Analysis
- max time kernel: 161s
- max time network: 180s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 10:59
Static task: static1
Behavioral task: behavioral1
  Sample: 059ed0952a7d401b994a0d0d533e4a8140b08bc36df6b331cc09660793265965.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 059ed0952a7d401b994a0d0d533e4a8140b08bc36df6b331cc09660793265965.exe
  Resource: win10v2004-en-20220113
General
- Target: 059ed0952a7d401b994a0d0d533e4a8140b08bc36df6b331cc09660793265965.exe
- Size: 80KB
- MD5: 5942436a4a51f7a30eff407e4a2d977b
- SHA1: 618d3dc52ee4022cbf70088d960dfe70da633d68
- SHA256: 059ed0952a7d401b994a0d0d533e4a8140b08bc36df6b331cc09660793265965
- SHA512: b11d1c77d4b1588b45afd9e24b249a7e7fe07bec2f153659971b117ff8c11da8517e53a1f9aadc7627d0aa8d3e5a103ba60fcb2f3d04fa30c197e12dd02f4bf5
Malware Config: (empty in this report)
Signatures
- Sakula Payload (3 IoCs)
  YARA rule family_sakula matched on:
  - \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  - \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  (all three hits are the same dropped file, listed with and without the drive letter)
- Executes dropped EXE (1 IoC)
  PID 1704: MediaCenter.exe
- Deletes itself (1 IoC)
  PID 588: cmd.exe
- Loads dropped DLL (2 IoCs)
  PID 948: 059ed0952a7d401b994a0d0d533e4a8140b08bc36df6b331cc09660793265965.exe (two load events)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str) by PID 948 (059ed0952a7d401b994a0d0d533e4a8140b08bc36df6b331cc09660793265965.exe):
  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  This is the HKLM Run key, so the dropped MediaCenter.exe is started at every user logon, not just for the current user; the sample could write it because the sandbox runs it as Admin. The Wow6432Node path shows a 32-bit process writing the key on the 64-bit Windows 7 image.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox flags this as likely ransomware behaviour, but that is a generic heuristic: nothing else in this trace (no mass file writes, no ransom note) supports it, and the YARA matches identify the payload as Sakula.
- Runs ping.exe (1 TTP, 1 IoC)
  PID 1152: PING.EXE (ping 127.0.0.1, launched by cmd.exe PID 588)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  PID 948 (059ed0952a7d401b994a0d0d533e4a8140b08bc36df6b331cc09660793265965.exe): Token: SeIncBasePriorityPrivilege
- Suspicious use of WriteProcessMemory (12 IoCs)
  - PID 948 (059ed0952a7d401b994a0d0d533e4a8140b08bc36df6b331cc09660793265965.exe) wrote to memory of PID 1704 (MediaCenter.exe): 4 events
  - PID 948 (059ed0952a7d401b994a0d0d533e4a8140b08bc36df6b331cc09660793265965.exe) wrote to memory of PID 588 (cmd.exe): 4 events
  - PID 588 (cmd.exe) wrote to memory of PID 1152 (PING.EXE): 4 events
  Every target is a direct child the writer itself launched, so these writes are consistent with ordinary child-process creation rather than injection into an unrelated process.
Processes
1. C:\Users\Admin\AppData\Local\Temp\059ed0952a7d401b994a0d0d533e4a8140b08bc36df6b331cc09660793265965.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\059ed0952a7d401b994a0d0d533e4a8140b08bc36df6b331cc09660793265965.exe"
   PID: 948
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      PID: 1704
      - Executes dropped EXE
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\059ed0952a7d401b994a0d0d533e4a8140b08bc36df6b331cc09660793265965.exe"
      PID: 588
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\PING.EXE
         Command line: ping 127.0.0.1
         PID: 1152
         - Runs ping.exe
Two details worth reading from this tree. The command line names C:\Windows\System32\cmd.exe but the image that ran is C:\Windows\SysWOW64\cmd.exe: the 32-bit sample is subject to WoW64 file-system redirection, so detections that key only on the System32 path would miss it. And "ping 127.0.0.1 & del /q <self>" is the common self-deletion idiom: ping is used as a short delay so the parent can exit and release its own image file before del runs, which is why the original file is gone by the end of the run while the dropped MediaCenter.exe survives.
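Detection logic for the behaviour chain above, added here as an example and not part of the sandbox report. It runs over process-creation and registry events constructed from this report's PIDs, image paths and command lines (the launcher PID 400 and the event record shapes are assumptions) and flags the three linked signals: a dropped EXE executed from %TEMP%, a Run value pointing at it, and a cmd.exe self-delete whose del target is its own parent's image.

```python
"""Flag the dropped-EXE / Run-key / ping-then-del chain seen in this report.
All events below are constructed from the report; none is live telemetry."""
import re
from dataclasses import dataclass

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\059ed0952a7d401b994a0d0d533e4a8140b08bc36df6b331cc09660793265965.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str     # on-disk image actually executed (SysWOW64 for the 32-bit chain)
    cmdline: str   # command line as supplied by the parent (may say System32)


# Constructed process-creation events mirroring the report's tree.
# PID 400 for the sandbox launcher is an assumption; it is not in the report.
EVENTS = [
    ProcEvent(948, 400, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(1704, 948, DROPPED, DROPPED),
    ProcEvent(588, 948, r"C:\Windows\SysWOW64\cmd.exe",
              f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"'),
    ProcEvent(1152, 588, r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.1"),
]

# Constructed registry-set event: (writer pid, key path, string data) from the Run key IoC.
RUN_KEY_EVENTS = [
    (948, r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     f'"{DROPPED}"'),
]

TEMP_MARKER = "\\appdata\\local\\temp\\"   # user-writable temp dir, compared lowercase

# "ping <anything> & del [/switches] <path>": capture the deletion target.
SELF_DELETE_RE = re.compile(
    r"\bping\b[^&]*&\s*del\b(?:\s+/\w+)*\s+\"?(?P<target>[^\"]+?)\"?\s*$", re.I)


def in_temp(path: str) -> bool:
    return TEMP_MARKER in path.lower()


def find_self_delete(events):
    """cmd.exe whose 'ping ... & del <path>' target is its own parent's image."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if not e.image.lower().endswith("\\cmd.exe"):   # image, not cmdline: survives WoW64 redirection
            continue
        m = SELF_DELETE_RE.search(e.cmdline)
        parent = by_pid.get(e.ppid)
        if m and parent and m.group("target").lower() == parent.image.lower():
            hits.append({"cmd_pid": e.pid, "deleted_pid": parent.pid, "target": m.group("target")})
    return hits


def find_dropped_exec(events):
    """A process living in %TEMP% launching another EXE that also lives in %TEMP%."""
    by_pid = {e.pid: e for e in events}
    return [(e.ppid, e.pid, e.image) for e in events
            if in_temp(e.image) and e.ppid in by_pid and in_temp(by_pid[e.ppid].image)]


def find_temp_run_keys(reg_events):
    """Run values whose data points into a user-writable temp directory."""
    hits = []
    for pid, key, data in reg_events:
        if "\\currentversion\\run\\" not in key.lower():
            continue
        target = data.strip().strip('"')
        if in_temp(target):
            hits.append((pid, key.rsplit("\\", 1)[1], target))
    return hits


def correlate(events, reg_events):
    """Persistence target that is also a dropped EXE already executed: highest-confidence signal."""
    executed = {img.lower() for _, _, img in find_dropped_exec(events)}
    persisted = {t.lower() for _, _, t in find_temp_run_keys(reg_events)}
    return sorted(executed & persisted)


if __name__ == "__main__":
    print(find_self_delete(EVENTS))
    print(find_dropped_exec(EVENTS))
    print(find_temp_run_keys(RUN_KEY_EVENTS))
    print(correlate(EVENTS, RUN_KEY_EVENTS))
```

The self-delete check deliberately matches on the executed image path rather than the command line so that the SysWOW64 cmd.exe launched by a 32-bit parent is still caught, and it only fires when the del target equals the parent's own image, which keeps ordinary "ping & del" cleanup scripts out of the alert.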
Network: (empty in this report)
MITRE ATT&CK Enterprise v6: (mapping not included in this report)
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (listed three times in the report, twice as \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe, all with identical hashes)
  MD5: 19105eb4c150239494069e4e9947693c
  SHA1: c94cfe12c6136c100b037c05c324a976379735e6
  SHA256: 75ec9f4b405110b44d7f639672c708812b18e550dbe46a6e8061c19305c614bb
  SHA512: cedb17be661c7ec4a77e45c6eaed34c9202ed90a836c30dc5b29aefa1bb7c7e66e63c8646e0eb937bac4fa994e069f43e3501c9c20213e3b81d54fbc22f30d34
- memory/948-54-0x0000000075601000-0x0000000075603000-memory.dmp
  Filesize: 8KB