addce28cb196b044dc0d37825cb31d847a30e76157b0890.exe cmd.exe
  PID 604 wrote to memory of 1064 083a2d97765f86350addce28cb196b044dc0d37825cb31d847a30e76157b0890.exe cmd.exe
  PID 604 wrote to memory of 1064 083a2d97765f86350addce28cb196b044dc0d37825cb31d847a30e76157b0890.exe cmd.exe
  PID 604 wrote to memory of 1064 083a2d97765f86350addce28cb196b044dc0d37825cb31d847a30e76157b0890.exe cmd.exe
  PID 1064 wrote to memory of 1200 cmd.exe PING.EXE
  PID 1064 wrote to memory of 1200 cmd.exe PING.EXE
  PID 1064 wrote to memory of 1200 cmd.exe PING.EXE
  PID 1064 wrote to memory of 1200 cmd.exe PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\083a2d97765f86350addce28cb196b044dc0d37825cb31d847a30e76157b0890.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\083a2d97765f86350addce28cb196b044dc0d37825cb31d847a30e76157b0890.exe"
  PID: 604
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 776
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\083a2d97765f86350addce28cb196b044dc0d37825cb31d847a30e76157b0890.exe"
    PID: 1064
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (depth 3)
      Command line: ping 127.0.0.1
      PID: 1200
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 2706bd70741eb2e5e5f203028e342708
  SHA1: 54ca68ffe6dd470a9deebb59583b5b0674c6ab92
  SHA256: 3329b909c6738db060ee8a2fe6cd47d7269554fd8ff6c7935132ed58afdab1b2
  SHA512: 01883bd34e86478af2aed8ad54f7de2cfebbd5d18df131882912a0e4f545b7f85125b3a57d2d3843477ce84e0e0c5a5f5824fe1fa9c6534a4f73557e3c461b75
- \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 2706bd70741eb2e5e5f203028e342708
  SHA1: 54ca68ffe6dd470a9deebb59583b5b0674c6ab92
  SHA256: 3329b909c6738db060ee8a2fe6cd47d7269554fd8ff6c7935132ed58afdab1b2
  SHA512: 01883bd34e86478af2aed8ad54f7de2cfebbd5d18df131882912a0e4f545b7f85125b3a57d2d3843477ce84e0e0c5a5f5824fe1fa9c6534a4f73557e3c461b75
- memory/604-55-0x0000000075191000-0x0000000075193000-memory.dmp
  Filesize: 8KB