Analysis
max time kernel: 119s
max time network: 140s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 10:10
Static task: static1
Behavioral task: behavioral1
    Sample: 07ed11eac5c5ebba8b1fa53e07ef55dc34b937469f790eb028a13460857588b2.exe
    Resource: win7-en-20211208
Behavioral task: behavioral2
    Sample: 07ed11eac5c5ebba8b1fa53e07ef55dc34b937469f790eb028a13460857588b2.exe
    Resource: win10v2004-en-20220112
General
Target: 07ed11eac5c5ebba8b1fa53e07ef55dc34b937469f790eb028a13460857588b2.exe
Size: 99KB
MD5: 0d4ad1f926790fc99eb603f57c558f73
SHA1: 6bb8a43714c1870cbb97d9205441eb09826d3f76
SHA256: 07ed11eac5c5ebba8b1fa53e07ef55dc34b937469f790eb028a13460857588b2
SHA512: af30f6c7a83d05a3405fb2eb5c1370a2f6ba8f6c922d2dd6cdde4fd31de49039fd892edf08771fd54cfb7bf43faf6039d027c9151c292e8b11642e690dd98aae
Malware Config
Signatures
Sakula Payload (3 IoCs)
Processes (resource / yara_rule):
    \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe / family_sakula
    \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe / family_sakula
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe / family_sakula
Executes dropped EXE (1 IoCs)
Processes (pid / process):
    1292 / MediaCenter.exe
Deletes itself (1 IoCs)
Processes (pid / process):
    916 / cmd.exe
Loads dropped DLL (2 IoCs)
Processes (pid / process):
    1672 / 07ed11eac5c5ebba8b1fa53e07ef55dc34b937469f790eb028a13460857588b2.exe
    1672 / 07ed11eac5c5ebba8b1fa53e07ef55dc34b937469f790eb028a13460857588b2.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes (description / ioc / process):
    Set value (str) / \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" / 07ed11eac5c5ebba8b1fa53e07ef55dc34b937469f790eb028a13460857588b2.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Runs ping.exe (1 TTPs, 1 IoCs)
Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes (description / pid / process):
    Token: SeIncBasePriorityPrivilege / 1672 / 07ed11eac5c5ebba8b1fa53e07ef55dc34b937469f790eb028a13460857588b2.exe
Suspicious use of WriteProcessMemory (12 IoCs)
Processes (description / pid / process / target process):
    PID 1672 wrote to memory of 1292 / 1672 / 07ed11eac5c5ebba8b1fa53e07ef55dc34b937469f790eb028a13460857588b2.exe / MediaCenter.exe
    PID 1672 wrote to memory of 1292 / 1672 / 07ed11eac5c5ebba8b1fa53e07ef55dc34b937469f790eb028a13460857588b2.exe / MediaCenter.exe
    PID 1672 wrote to memory of 1292 / 1672 / 07ed11eac5c5ebba8b1fa53e07ef55dc34b937469f790eb028a13460857588b2.exe / MediaCenter.exe
    PID 1672 wrote to memory of 1292 / 1672 / 07ed11eac5c5ebba8b1fa53e07ef55dc34b937469f790eb028a13460857588b2.exe / MediaCenter.exe
    PID 1672 wrote to memory of 916 / 1672 / 07ed11eac5c5ebba8b1fa53e07ef55dc34b937469f790eb028a13460857588b2.exe / cmd.exe
    PID 1672 wrote to memory of 916 / 1672 / 07ed11eac5c5ebba8b1fa53e07ef55dc34b937469f790eb028a13460857588b2.exe / cmd.exe
    PID 1672 wrote to memory of 916 / 1672 / 07ed11eac5c5ebba8b1fa53e07ef55dc34b937469f790eb028a13460857588b2.exe / cmd.exe
    PID 1672 wrote to memory of 916 / 1672 / 07ed11eac5c5ebba8b1fa53e07ef55dc34b937469f790eb028a13460857588b2.exe / cmd.exe
    PID 916 wrote to memory of 1708 / 916 / cmd.exe / PING.EXE
    PID 916 wrote to memory of 1708 / 916 / cmd.exe / PING.EXE
    PID 916 wrote to memory of 1708 / 916 / cmd.exe / PING.EXE
    PID 916 wrote to memory of 1708 / 916 / cmd.exe / PING.EXE
Processes
[depth 1] C:\Users\Admin\AppData\Local\Temp\07ed11eac5c5ebba8b1fa53e07ef55dc34b937469f790eb028a13460857588b2.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\07ed11eac5c5ebba8b1fa53e07ef55dc34b937469f790eb028a13460857588b2.exe"
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 1672
    [depth 2] C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
        - Executes dropped EXE
        PID: 1292
    [depth 2] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\07ed11eac5c5ebba8b1fa53e07ef55dc34b937469f790eb028a13460857588b2.exe"
        - Deletes itself
        - Suspicious use of WriteProcessMemory
        PID: 916
        [depth 3] C:\Windows\SysWOW64\PING.EXE
            Command line: ping 127.0.0.1
            - Runs ping.exe
            PID: 1708
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    MD5: fa53f32a65b6655b887673e05742f78a
    SHA1: 15ebcc84d4d30a73c83720cfd577195d43030386
    SHA256: 28a042f0efebb9a68a339ceb0cf0d3d4042f23d7981046d73dd7ab1e801a7a05
    SHA512: f63ffadb749aa320f74c83fda45de0e95bf5a3f74360f5d68a442d414867c764dfc08168fa20d45bcffc1a1b6115bfbdad4a99d55fff941b3b3571b970c3f042
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    MD5: fa53f32a65b6655b887673e05742f78a
    SHA1: 15ebcc84d4d30a73c83720cfd577195d43030386
    SHA256: 28a042f0efebb9a68a339ceb0cf0d3d4042f23d7981046d73dd7ab1e801a7a05
    SHA512: f63ffadb749aa320f74c83fda45de0e95bf5a3f74360f5d68a442d414867c764dfc08168fa20d45bcffc1a1b6115bfbdad4a99d55fff941b3b3571b970c3f042
memory/1672-55-0x0000000076641000-0x0000000076643000-memory.dmp
    Filesize: 8KB