Analysis
-
max time kernel
158s -
max time network
176s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
12-02-2022 10:12
Static task
static1
Behavioral task
behavioral1
Sample
07d752928fd9a3a4a74047f62d3a1ac61d94b0c176ba8777bd1c2ca170a34484.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
07d752928fd9a3a4a74047f62d3a1ac61d94b0c176ba8777bd1c2ca170a34484.exe
Resource
win10v2004-en-20220112
General
-
Target
07d752928fd9a3a4a74047f62d3a1ac61d94b0c176ba8777bd1c2ca170a34484.exe
-
Size
191KB
-
MD5
ea7f97d9af9cad7761d40f5e6fa2d01c
-
SHA1
0cc54589e400519171f2a3daae5bb5b9793b3bd6
-
SHA256
07d752928fd9a3a4a74047f62d3a1ac61d94b0c176ba8777bd1c2ca170a34484
-
SHA512
52bfa71d293b65d9d41b6a6b27d544b2982adcf8756a619dcce3911d08912feb6258a7a8358a40c01466fd52236d6a6b386d6a1e0ef918beb25d53bbd69aa221
Malware Config
Signatures
-
Sakula Payload 3 IoCs
Processes:
resource yara_rule \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula -
Executes dropped EXE 1 IoCs
Processes:
MediaCenter.exepid process 592 MediaCenter.exe -
Deletes itself 1 IoCs
Processes:
cmd.exepid process 1060 cmd.exe -
Loads dropped DLL 2 IoCs
Processes:
07d752928fd9a3a4a74047f62d3a1ac61d94b0c176ba8777bd1c2ca170a34484.exepid process 848 07d752928fd9a3a4a74047f62d3a1ac61d94b0c176ba8777bd1c2ca170a34484.exe 848 07d752928fd9a3a4a74047f62d3a1ac61d94b0c176ba8777bd1c2ca170a34484.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
07d752928fd9a3a4a74047f62d3a1ac61d94b0c176ba8777bd1c2ca170a34484.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" 07d752928fd9a3a4a74047f62d3a1ac61d94b0c176ba8777bd1c2ca170a34484.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
07d752928fd9a3a4a74047f62d3a1ac61d94b0c176ba8777bd1c2ca170a34484.exedescription pid process Token: SeIncBasePriorityPrivilege 848 07d752928fd9a3a4a74047f62d3a1ac61d94b0c176ba8777bd1c2ca170a34484.exe -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
07d752928fd9a3a4a74047f62d3a1ac61d94b0c176ba8777bd1c2ca170a34484.execmd.exedescription pid process target process PID 848 wrote to memory of 592 848 07d752928fd9a3a4a74047f62d3a1ac61d94b0c176ba8777bd1c2ca170a34484.exe MediaCenter.exe PID 848 wrote to memory of 592 848 07d752928fd9a3a4a74047f62d3a1ac61d94b0c176ba8777bd1c2ca170a34484.exe MediaCenter.exe PID 848 wrote to memory of 592 848 07d752928fd9a3a4a74047f62d3a1ac61d94b0c176ba8777bd1c2ca170a34484.exe MediaCenter.exe PID 848 wrote to memory of 592 848 07d752928fd9a3a4a74047f62d3a1ac61d94b0c176ba8777bd1c2ca170a34484.exe MediaCenter.exe PID 848 wrote to memory of 1060 848 07d752928fd9a3a4a74047f62d3a1ac61d94b0c176ba8777bd1c2ca170a34484.exe cmd.exe PID 848 wrote to memory of 1060 848 07d752928fd9a3a4a74047f62d3a1ac61d94b0c176ba8777bd1c2ca170a34484.exe cmd.exe PID 848 wrote to memory of 1060 848 07d752928fd9a3a4a74047f62d3a1ac61d94b0c176ba8777bd1c2ca170a34484.exe cmd.exe PID 848 wrote to memory of 1060 848 07d752928fd9a3a4a74047f62d3a1ac61d94b0c176ba8777bd1c2ca170a34484.exe cmd.exe PID 1060 wrote to memory of 1812 1060 cmd.exe PING.EXE PID 1060 wrote to memory of 1812 1060 cmd.exe PING.EXE PID 1060 wrote to memory of 1812 1060 cmd.exe PING.EXE PID 1060 wrote to memory of 1812 1060 cmd.exe PING.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\07d752928fd9a3a4a74047f62d3a1ac61d94b0c176ba8777bd1c2ca170a34484.exe"C:\Users\Admin\AppData\Local\Temp\07d752928fd9a3a4a74047f62d3a1ac61d94b0c176ba8777bd1c2ca170a34484.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:848 -
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeC:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe2⤵
- Executes dropped EXE
PID:592 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\07d752928fd9a3a4a74047f62d3a1ac61d94b0c176ba8777bd1c2ca170a34484.exe"2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1060 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.13⤵
- Runs ping.exe
PID:1812
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeMD5
cbafe48f21ace8060f3b35dbb5119a9d
SHA1fbf0b1099b4d241518aef85d0c7c8f24387cb4b0
SHA25616e70e25704118f10e0e4d552e88055e6a0ceabfaf913dd5cf29cfc666b33dfd
SHA512ab389c87975dc841fad429299bf3bb831b79cf0767b87a1ad467192e0428de7e13b2a63e3cde28c6a9a4137b64b6bbf23039e08aa0bf8025b9143e2b1acad4ca
-
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeMD5
cbafe48f21ace8060f3b35dbb5119a9d
SHA1fbf0b1099b4d241518aef85d0c7c8f24387cb4b0
SHA25616e70e25704118f10e0e4d552e88055e6a0ceabfaf913dd5cf29cfc666b33dfd
SHA512ab389c87975dc841fad429299bf3bb831b79cf0767b87a1ad467192e0428de7e13b2a63e3cde28c6a9a4137b64b6bbf23039e08aa0bf8025b9143e2b1acad4ca
-
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeMD5
cbafe48f21ace8060f3b35dbb5119a9d
SHA1fbf0b1099b4d241518aef85d0c7c8f24387cb4b0
SHA25616e70e25704118f10e0e4d552e88055e6a0ceabfaf913dd5cf29cfc666b33dfd
SHA512ab389c87975dc841fad429299bf3bb831b79cf0767b87a1ad467192e0428de7e13b2a63e3cde28c6a9a4137b64b6bbf23039e08aa0bf8025b9143e2b1acad4ca
-
memory/848-54-0x00000000751B1000-0x00000000751B3000-memory.dmpFilesize
8KB