Analysis
- max time kernel: 150s
- max time network: 169s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 10:09
Static task: static1

Behavioral task: behavioral1
Sample: 07f4bd795b0ccea1c9f2e29b9460b5d93c66af11ceca3fd880580f656d4c690c.exe
Resource: win7-en-20211208

Behavioral task: behavioral2
Sample: 07f4bd795b0ccea1c9f2e29b9460b5d93c66af11ceca3fd880580f656d4c690c.exe
Resource: win10v2004-en-20220113
General
- Target: 07f4bd795b0ccea1c9f2e29b9460b5d93c66af11ceca3fd880580f656d4c690c.exe
- Size: 92KB
- MD5: 041751e064912a021e025e141e1ce1bd
- SHA1: 738a27708d6e6231980c73f61ac841b8d57fb438
- SHA256: 07f4bd795b0ccea1c9f2e29b9460b5d93c66af11ceca3fd880580f656d4c690c
- SHA512: 2293e7516e2602e4a3a9da3adf4e86f3e74371fd06e0ee5796f041519859cd4f3bd0f16052914e433815da751dd97ebab6724596b240a3d24090aa77f9cccb0c
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  Processes (resource, yara_rule):
    \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe    family_sakula
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  family_sakula

- Executes dropped EXE (1 IoCs)
  Processes (pid, process):
    736  MediaCenter.exe

- Deletes itself (1 IoCs)
  Processes (pid, process):
    284  cmd.exe

- Loads dropped DLL (1 IoCs)
  Processes (pid, process):
    1612  07f4bd795b0ccea1c9f2e29b9460b5d93c66af11ceca3fd880580f656d4c690c.exe

- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes (description, ioc, process):
    Set value (str)
    \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
    07f4bd795b0ccea1c9f2e29b9460b5d93c66af11ceca3fd880580f656d4c690c.exe

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Runs ping.exe (1 TTPs, 1 IoCs)

- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes (description, pid, process):
    Token: SeIncBasePriorityPrivilege  1612  07f4bd795b0ccea1c9f2e29b9460b5d93c66af11ceca3fd880580f656d4c690c.exe

- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description, pid, process, target process):
    PID 1612 wrote to memory of 736   1612  07f4bd795b0ccea1c9f2e29b9460b5d93c66af11ceca3fd880580f656d4c690c.exe  MediaCenter.exe
    PID 1612 wrote to memory of 736   1612  07f4bd795b0ccea1c9f2e29b9460b5d93c66af11ceca3fd880580f656d4c690c.exe  MediaCenter.exe
    PID 1612 wrote to memory of 736   1612  07f4bd795b0ccea1c9f2e29b9460b5d93c66af11ceca3fd880580f656d4c690c.exe  MediaCenter.exe
    PID 1612 wrote to memory of 736   1612  07f4bd795b0ccea1c9f2e29b9460b5d93c66af11ceca3fd880580f656d4c690c.exe  MediaCenter.exe
    PID 1612 wrote to memory of 284   1612  07f4bd795b0ccea1c9f2e29b9460b5d93c66af11ceca3fd880580f656d4c690c.exe  cmd.exe
    PID 1612 wrote to memory of 284   1612  07f4bd795b0ccea1c9f2e29b9460b5d93c66af11ceca3fd880580f656d4c690c.exe  cmd.exe
    PID 1612 wrote to memory of 284   1612  07f4bd795b0ccea1c9f2e29b9460b5d93c66af11ceca3fd880580f656d4c690c.exe  cmd.exe
    PID 1612 wrote to memory of 284   1612  07f4bd795b0ccea1c9f2e29b9460b5d93c66af11ceca3fd880580f656d4c690c.exe  cmd.exe
    PID 284 wrote to memory of 1052   284   cmd.exe  PING.EXE
    PID 284 wrote to memory of 1052   284   cmd.exe  PING.EXE
    PID 284 wrote to memory of 1052   284   cmd.exe  PING.EXE
    PID 284 wrote to memory of 1052   284   cmd.exe  PING.EXE
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\07f4bd795b0ccea1c9f2e29b9460b5d93c66af11ceca3fd880580f656d4c690c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\07f4bd795b0ccea1c9f2e29b9460b5d93c66af11ceca3fd880580f656d4c690c.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1612

  - [2] C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 736

  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\07f4bd795b0ccea1c9f2e29b9460b5d93c66af11ceca3fd880580f656d4c690c.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 284

    - [3] C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1052
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 4788fb89bb8b7b1d7b8772cc2d3243dc
  SHA1: 517e218f3a3395d6b89e776b8bf6fc3a506820dd
  SHA256: 3fd9363931f317c7d38d2d20b15e63ccdca919331d2483c9b2b55fdc52b1abac
  SHA512: f717a315d3e24335b0773c43bdf61335d9b85eb03d972485dbe1cd4d975b93a847e92f743034672e59051a688d3d4dc724e0f87bd7ea42bb6fb87d24a1e3248d

- \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 4788fb89bb8b7b1d7b8772cc2d3243dc
  SHA1: 517e218f3a3395d6b89e776b8bf6fc3a506820dd
  SHA256: 3fd9363931f317c7d38d2d20b15e63ccdca919331d2483c9b2b55fdc52b1abac
  SHA512: f717a315d3e24335b0773c43bdf61335d9b85eb03d972485dbe1cd4d975b93a847e92f743034672e59051a688d3d4dc724e0f87bd7ea42bb6fb87d24a1e3248d

- memory/1612-55-0x0000000075B11000-0x0000000075B13000-memory.dmp
  Filesize: 8KB