Analysis
- max time kernel: 133s
- max time network: 146s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 10:14
Static task: static1
Behavioral task: behavioral1
- Sample: 07c3fdfbb7947f16c23743826bf10e2e532b0ba1d6defea3539d10af4b6d13b9.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 07c3fdfbb7947f16c23743826bf10e2e532b0ba1d6defea3539d10af4b6d13b9.exe
- Resource: win10v2004-en-20220113
General
- Target: 07c3fdfbb7947f16c23743826bf10e2e532b0ba1d6defea3539d10af4b6d13b9.exe
- Size: 92KB
- MD5: 1eda9f6764722e11c5165c525d7e4eee
- SHA1: 5f804c3827fd4c226ef8b6faea0cd878347e9b46
- SHA256: 07c3fdfbb7947f16c23743826bf10e2e532b0ba1d6defea3539d10af4b6d13b9
- SHA512: d6686b513096e1ccb22812cc9796da6a1943959d2b52f5a516864d56c1259e667389c387f3233e90f9be55b55fc7937c279c636e9c34a8a382cbb8bbb5172cc3
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  Processes (resource / yara_rule):
  - \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe / family_sakula
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe / family_sakula
- Executes dropped EXE (1 IoCs)
  Processes (pid / process):
  - 1588 / MediaCenter.exe
- Deletes itself (1 IoCs)
  Processes (pid / process):
  - 540 / cmd.exe
- Loads dropped DLL (1 IoCs)
  Processes (pid / process):
  - 836 / 07c3fdfbb7947f16c23743826bf10e2e532b0ba1d6defea3539d10af4b6d13b9.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes (description / ioc / process):
  - Set value (str) / \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" / 07c3fdfbb7947f16c23743826bf10e2e532b0ba1d6defea3539d10af4b6d13b9.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes (description / pid / process):
  - Token: SeIncBasePriorityPrivilege / 836 / 07c3fdfbb7947f16c23743826bf10e2e532b0ba1d6defea3539d10af4b6d13b9.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description / pid / process / target process):
  - PID 836 wrote to memory of 1588 / 836 / 07c3fdfbb7947f16c23743826bf10e2e532b0ba1d6defea3539d10af4b6d13b9.exe / MediaCenter.exe
  - PID 836 wrote to memory of 1588 / 836 / 07c3fdfbb7947f16c23743826bf10e2e532b0ba1d6defea3539d10af4b6d13b9.exe / MediaCenter.exe
  - PID 836 wrote to memory of 1588 / 836 / 07c3fdfbb7947f16c23743826bf10e2e532b0ba1d6defea3539d10af4b6d13b9.exe / MediaCenter.exe
  - PID 836 wrote to memory of 1588 / 836 / 07c3fdfbb7947f16c23743826bf10e2e532b0ba1d6defea3539d10af4b6d13b9.exe / MediaCenter.exe
  - PID 836 wrote to memory of 540 / 836 / 07c3fdfbb7947f16c23743826bf10e2e532b0ba1d6defea3539d10af4b6d13b9.exe / cmd.exe
  - PID 836 wrote to memory of 540 / 836 / 07c3fdfbb7947f16c23743826bf10e2e532b0ba1d6defea3539d10af4b6d13b9.exe / cmd.exe
  - PID 836 wrote to memory of 540 / 836 / 07c3fdfbb7947f16c23743826bf10e2e532b0ba1d6defea3539d10af4b6d13b9.exe / cmd.exe
  - PID 836 wrote to memory of 540 / 836 / 07c3fdfbb7947f16c23743826bf10e2e532b0ba1d6defea3539d10af4b6d13b9.exe / cmd.exe
  - PID 540 wrote to memory of 776 / 540 / cmd.exe / PING.EXE
  - PID 540 wrote to memory of 776 / 540 / cmd.exe / PING.EXE
  - PID 540 wrote to memory of 776 / 540 / cmd.exe / PING.EXE
  - PID 540 wrote to memory of 776 / 540 / cmd.exe / PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\07c3fdfbb7947f16c23743826bf10e2e532b0ba1d6defea3539d10af4b6d13b9.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\07c3fdfbb7947f16c23743826bf10e2e532b0ba1d6defea3539d10af4b6d13b9.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 836
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1588
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\07c3fdfbb7947f16c23743826bf10e2e532b0ba1d6defea3539d10af4b6d13b9.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 540
    - C:\Windows\SysWOW64\PING.EXE (depth 3)
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 776
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  - MD5: 5a33bf5c0a7da6c3cf774d06cf8b1af6
  - SHA1: 7fd565b249b070780588fe7dab5378960b548574
  - SHA256: 76e5131d8fea6139abcb4034d1849256c8f4ef551b1cfa52b9f48407874abe29
  - SHA512: 38fe8632c3fd328f859a530b46c4987d8dbedb014bbd33ed50f378253f4f5c945543b848126d4cf0df35cbcd6855b6a5f50fd5c94c2779518cc725140f19c1f5
- \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  - MD5: 5a33bf5c0a7da6c3cf774d06cf8b1af6
  - SHA1: 7fd565b249b070780588fe7dab5378960b548574
  - SHA256: 76e5131d8fea6139abcb4034d1849256c8f4ef551b1cfa52b9f48407874abe29
  - SHA512: 38fe8632c3fd328f859a530b46c4987d8dbedb014bbd33ed50f378253f4f5c945543b848126d4cf0df35cbcd6855b6a5f50fd5c94c2779518cc725140f19c1f5
- memory/836-54-0x0000000076421000-0x0000000076423000-memory.dmp
  - Filesize: 8KB