Analysis
- max time kernel: 139s
- max time network: 154s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 11:07
Static task: static1
Behavioral task: behavioral1
- Sample: 0547598a27c29994298994fadb0c8ecd6841b0a96c05cfdaa7e80c77fef18bb9.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 0547598a27c29994298994fadb0c8ecd6841b0a96c05cfdaa7e80c77fef18bb9.exe
- Resource: win10v2004-en-20220112
General
- Target: 0547598a27c29994298994fadb0c8ecd6841b0a96c05cfdaa7e80c77fef18bb9.exe
- Size: 92KB
- MD5: 0d161427c84c99658d37cfbee02c221c
- SHA1: 8aed0a2ab6643774ba68f9c6c229ec72b4c7a4a0
- SHA256: 0547598a27c29994298994fadb0c8ecd6841b0a96c05cfdaa7e80c77fef18bb9
- SHA512: 5a152c477826e7c5425377b9f0f46225589103fc24588736b0819cdad02b8f497321dc8fb33263e34b4935e4b75a5a52fb299e321b462e3011c02429b73668e1
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  Processes:
  resource \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe, yara_rule family_sakula
  resource C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe, yara_rule family_sakula
- Executes dropped EXE (1 IoCs)
  Processes: MediaCenter.exe
  pid 528, process MediaCenter.exe
- Deletes itself (1 IoCs)
  Processes: cmd.exe
  pid 1964, process cmd.exe
- Loads dropped DLL (1 IoCs)
  Processes: 0547598a27c29994298994fadb0c8ecd6841b0a96c05cfdaa7e80c77fef18bb9.exe
  pid 972, process 0547598a27c29994298994fadb0c8ecd6841b0a96c05cfdaa7e80c77fef18bb9.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes: 0547598a27c29994298994fadb0c8ecd6841b0a96c05cfdaa7e80c77fef18bb9.exe
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  process: 0547598a27c29994298994fadb0c8ecd6841b0a96c05cfdaa7e80c77fef18bb9.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: 0547598a27c29994298994fadb0c8ecd6841b0a96c05cfdaa7e80c77fef18bb9.exe
  description: Token: SeIncBasePriorityPrivilege, pid 972, process 0547598a27c29994298994fadb0c8ecd6841b0a96c05cfdaa7e80c77fef18bb9.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes: 0547598a27c29994298994fadb0c8ecd6841b0a96c05cfdaa7e80c77fef18bb9.exe, cmd.exe
  PID 972 wrote to memory of 528 (pid 972, process 0547598a27c29994298994fadb0c8ecd6841b0a96c05cfdaa7e80c77fef18bb9.exe, target process MediaCenter.exe)
  PID 972 wrote to memory of 528 (pid 972, process 0547598a27c29994298994fadb0c8ecd6841b0a96c05cfdaa7e80c77fef18bb9.exe, target process MediaCenter.exe)
  PID 972 wrote to memory of 528 (pid 972, process 0547598a27c29994298994fadb0c8ecd6841b0a96c05cfdaa7e80c77fef18bb9.exe, target process MediaCenter.exe)
  PID 972 wrote to memory of 528 (pid 972, process 0547598a27c29994298994fadb0c8ecd6841b0a96c05cfdaa7e80c77fef18bb9.exe, target process MediaCenter.exe)
  PID 972 wrote to memory of 1964 (pid 972, process 0547598a27c29994298994fadb0c8ecd6841b0a96c05cfdaa7e80c77fef18bb9.exe, target process cmd.exe)
  PID 972 wrote to memory of 1964 (pid 972, process 0547598a27c29994298994fadb0c8ecd6841b0a96c05cfdaa7e80c77fef18bb9.exe, target process cmd.exe)
  PID 972 wrote to memory of 1964 (pid 972, process 0547598a27c29994298994fadb0c8ecd6841b0a96c05cfdaa7e80c77fef18bb9.exe, target process cmd.exe)
  PID 972 wrote to memory of 1964 (pid 972, process 0547598a27c29994298994fadb0c8ecd6841b0a96c05cfdaa7e80c77fef18bb9.exe, target process cmd.exe)
  PID 1964 wrote to memory of 1260 (pid 1964, process cmd.exe, target process PING.EXE)
  PID 1964 wrote to memory of 1260 (pid 1964, process cmd.exe, target process PING.EXE)
  PID 1964 wrote to memory of 1260 (pid 1964, process cmd.exe, target process PING.EXE)
  PID 1964 wrote to memory of 1260 (pid 1964, process cmd.exe, target process PING.EXE)
Processes
- C:\Users\Admin\AppData\Local\Temp\0547598a27c29994298994fadb0c8ecd6841b0a96c05cfdaa7e80c77fef18bb9.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0547598a27c29994298994fadb0c8ecd6841b0a96c05cfdaa7e80c77fef18bb9.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 972
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 528
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0547598a27c29994298994fadb0c8ecd6841b0a96c05cfdaa7e80c77fef18bb9.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1964
    - C:\Windows\SysWOW64\PING.EXE (depth 3)
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1260
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 3a3f18979a9c1adb162ee34554f363d8
  SHA1: 1da77a8e7df21e7eb804cc28337841f8eb92bc00
  SHA256: ca23044d19385be0db50c80328d71c7392b7422b2e798a97fc6f008c34d17aa6
  SHA512: 874b4a9b26de08f9ba283bc803829411c6be14e5bf3eacd21d3dbf95594bbdcb6ba963c5412ede48d9fc0e0ad8701182f661c16a8a23572b2d0b249eed889610
- \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 3a3f18979a9c1adb162ee34554f363d8
  SHA1: 1da77a8e7df21e7eb804cc28337841f8eb92bc00
  SHA256: ca23044d19385be0db50c80328d71c7392b7422b2e798a97fc6f008c34d17aa6
  SHA512: 874b4a9b26de08f9ba283bc803829411c6be14e5bf3eacd21d3dbf95594bbdcb6ba963c5412ede48d9fc0e0ad8701182f661c16a8a23572b2d0b249eed889610
- memory/972-55-0x0000000076071000-0x0000000076073000-memory.dmp
  Filesize: 8KB