Analysis

max time kernel:  123s
max time network: 151s
platform:         windows7_x64
resource:         win7-en-20211208
submitted:        12-02-2022 09:46

Static task: static1

Behavioral task: behavioral1
  Sample:   091674d68f96e87a61860a4d7e09ef6ca38d84009b98c6d0623f2b8e39d54ae8.exe
  Resource: win7-en-20211208

Behavioral task: behavioral2
  Sample:   091674d68f96e87a61860a4d7e09ef6ca38d84009b98c6d0623f2b8e39d54ae8.exe
  Resource: win10v2004-en-20220113
General

Target: 091674d68f96e87a61860a4d7e09ef6ca38d84009b98c6d0623f2b8e39d54ae8.exe
Size:   80KB
MD5:    f4a2c96374007d7a3229990740e0a9b0
SHA1:   68988c5af539e277a99644d60de3f68295229635
SHA256: 091674d68f96e87a61860a4d7e09ef6ca38d84009b98c6d0623f2b8e39d54ae8
SHA512: 32ee4422e877eef3a1b9745c32f9c2e367aedadd7596b9c3d188cff510c8bb4d6c5315203ec419b04bea2bdda0315eea95afb53d97157bb9aa8088a40d2c7672
Malware Config
Signatures

Sakula Payload (3 IoCs)
  Processes:
    resource                                                       yara_rule
    \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe     family_sakula
    \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe     family_sakula
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe   family_sakula

Executes dropped EXE (1 IoC)
  Processes:
    pid   process
    544   MediaCenter.exe

Deletes itself (1 IoC)
  Processes:
    pid   process
    988   cmd.exe

Loads dropped DLL (2 IoCs)
  Processes:
    pid    process
    1128   091674d68f96e87a61860a4d7e09ef6ca38d84009b98c6d0623f2b8e39d54ae8.exe
    1128   091674d68f96e87a61860a4d7e09ef6ca38d84009b98c6d0623f2b8e39d54ae8.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    description: Set value (str)
    ioc:         \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
    process:     091674d68f96e87a61860a4d7e09ef6ca38d84009b98c6d0623f2b8e39d54ae8.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTP, 1 IoC)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description                          pid    process
    Token: SeIncBasePriorityPrivilege    1128   091674d68f96e87a61860a4d7e09ef6ca38d84009b98c6d0623f2b8e39d54ae8.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
    description                        pid    process                                                                  target process
    PID 1128 wrote to memory of 544    1128   091674d68f96e87a61860a4d7e09ef6ca38d84009b98c6d0623f2b8e39d54ae8.exe   MediaCenter.exe
    PID 1128 wrote to memory of 544    1128   091674d68f96e87a61860a4d7e09ef6ca38d84009b98c6d0623f2b8e39d54ae8.exe   MediaCenter.exe
    PID 1128 wrote to memory of 544    1128   091674d68f96e87a61860a4d7e09ef6ca38d84009b98c6d0623f2b8e39d54ae8.exe   MediaCenter.exe
    PID 1128 wrote to memory of 544    1128   091674d68f96e87a61860a4d7e09ef6ca38d84009b98c6d0623f2b8e39d54ae8.exe   MediaCenter.exe
    PID 1128 wrote to memory of 988    1128   091674d68f96e87a61860a4d7e09ef6ca38d84009b98c6d0623f2b8e39d54ae8.exe   cmd.exe
    PID 1128 wrote to memory of 988    1128   091674d68f96e87a61860a4d7e09ef6ca38d84009b98c6d0623f2b8e39d54ae8.exe   cmd.exe
    PID 1128 wrote to memory of 988    1128   091674d68f96e87a61860a4d7e09ef6ca38d84009b98c6d0623f2b8e39d54ae8.exe   cmd.exe
    PID 1128 wrote to memory of 988    1128   091674d68f96e87a61860a4d7e09ef6ca38d84009b98c6d0623f2b8e39d54ae8.exe   cmd.exe
    PID 988 wrote to memory of 1480    988    cmd.exe                                                                  PING.EXE
    PID 988 wrote to memory of 1480    988    cmd.exe                                                                  PING.EXE
    PID 988 wrote to memory of 1480    988    cmd.exe                                                                  PING.EXE
    PID 988 wrote to memory of 1480    988    cmd.exe                                                                  PING.EXE
Processes

1. C:\Users\Admin\AppData\Local\Temp\091674d68f96e87a61860a4d7e09ef6ca38d84009b98c6d0623f2b8e39d54ae8.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\091674d68f96e87a61860a4d7e09ef6ca38d84009b98c6d0623f2b8e39d54ae8.exe"
   PID: 1128
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      PID: 544
      - Executes dropped EXE

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\091674d68f96e87a61860a4d7e09ef6ca38d84009b98c6d0623f2b8e39d54ae8.exe"
      PID: 988
      - Deletes itself
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\PING.EXE
         Command line: ping 127.0.0.1
         PID: 1480
         - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5:    0fa51a87dbaf7e298700628358dfb7b7
  SHA1:   0a6efeaff140a64631b94b4635cfcb21bd0da01c
  SHA256: 04ee5e840d82bef5b3fa37bae8c46db0a6c29241fc4f5b35425c11dd390398ab
  SHA512: 84b2faa5fd70d91c5d2219cdd2efdfa9bea8ffed7ef29d8a5e96eb14714e9c19df61c35572fb6309ac78f3b1163440100d66bcb8b9e2ccd8422046e3fc3054f9

\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5:    0fa51a87dbaf7e298700628358dfb7b7
  SHA1:   0a6efeaff140a64631b94b4635cfcb21bd0da01c
  SHA256: 04ee5e840d82bef5b3fa37bae8c46db0a6c29241fc4f5b35425c11dd390398ab
  SHA512: 84b2faa5fd70d91c5d2219cdd2efdfa9bea8ffed7ef29d8a5e96eb14714e9c19df61c35572fb6309ac78f3b1163440100d66bcb8b9e2ccd8422046e3fc3054f9

memory/1128-54-0x0000000075F21000-0x0000000075F23000-memory.dmp
  Filesize: 8KB