Analysis
- max time kernel: 149s
- max time network: 168s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 11:08
Static task: static1
Behavioral task: behavioral1
  Sample: 053eedd8dd3e393652046d116f2a312147be406f8c3bdf16b56bf5a4f9d4b38b.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 053eedd8dd3e393652046d116f2a312147be406f8c3bdf16b56bf5a4f9d4b38b.exe
  Resource: win10v2004-en-20220113
General
- Target: 053eedd8dd3e393652046d116f2a312147be406f8c3bdf16b56bf5a4f9d4b38b.exe
- Size: 150KB
- MD5: 4bd1cdab0745ae149ca5d643ec8ae92c
- SHA1: e4b448e4514c3ea18a7b8aa7a20e11a83d54c745
- SHA256: 053eedd8dd3e393652046d116f2a312147be406f8c3bdf16b56bf5a4f9d4b38b
- SHA512: ddce73f4c700f77d121a180bb592de64ff1481a0526dbebc1352420106074ec293bc8f30a9de211c6ee2beac63fb1f6af3c6ea077016cf7205a7ecc66ee956bc
Malware Config
Signatures
- Sakula Payload 2 IoCs
Processes:
  resource                                                       yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe     family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe   family_sakula
- Executes dropped EXE 1 IoCs
Processes:
  pid    process
  1112   MediaCenter.exe
- Deletes itself 1 IoCs
Processes:
  pid    process
  1148   cmd.exe
- Loads dropped DLL 1 IoCs
Processes:
  pid   process
  964   053eedd8dd3e393652046d116f2a312147be406f8c3bdf16b56bf5a4f9d4b38b.exe
- Adds Run key to start application 2 TTPs 1 IoCs
Processes:
  description       ioc                                                                                                                                                                     process
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"   053eedd8dd3e393652046d116f2a312147be406f8c3bdf16b56bf5a4f9d4b38b.exe
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe 1 TTPs 1 IoCs
- Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
  description                            pid   process
  Token: SeIncBasePriorityPrivilege      964   053eedd8dd3e393652046d116f2a312147be406f8c3bdf16b56bf5a4f9d4b38b.exe
- Suspicious use of WriteProcessMemory 12 IoCs
Processes:
  description          pid    target pid   process                                                                  target process
  wrote to memory of   964    1112         053eedd8dd3e393652046d116f2a312147be406f8c3bdf16b56bf5a4f9d4b38b.exe   MediaCenter.exe
  wrote to memory of   964    1112         053eedd8dd3e393652046d116f2a312147be406f8c3bdf16b56bf5a4f9d4b38b.exe   MediaCenter.exe
  wrote to memory of   964    1112         053eedd8dd3e393652046d116f2a312147be406f8c3bdf16b56bf5a4f9d4b38b.exe   MediaCenter.exe
  wrote to memory of   964    1112         053eedd8dd3e393652046d116f2a312147be406f8c3bdf16b56bf5a4f9d4b38b.exe   MediaCenter.exe
  wrote to memory of   964    1148         053eedd8dd3e393652046d116f2a312147be406f8c3bdf16b56bf5a4f9d4b38b.exe   cmd.exe
  wrote to memory of   964    1148         053eedd8dd3e393652046d116f2a312147be406f8c3bdf16b56bf5a4f9d4b38b.exe   cmd.exe
  wrote to memory of   964    1148         053eedd8dd3e393652046d116f2a312147be406f8c3bdf16b56bf5a4f9d4b38b.exe   cmd.exe
  wrote to memory of   964    1148         053eedd8dd3e393652046d116f2a312147be406f8c3bdf16b56bf5a4f9d4b38b.exe   cmd.exe
  wrote to memory of   1148   1796         cmd.exe                                                                  PING.EXE
  wrote to memory of   1148   1796         cmd.exe                                                                  PING.EXE
  wrote to memory of   1148   1796         cmd.exe                                                                  PING.EXE
  wrote to memory of   1148   1796         cmd.exe                                                                  PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\053eedd8dd3e393652046d116f2a312147be406f8c3bdf16b56bf5a4f9d4b38b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\053eedd8dd3e393652046d116f2a312147be406f8c3bdf16b56bf5a4f9d4b38b.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 964
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1112
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\053eedd8dd3e393652046d116f2a312147be406f8c3bdf16b56bf5a4f9d4b38b.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1148
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1796
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: c7028b6a5e7079252c29fc6c6de33db4
  SHA1: f1b4dae549bb81aa3d2cf9d9e3324185e368664e
  SHA256: 76482f93d44d6c61f05109b46d888384e342544b733f678ca6c89dedf91a9add
  SHA512: 0e8ac8aad957aaf68953d45e01ebe4a1ed6f4db5700d7b219b6ce294e9bc978311316e7a73ac3c4cc0d1899270fc476ef446ee66bfccdad74bc1c35f54532363
- \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: c7028b6a5e7079252c29fc6c6de33db4
  SHA1: f1b4dae549bb81aa3d2cf9d9e3324185e368664e
  SHA256: 76482f93d44d6c61f05109b46d888384e342544b733f678ca6c89dedf91a9add
  SHA512: 0e8ac8aad957aaf68953d45e01ebe4a1ed6f4db5700d7b219b6ce294e9bc978311316e7a73ac3c4cc0d1899270fc476ef446ee66bfccdad74bc1c35f54532363
- memory/964-54-0x0000000075D61000-0x0000000075D63000-memory.dmp
  Filesize: 8KB