Analysis
max time kernel:  132s
max time network: 163s
platform:         windows7_x64
resource:         win7-en-20211208
submitted:        12-02-2022 10:58
Static task: static1
Behavioral task: behavioral1
  Sample:   05a412b6a9b4374a59c00182b8b2c47512729f8e20d398690a840586b7a1dba3.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample:   05a412b6a9b4374a59c00182b8b2c47512729f8e20d398690a840586b7a1dba3.exe
  Resource: win10v2004-en-20220112
General
Target: 05a412b6a9b4374a59c00182b8b2c47512729f8e20d398690a840586b7a1dba3.exe
Size:   99KB
MD5:    282e691dbddb8724cacb290909da4b24
SHA1:   8d8e303778b6a9210fa10a18b35237b32754086a
SHA256: 05a412b6a9b4374a59c00182b8b2c47512729f8e20d398690a840586b7a1dba3
SHA512: ae084f85fbb73746792e67244e431cf6308544ea460eb748e789d8b614586fe3d512a770f2cac1bcf413fb61528d22d8d4f22386597d006f2cc4900540242b28
Malware Config
Signatures
Sakula Payload  3 IoCs
  resource                                                     yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe   family_sakula
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe   family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula
Executes dropped EXE  1 IoCs
  pid   process
  1892  MediaCenter.exe
Deletes itself  1 IoCs
  pid   process
  1172  cmd.exe
Loads dropped DLL  2 IoCs
  pid   process
  1684  05a412b6a9b4374a59c00182b8b2c47512729f8e20d398690a840586b7a1dba3.exe
  1684  05a412b6a9b4374a59c00182b8b2c47512729f8e20d398690a840586b7a1dba3.exe
Adds Run key to start application  2 TTPs  1 IoCs
  description      ioc                                                                                                                                                        process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  05a412b6a9b4374a59c00182b8b2c47512729f8e20d398690a840586b7a1dba3.exe
Enumerates physical storage devices  1 TTPs
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour. (This is the sandbox's generic description for the signature; nothing in this run shows file encryption, and the dropped payload is tagged family_sakula, a backdoor family, so treat the drive enumeration as reconnaissance rather than ransomware on its own.)
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken  1 IoCs
  description                        pid   process
  Token: SeIncBasePriorityPrivilege  1684  05a412b6a9b4374a59c00182b8b2c47512729f8e20d398690a840586b7a1dba3.exe
Suspicious use of WriteProcessMemory  12 IoCs
  description               pid   process                                                                 target process
  PID 1684 wrote to memory  1892  05a412b6a9b4374a59c00182b8b2c47512729f8e20d398690a840586b7a1dba3.exe  MediaCenter.exe
  PID 1684 wrote to memory  1892  05a412b6a9b4374a59c00182b8b2c47512729f8e20d398690a840586b7a1dba3.exe  MediaCenter.exe
  PID 1684 wrote to memory  1892  05a412b6a9b4374a59c00182b8b2c47512729f8e20d398690a840586b7a1dba3.exe  MediaCenter.exe
  PID 1684 wrote to memory  1892  05a412b6a9b4374a59c00182b8b2c47512729f8e20d398690a840586b7a1dba3.exe  MediaCenter.exe
  PID 1684 wrote to memory  1172  05a412b6a9b4374a59c00182b8b2c47512729f8e20d398690a840586b7a1dba3.exe  cmd.exe
  PID 1684 wrote to memory  1172  05a412b6a9b4374a59c00182b8b2c47512729f8e20d398690a840586b7a1dba3.exe  cmd.exe
  PID 1684 wrote to memory  1172  05a412b6a9b4374a59c00182b8b2c47512729f8e20d398690a840586b7a1dba3.exe  cmd.exe
  PID 1684 wrote to memory  1172  05a412b6a9b4374a59c00182b8b2c47512729f8e20d398690a840586b7a1dba3.exe  cmd.exe
  PID 1172 wrote to memory  952   cmd.exe                                                                 PING.EXE
  PID 1172 wrote to memory  952   cmd.exe                                                                 PING.EXE
  PID 1172 wrote to memory  952   cmd.exe                                                                 PING.EXE
  PID 1172 wrote to memory  952   cmd.exe                                                                 PING.EXE
  (The writes into 1892, 1172 and 952 are each the parent creating the child; the sandbox reports the CreateProcess-time memory writes under this heading, not a separate injection.)
Processes
C:\Users\Admin\AppData\Local\Temp\05a412b6a9b4374a59c00182b8b2c47512729f8e20d398690a840586b7a1dba3.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\05a412b6a9b4374a59c00182b8b2c47512729f8e20d398690a840586b7a1dba3.exe"
  PID: 1684
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  (child of 1684)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 1892
    - Executes dropped EXE
  C:\Windows\SysWOW64\cmd.exe  (child of 1684)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\05a412b6a9b4374a59c00182b8b2c47512729f8e20d398690a840586b7a1dba3.exe"
    PID: 1172
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\PING.EXE  (child of 1172)
      Command line: ping 127.0.0.1
      PID: 952
      - Runs ping.exe
  (The command line names System32\cmd.exe but the image resolved to SysWOW64\cmd.exe: the sample is a 32-bit process on this x64 host, so the WOW64 file-system redirector rewrites the path, which also explains the Wow6432Node Run key above.)
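The process tree above shows the two host-side behaviours worth alerting on: the dropper spawns cmd.exe with "ping 127.0.0.1 & del /q <its own path>" (ping gives a few seconds of delay so the parent can exit and release its file handle before del runs), and it writes a Run value pointing into %TEMP%. The following is an added detection example, not code from this report or from the sandbox; it runs over constructed process-creation and registry events that mirror the PIDs, paths and command lines shown in this report. The field names (pid, ppid, image, cmdline, key, name, data) are assumptions standing in for whatever your telemetry (Sysmon Event ID 1 and 13, or an EDR feed) provides.

```python
import re

# Path of the sample as shown in the report's process tree.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\05a412b6a9b4374a59c00182b8b2c47512729f8e20d398690a840586b7a1dba3.exe")

# Constructed process-creation events modelled on the report's process tree.
# ppid 1000 for the root is an assumption (the report does not show its parent).
EVENTS = [
    {"pid": 1684, "ppid": 1000, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 1892, "ppid": 1684,
     "image": r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe",
     "cmdline": r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"},
    {"pid": 1172, "ppid": 1684, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"'},
    {"pid": 952, "ppid": 1172, "image": r"C:\Windows\SysWOW64\PING.EXE",
     "cmdline": "ping 127.0.0.1"},
]

# Constructed registry-set event modelled on the report's "Adds Run key" IoC.
REG_EVENTS = [
    {"pid": 1684,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run",
     "name": "MicroMedia",
     "data": r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"},
]

# "ping ... & del [/switches] <target>" or the timeout variant of the same trick.
SELF_DELETE = re.compile(
    r'\b(?:ping|timeout)\b[^&]*&+\s*(?:del|erase)\b\s+(?:/[a-z]\s+)*"?(?P<target>[^"&]+?)"?\s*$',
    re.IGNORECASE)

# Run / RunOnce under HKLM or HKCU, including the WOW64-redirected view.
RUN_KEY = re.compile(
    r"\\(?:Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?$", re.IGNORECASE)

# Locations an unprivileged user (and therefore a dropper) can write to.
USER_WRITABLE = re.compile(
    r"\\AppData\\(?:Local|Roaming)\\|\\Temp\\|\\ProgramData\\|\\Users\\Public\\", re.IGNORECASE)


def find_self_deletion(events):
    """Return (cmd_pid, parent_pid, parent_image) for every cmd.exe whose
    delayed del target is exactly its own parent's image path."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if not e["image"].lower().endswith("\\cmd.exe"):
            continue
        m = SELF_DELETE.search(e["cmdline"])
        if not m:
            continue
        parent = by_pid.get(e["ppid"])
        target = m.group("target").strip().lower()
        if parent and parent["image"].lower() == target:
            hits.append((e["pid"], parent["pid"], parent["image"]))
    return hits


def find_suspicious_run_keys(reg_events):
    """Return (value_name, data) for Run/RunOnce values whose target lives in
    a user-writable directory rather than Program Files or Windows."""
    return [(r["name"], r["data"]) for r in reg_events
            if RUN_KEY.search(r["key"]) and USER_WRITABLE.search(r["data"])]


if __name__ == "__main__":
    for cmd_pid, parent_pid, image in find_self_deletion(EVENTS):
        print(f"self-deletion: cmd.exe {cmd_pid} deletes parent {parent_pid} ({image})")
    for name, data in find_suspicious_run_keys(REG_EVENTS):
        print(f"persistence: Run value {name!r} -> {data}")
```

Matching the del target against the parent's own image (rather than just keying on "ping & del") is what keeps this rule quiet on the ordinary install and update scripts that also chain ping and del; the Run-key rule is deliberately broad and is meant to be triaged together with the drop location and the signer of the target file.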
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5:    623f6e414a9561ee3d49305cd00ec1b1
  SHA1:   7ddb29c65565dabf1fd8bf29287704d7cd525cc6
  SHA256: c3c4dc32d5d2f4ad39086dd11ad570b3efe2a71a656032b2945f871dff403041
  SHA512: 26b0e15b492dfccf2ec46fa9783bc8e879f0bb01cf65e62dc7663c356a38d9330e5369ab2ba743e066279cfa224550a7f73f840c62abf891cfeedb313ea791a0
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  Same file as above (identical MD5/SHA1/SHA256/SHA512).
memory/1684-54-0x0000000075D61000-0x0000000075D63000-memory.dmp
  Filesize: 8KB