Analysis
max time kernel: 124s
max time network: 155s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 10:57
Static task: static1
Behavioral task: behavioral1
  Sample: 05acaeae4f408eff2d8d5138f54c0d62ddc04bd62860a3822d35203988225a48.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 05acaeae4f408eff2d8d5138f54c0d62ddc04bd62860a3822d35203988225a48.exe
  Resource: win10v2004-en-20220113
General
Target: 05acaeae4f408eff2d8d5138f54c0d62ddc04bd62860a3822d35203988225a48.exe
Size: 101KB
MD5: a0ef1add4c8b74b86adbb58738c485ce
SHA1: 93db3843393fbad2690c4c5cab33baefa80c772e
SHA256: 05acaeae4f408eff2d8d5138f54c0d62ddc04bd62860a3822d35203988225a48
SHA512: 79c3eacc5f449a95abc018692c03a2ffe2c4c7a8fe477e7bd9e70ccad4dead0c57c7d01ad5fae8806a491056b353fecef23e2fb55752ebb1929793b2acad8582
Malware Config
Signatures
- Sakula Payload (3 IoCs)
  Processes:
  resource                                                      yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe    family_sakula
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe    family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  family_sakula
- Executes dropped EXE (1 IoC)
  Processes:
  pid   process
  1544  MediaCenter.exe
- Deletes itself (1 IoC)
  Processes:
  pid   process
  1976  cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes:
  pid   process
  1664  05acaeae4f408eff2d8d5138f54c0d62ddc04bd62860a3822d35203988225a48.exe
  1664  05acaeae4f408eff2d8d5138f54c0d62ddc04bd62860a3822d35203988225a48.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
  description      ioc                                                                                                                                                               process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  05acaeae4f408eff2d8d5138f54c0d62ddc04bd62860a3822d35203988225a48.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  description                        pid   process
  Token: SeIncBasePriorityPrivilege  1664  05acaeae4f408eff2d8d5138f54c0d62ddc04bd62860a3822d35203988225a48.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
  description                       pid   process                                                               target process
  PID 1664 wrote to memory of 1544  1664  05acaeae4f408eff2d8d5138f54c0d62ddc04bd62860a3822d35203988225a48.exe  MediaCenter.exe
  PID 1664 wrote to memory of 1544  1664  05acaeae4f408eff2d8d5138f54c0d62ddc04bd62860a3822d35203988225a48.exe  MediaCenter.exe
  PID 1664 wrote to memory of 1544  1664  05acaeae4f408eff2d8d5138f54c0d62ddc04bd62860a3822d35203988225a48.exe  MediaCenter.exe
  PID 1664 wrote to memory of 1544  1664  05acaeae4f408eff2d8d5138f54c0d62ddc04bd62860a3822d35203988225a48.exe  MediaCenter.exe
  PID 1664 wrote to memory of 1976  1664  05acaeae4f408eff2d8d5138f54c0d62ddc04bd62860a3822d35203988225a48.exe  cmd.exe
  PID 1664 wrote to memory of 1976  1664  05acaeae4f408eff2d8d5138f54c0d62ddc04bd62860a3822d35203988225a48.exe  cmd.exe
  PID 1664 wrote to memory of 1976  1664  05acaeae4f408eff2d8d5138f54c0d62ddc04bd62860a3822d35203988225a48.exe  cmd.exe
  PID 1664 wrote to memory of 1976  1664  05acaeae4f408eff2d8d5138f54c0d62ddc04bd62860a3822d35203988225a48.exe  cmd.exe
  PID 1976 wrote to memory of 1968  1976  cmd.exe                                                               PING.EXE
  PID 1976 wrote to memory of 1968  1976  cmd.exe                                                               PING.EXE
  PID 1976 wrote to memory of 1968  1976  cmd.exe                                                               PING.EXE
  PID 1976 wrote to memory of 1968  1976  cmd.exe                                                               PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\05acaeae4f408eff2d8d5138f54c0d62ddc04bd62860a3822d35203988225a48.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\05acaeae4f408eff2d8d5138f54c0d62ddc04bd62860a3822d35203988225a48.exe"
  PID: 1664
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 1544
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\05acaeae4f408eff2d8d5138f54c0d62ddc04bd62860a3822d35203988225a48.exe"
    PID: 1976
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 1968
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 7f1817c3db9fc6ea06f3c7e38741099f
  SHA1: 042c49c79486122c5304aca87e69322ae86459c3
  SHA256: d8e59c582dc5f848ff6c886d062b86de8cd2c191a178e255a75325e4c4aabd65
  SHA512: 5dd0abc7e62670e11ff5eb42790363186a4df0bb3548d2956ea11abf7e044e51a732cc4ca23f872d1d7c974a594cacc8ea99577535a84091206af013f0ca8412
- memory/1664-54-0x0000000075D61000-0x0000000075D63000-memory.dmp
  Filesize: 8KB