Analysis
- max time kernel: 151s
- max time network: 165s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 11:08
Static task: static1
Behavioral task: behavioral1
  Sample: 053e7f8f1a6b0d0dd421724b5f1457f77a540b25a3993a4d60da104bf35e0af9.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 053e7f8f1a6b0d0dd421724b5f1457f77a540b25a3993a4d60da104bf35e0af9.exe
  Resource: win10v2004-en-20220112
General
- Target: 053e7f8f1a6b0d0dd421724b5f1457f77a540b25a3993a4d60da104bf35e0af9.exe
- Size: 150KB
- MD5: 3eec723e3763cfef6ed6e2ecfddbf48d
- SHA1: cd16fd3cce1f87909d97001bbb36d6dee3ab0be1
- SHA256: 053e7f8f1a6b0d0dd421724b5f1457f77a540b25a3993a4d60da104bf35e0af9
- SHA512: 344984ddada8264bfdb186720923bd22b45edd8371dd70325713c212c1a22a09081a7f5caa6035c845e6c23553417973543ba1c4c3dfb537d4fd7fb50ce85c7f
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  Processes (resource / yara_rule):
    \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  family_sakula
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  family_sakula
- Executes dropped EXE (1 IoC)
  Processes (pid / process):
    460  MediaCenter.exe
- Deletes itself (1 IoC)
  Processes (pid / process):
    1172  cmd.exe
- Loads dropped DLL (1 IoC)
  Processes (pid / process):
    1100  053e7f8f1a6b0d0dd421724b5f1457f77a540b25a3993a4d60da104bf35e0af9.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description / ioc / process):
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  053e7f8f1a6b0d0dd421724b5f1457f77a540b25a3993a4d60da104bf35e0af9.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description / pid / process):
    Token: SeIncBasePriorityPrivilege  1100  053e7f8f1a6b0d0dd421724b5f1457f77a540b25a3993a4d60da104bf35e0af9.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (source pid / target pid / source process / target process; each pair logged 4 times):
    PID 1100 wrote to memory of 460   053e7f8f1a6b0d0dd421724b5f1457f77a540b25a3993a4d60da104bf35e0af9.exe -> MediaCenter.exe  (x4)
    PID 1100 wrote to memory of 1172  053e7f8f1a6b0d0dd421724b5f1457f77a540b25a3993a4d60da104bf35e0af9.exe -> cmd.exe  (x4)
    PID 1172 wrote to memory of 1204  cmd.exe -> PING.EXE  (x4)
Processes
- C:\Users\Admin\AppData\Local\Temp\053e7f8f1a6b0d0dd421724b5f1457f77a540b25a3993a4d60da104bf35e0af9.exe  (PID 1100)
  Command line: "C:\Users\Admin\AppData\Local\Temp\053e7f8f1a6b0d0dd421724b5f1457f77a540b25a3993a4d60da104bf35e0af9.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  (PID 460)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe  (PID 1172)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\053e7f8f1a6b0d0dd421724b5f1457f77a540b25a3993a4d60da104bf35e0af9.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE  (PID 1204)
      Command line: ping 127.0.0.1
      - Runs ping.exe
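The process tree above shows the whole chain in three steps: the sample writes a Run value under Wow6432Node pointing at the dropped MediaCenter.exe in %TEMP%, launches that binary, then hands its own path to `cmd /c ping 127.0.0.1 & del /q` so the original file disappears after the ping delay. The following detector is an added example written for this page (it is not the sandbox's code and not anything from the Sakula sample); it replays those three behaviours over a constructed event stream modelled on the report. The event field names, the launcher PID 900, and the notepad/OneDrive control events are assumptions made for the example.

```python
"""Toy behavioural detector for the three IoCs in the report above:
Run-key persistence into a user-writable path, the Run target being a child
the same process just spawned, and self-deletion via `ping & del`.
Event dicts below are constructed for this example; the field names are
mine and not the sandbox's export format."""
import re
from typing import Dict, List

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\053e7f8f1a6b0d0dd421724b5f1457f77a540b25a3993a4d60da104bf35e0af9.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

# Constructed event stream modelled on the process tree and registry IoC.
# PID 900 (the launcher) and the notepad/OneDrive entries are invented controls.
EVENTS: List[Dict] = [
    {"type": "process", "pid": 1100, "ppid": 900, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"type": "process", "pid": 460, "ppid": 1100, "image": DROPPED, "cmdline": DROPPED},
    {"type": "registry", "pid": 1100,
     "key": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "value": DROPPED},
    {"type": "process", "pid": 1172, "ppid": 1100, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"'},
    {"type": "process", "pid": 1204, "ppid": 1172, "image": r"C:\Windows\SysWOW64\PING.EXE",
     "cmdline": "ping 127.0.0.1"},
    # Benign control: a Run value pointing into Program Files must not fire.
    {"type": "process", "pid": 2000, "ppid": 900, "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe"},
    {"type": "registry", "pid": 2000,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "value": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background"},
]

RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
# Anything under a user's AppData is writable without admin rights.
USER_WRITABLE_RE = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)
# `ping <loopback>` used as a sleep, followed by `del` of a quoted or bare path.
SELF_DELETE_RE = re.compile(
    r'\bping\b[^&]*\b(?:127\.0\.0\.1|localhost)\b[^&]*&\s*del\b(?:\s+/\w)*\s+"?(?P<target>[^"]+?)"?\s*$',
    re.IGNORECASE)


def analyze(events: List[Dict]) -> List[Dict]:
    """Return one finding per matched behaviour: {rule, pid, detail}."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    children: Dict[int, set] = {}  # ppid -> lower-cased image paths it spawned
    for p in procs.values():
        children.setdefault(p["ppid"], set()).add(p["image"].lower())

    findings: List[Dict] = []
    for e in events:
        if e["type"] == "registry" and RUN_KEY_RE.search(e["key"]):
            path = e["value"].strip().strip('"')
            if USER_WRITABLE_RE.match(path):
                findings.append({"rule": "run_key_to_user_writable_path", "pid": e["pid"],
                                 "detail": f'{e["key"]} = {path}'})
            if path.lower() in children.get(e["pid"], set()):
                findings.append({"rule": "run_key_targets_dropped_child", "pid": e["pid"],
                                 "detail": path})
        elif e["type"] == "process":
            m = SELF_DELETE_RE.search(e["cmdline"])
            if not m:
                continue
            target = m.group("target").strip().lower()
            parent = procs.get(e["ppid"])
            if parent and target == parent["image"].lower():
                rule = "self_delete_parent_via_ping_del"
            else:
                rule = "delayed_delete_via_ping_del"
            findings.append({"rule": rule, "pid": e["pid"], "detail": target})
    return findings


if __name__ == "__main__":
    for f in analyze(EVENTS):
        print(f'{f["rule"]:<34} pid={f["pid"]:<5} {f["detail"]}')
```

Match on the command line rather than the image path: the report shows the 32-bit parent requesting `C:\Windows\System32\cmd.exe` and actually getting `C:\Windows\SysWOW64\cmd.exe` through WOW64 file-system redirection, which is also why the Run value landed under `Wow6432Node`. The self-delete rule deliberately compares the `del` target against the parent's image path, so a script that merely pings and deletes a temp file is reported under the weaker `delayed_delete_via_ping_del` rule instead.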
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 78d1cf28da139ddfe4fb206b6644cbea
  SHA1: f5cc1f02b52dbdb24503985f83b386eb4988deb5
  SHA256: 09d497d821023b53b58ec807891b66a8a29b7cb347a60f6762278c07841e88f8
  SHA512: c1294983cd6f16fcd7ce1395443dbca29f4576239eec1c2d2f50766c682c504b8c6e35079911af0f7f74981b9d6a355edff06a848f41bc040b1c584188e5ee83
- \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5, SHA1, SHA256, SHA512: identical to the entry above (same file, listed under its drive-less path)
- memory/1100-54-0x0000000075AB1000-0x0000000075AB3000-memory.dmp
  Filesize: 8KB