Analysis
max time kernel: 153s
max time network: 175s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 11:02
Static task: static1

Behavioral task: behavioral1
Sample: 05750015a1f364c850aa9c56377952e059f4467afb6a1a7a61526edeab5dbd5c.exe
Resource: win7-en-20211208

Behavioral task: behavioral2
Sample: 05750015a1f364c850aa9c56377952e059f4467afb6a1a7a61526edeab5dbd5c.exe
Resource: win10v2004-en-20220113
General
Target: 05750015a1f364c850aa9c56377952e059f4467afb6a1a7a61526edeab5dbd5c.exe
Size: 84KB
MD5: 89660a305761d4eee7a7dd4db4d98174
SHA1: 302f4afb0814672a55daf17c959a9184b93e594d
SHA256: 05750015a1f364c850aa9c56377952e059f4467afb6a1a7a61526edeab5dbd5c
SHA512: d319a504ba3ce991eb8a11afa47bd27c4f66ae80c5c32fd7ad074fe538eb59870b2a99151c6652de77fdb662fdc490967066d7271e4a69eb92c20a28b2bf9808
Malware Config
Signatures
Sakula Payload (3 IoCs)
Processes:
resource | yara_rule
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
Executes dropped EXE (1 IoC)
Processes:
pid | process
960 | MediaCenter.exe
Deletes itself (1 IoC)
Processes:
pid | process
620 | cmd.exe
Loads dropped DLL (2 IoCs)
Processes:
pid | process
844 | 05750015a1f364c850aa9c56377952e059f4467afb6a1a7a61526edeab5dbd5c.exe
844 | 05750015a1f364c850aa9c56377952e059f4467afb6a1a7a61526edeab5dbd5c.exe
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 05750015a1f364c850aa9c56377952e059f4467afb6a1a7a61526edeab5dbd5c.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTP, 1 IoC)
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
description | pid | process
Token: SeIncBasePriorityPrivilege | 844 | 05750015a1f364c850aa9c56377952e059f4467afb6a1a7a61526edeab5dbd5c.exe
Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
description | pid | process | target process
PID 844 wrote to memory of 960 | 844 | 05750015a1f364c850aa9c56377952e059f4467afb6a1a7a61526edeab5dbd5c.exe | MediaCenter.exe
PID 844 wrote to memory of 960 | 844 | 05750015a1f364c850aa9c56377952e059f4467afb6a1a7a61526edeab5dbd5c.exe | MediaCenter.exe
PID 844 wrote to memory of 960 | 844 | 05750015a1f364c850aa9c56377952e059f4467afb6a1a7a61526edeab5dbd5c.exe | MediaCenter.exe
PID 844 wrote to memory of 960 | 844 | 05750015a1f364c850aa9c56377952e059f4467afb6a1a7a61526edeab5dbd5c.exe | MediaCenter.exe
PID 844 wrote to memory of 620 | 844 | 05750015a1f364c850aa9c56377952e059f4467afb6a1a7a61526edeab5dbd5c.exe | cmd.exe
PID 844 wrote to memory of 620 | 844 | 05750015a1f364c850aa9c56377952e059f4467afb6a1a7a61526edeab5dbd5c.exe | cmd.exe
PID 844 wrote to memory of 620 | 844 | 05750015a1f364c850aa9c56377952e059f4467afb6a1a7a61526edeab5dbd5c.exe | cmd.exe
PID 844 wrote to memory of 620 | 844 | 05750015a1f364c850aa9c56377952e059f4467afb6a1a7a61526edeab5dbd5c.exe | cmd.exe
PID 620 wrote to memory of 1868 | 620 | cmd.exe | PING.EXE
PID 620 wrote to memory of 1868 | 620 | cmd.exe | PING.EXE
PID 620 wrote to memory of 1868 | 620 | cmd.exe | PING.EXE
PID 620 wrote to memory of 1868 | 620 | cmd.exe | PING.EXE
Processes
C:\Users\Admin\AppData\Local\Temp\05750015a1f364c850aa9c56377952e059f4467afb6a1a7a61526edeab5dbd5c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\05750015a1f364c850aa9c56377952e059f4467afb6a1a7a61526edeab5dbd5c.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 844

  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 960

  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\05750015a1f364c850aa9c56377952e059f4467afb6a1a7a61526edeab5dbd5c.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 620

    C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1868
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5: 67b60a52ddecdbd56df5c620f3c9f33e
SHA1: 0dc1b46fc5e4b5d54f85bef83e5e957b0c4db261
SHA256: 015ab3cb3eb7c0ad8335aec582b26a515c4284c54baf6520ff4dc847fccb0084
SHA512: b7baf6872a18a07e8739e3754c8d8111f056a70c8557664a16c173515a8e3a826ca8af673dd35e0da0539668c6bafd27e7c050105da32961d96c13f55f2b16c5

\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5: 67b60a52ddecdbd56df5c620f3c9f33e
SHA1: 0dc1b46fc5e4b5d54f85bef83e5e957b0c4db261
SHA256: 015ab3cb3eb7c0ad8335aec582b26a515c4284c54baf6520ff4dc847fccb0084
SHA512: b7baf6872a18a07e8739e3754c8d8111f056a70c8557664a16c173515a8e3a826ca8af673dd35e0da0539668c6bafd27e7c050105da32961d96c13f55f2b16c5

memory/844-54-0x0000000076151000-0x0000000076153000-memory.dmp
Filesize: 8KB