Analysis
- max time kernel: 119s
- max time network: 126s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 10:11
Static task: static1
Behavioral task: behavioral1
- Sample: 07ddcb1d946b111ddccf574da599e4b1cfc7082b62f9c0ac75fc316aef0dc37c.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 07ddcb1d946b111ddccf574da599e4b1cfc7082b62f9c0ac75fc316aef0dc37c.exe
- Resource: win10v2004-en-20220113
General
- Target: 07ddcb1d946b111ddccf574da599e4b1cfc7082b62f9c0ac75fc316aef0dc37c.exe
- Size: 99KB
- MD5: 77a310318bd89ac4a1e291862380e70a
- SHA1: f37aec3c4eb6b1bb33582606bc5e807bf22d2fa4
- SHA256: 07ddcb1d946b111ddccf574da599e4b1cfc7082b62f9c0ac75fc316aef0dc37c
- SHA512: 8a789e4c938c6c718c372e3035ed0b755a752dfbfc38ec4346c025e95d4a4a32daf30fb28eb7fddb94237e62025d0696f189fc25f7c389cadc9f2d45ebbd78c6
Malware Config
Signatures
-
Sakula Payload 3 IoCs
Processes (resource, yara_rule):
- \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe: family_sakula
- \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe: family_sakula
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe: family_sakula
-
Executes dropped EXE 1 IoCs
Processes (pid, process):
- 316 MediaCenter.exe
-
Deletes itself 1 IoCs
Processes (pid, process):
- 432 cmd.exe
-
Loads dropped DLL 2 IoCs
Processes (pid, process):
- 1696 07ddcb1d946b111ddccf574da599e4b1cfc7082b62f9c0ac75fc316aef0dc37c.exe
- 1696 07ddcb1d946b111ddccf574da599e4b1cfc7082b62f9c0ac75fc316aef0dc37c.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes (description, ioc, process):
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe", written by 07ddcb1d946b111ddccf574da599e4b1cfc7082b62f9c0ac75fc316aef0dc37c.exe (PID 1696)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's canned description labels this "likely ransomware behaviour", but the heuristic is generic (any drive enumeration triggers it); this sample is classified as Sakula by the YARA rule above, and this report records no file encryption activity.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes (description, pid, process):
- Token: SeIncBasePriorityPrivilege, 1696, 07ddcb1d946b111ddccf574da599e4b1cfc7082b62f9c0ac75fc316aef0dc37c.exe
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes (pid -> target pid, process -> target process), 4 events recorded for each edge:
- 1696 -> 316: 07ddcb1d946b111ddccf574da599e4b1cfc7082b62f9c0ac75fc316aef0dc37c.exe -> MediaCenter.exe
- 1696 -> 432: 07ddcb1d946b111ddccf574da599e4b1cfc7082b62f9c0ac75fc316aef0dc37c.exe -> cmd.exe
- 432 -> 1924: cmd.exe -> PING.EXE
Processes
-
1⤵ C:\Users\Admin\AppData\Local\Temp\07ddcb1d946b111ddccf574da599e4b1cfc7082b62f9c0ac75fc316aef0dc37c.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\07ddcb1d946b111ddccf574da599e4b1cfc7082b62f9c0ac75fc316aef0dc37c.exe"
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   PID: 1696
   2⤵ C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE
      PID: 316
   2⤵ C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\07ddcb1d946b111ddccf574da599e4b1cfc7082b62f9c0ac75fc316aef0dc37c.exe"
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      PID: 432
      3⤵ C:\Windows\SysWOW64\PING.EXE
         Command line: ping 127.0.0.1
         - Runs ping.exe
         PID: 1924
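The process tree above shows two behaviours worth turning into detections: the sample spawns cmd.exe with "/c ping 127.0.0.1 & del /q <its own path>", where the loopback ping is only a delay so that the original image is no longer in use when del runs, and it writes a Run value under Wow6432Node that points into the user's AppData\Local\Temp directory. The Python below is an added example, not part of the sandbox report or of any vendor tooling. It builds constructed process and registry records that mirror the tree above (PIDs, image paths, command lines and the registry key are copied from the report; the parent PID 1000 assigned to the sample is an assumption, since the report does not show it) and flags both patterns. It deliberately matches the del target against the parent's resolved image path rather than the command-line text, because the report records the image as SysWOW64\cmd.exe while the command line names System32\cmd.exe (WOW64 file-system redirection).

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed records mirroring the process tree in this report (PIDs, images
# and command lines copied from it). The sample's own parent PID (1000) is an
# assumption; the report does not show it.
@dataclass
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\07ddcb1d946b111ddccf574da599e4b1cfc7082b62f9c0ac75fc316aef0dc37c.exe")
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

PROCESSES: List[Proc] = [
    Proc(1696, 1000, SAMPLE, '"' + SAMPLE + '"'),
    Proc(316, 1696, DROPPED, DROPPED),
    # Image is SysWOW64\cmd.exe (WOW64 redirection) although the command line
    # names System32\cmd.exe, exactly as the report records it.
    Proc(432, 1696, r"C:\Windows\SysWOW64\cmd.exe",
         r'"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "' + SAMPLE + '"'),
    Proc(1924, 432, r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.1"),
]

# Constructed registry write mirroring the "Adds Run key" IoC: (key, value, pid).
RUN_KEY_WRITES: List[Tuple[str, str, int]] = [
    (r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     DROPPED, 1696),
]

# "del [/switches] <path>" where <path> may be quoted; stops at the next "&".
DEL_RE = re.compile(r'\bdel\b(?:\s+/\w+)*\s+"?([^"&]+?)"?\s*(?:&|$)', re.IGNORECASE)
# A loopback ping used purely as a sleep before the delete.
PING_RE = re.compile(r'\bping(?:\.exe)?\b.*?\b(127\.0\.0\.1|localhost)\b', re.IGNORECASE)


def find_self_delete(procs: List[Proc]) -> List[Dict[str, object]]:
    """Flag cmd.exe children whose 'del' target is the parent's own image."""
    by_pid: Dict[int, Proc] = {p.pid: p for p in procs}
    hits: List[Dict[str, object]] = []
    for p in procs:
        # Match on the resolved image, not on the command-line text, so the
        # SysWOW64 / System32 spelling difference does not matter.
        if not p.image.lower().endswith("\\cmd.exe"):
            continue
        m = DEL_RE.search(p.cmdline)
        if not m:
            continue
        target = m.group(1).strip().lower()
        parent = by_pid.get(p.ppid)
        if parent is not None and parent.image.lower() == target:
            hits.append({
                "pid": p.pid,
                "parent_pid": parent.pid,
                "deleted": m.group(1).strip(),
                "delayed_by_ping": bool(PING_RE.search(p.cmdline)),
            })
    return hits


# Locations a normal user can write to; a Run value pointing here is a
# persistence red flag regardless of how innocuous the executable's name is.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\",
                 "\\users\\public\\", "\\programdata\\")
RUN_KEY_MARKS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")


def find_suspicious_run_keys(writes: List[Tuple[str, str, int]]) -> List[Dict[str, object]]:
    """Flag Run/RunOnce values whose target lives in a user-writable directory."""
    hits: List[Dict[str, object]] = []
    for key, value, pid in writes:
        k = key.lower()
        if not any(mark in k for mark in RUN_KEY_MARKS):
            continue
        target = value.strip().strip('"').lower()
        if any(d in target for d in USER_WRITABLE):
            hits.append({
                "pid": pid,
                "key": key,
                "value": value,
                # A Wow6432Node write is what a 32-bit process on x64 produces;
                # detection content that only watches the native hive path misses it.
                "wow6432node": "\\wow6432node\\" in k,
            })
    return hits


if __name__ == "__main__":
    for h in find_self_delete(PROCESSES):
        print("self-delete:", h)
    for h in find_suspicious_run_keys(RUN_KEY_WRITES):
        print("run key:", h)
```

Run against the constructed records, find_self_delete returns one hit (PID 432, parent 1696, deleted path equal to the sample, delayed_by_ping True) and find_suspicious_run_keys returns one hit with wow6432node True. Both functions take plain records, so the same logic can be fed from Sysmon event 1 (process create) and event 13 (registry value set) exports.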
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
- MD5: 294623f1b503653ee875f5219c470e85
- SHA1: 6f73557c95f66ecc72a29256a6a6562eb9f32ad8
- SHA256: 8480b824772b1df10fc19dd3a34a4d73176254b94b3675c0e1a31f1e84e9fca1
- SHA512: 091c8e5bcb5b331be3c3e026894a3ea44d4af6e91b1a840b47234e823207db7c939bb2a0a1517f8284f3f344563052946b413e841d73ccffd832ad916f5bdaa1
-
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (recorded twice in the report with identical hashes; same file as the entry above)
- MD5: 294623f1b503653ee875f5219c470e85
- SHA1: 6f73557c95f66ecc72a29256a6a6562eb9f32ad8
- SHA256: 8480b824772b1df10fc19dd3a34a4d73176254b94b3675c0e1a31f1e84e9fca1
- SHA512: 091c8e5bcb5b331be3c3e026894a3ea44d4af6e91b1a840b47234e823207db7c939bb2a0a1517f8284f3f344563052946b413e841d73ccffd832ad916f5bdaa1
-
memory/1696-54-0x0000000076001000-0x0000000076003000-memory.dmp
- Filesize: 8KB