Analysis
max time kernel: 119s
max time network: 135s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 11:10
Static task: static1
Behavioral task: behavioral1
Sample: 0522d4d324b6089cfb1ec5b5e59b1a840c169ab911f96e7b38a25a9abca5569e.exe
Resource: win7-en-20211208
Behavioral task: behavioral2
Sample: 0522d4d324b6089cfb1ec5b5e59b1a840c169ab911f96e7b38a25a9abca5569e.exe
Resource: win10v2004-en-20220112
General
Target: 0522d4d324b6089cfb1ec5b5e59b1a840c169ab911f96e7b38a25a9abca5569e.exe
Size: 79KB
MD5: d7869abd060d4f22821237f9b520e2b5
SHA1: 5f7aae833427d4e392628737d55d6cdc758b6647
SHA256: 0522d4d324b6089cfb1ec5b5e59b1a840c169ab911f96e7b38a25a9abca5569e
SHA512: 1ce50b1c0e6e201d70e1f958b9792c421dced4fb6c06cb4d6aafa865c0cae311f0908bbb74d074df34da87e4fc399fd7fa3f3a2de62ea8c9c187c027e1fc2a5a
Malware Config
Signatures
Sakula Payload (3 IoCs)
Processes (resource / yara_rule):
- \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe: family_sakula
- \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe: family_sakula
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe: family_sakula
Executes dropped EXE (1 IoC)
Processes (pid / process):
- 1108 MediaCenter.exe
Deletes itself (1 IoC)
Processes (pid / process):
- 2012 cmd.exe
Loads dropped DLL (2 IoCs)
Processes (pid / process):
- 1128 0522d4d324b6089cfb1ec5b5e59b1a840c169ab911f96e7b38a25a9abca5569e.exe
- 1128 0522d4d324b6089cfb1ec5b5e59b1a840c169ab911f96e7b38a25a9abca5569e.exe
Adds Run key to start application (2 TTPs, 1 IoC)
Processes (description / ioc / process):
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" (0522d4d324b6089cfb1ec5b5e59b1a840c169ab911f96e7b38a25a9abca5569e.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Runs ping.exe (1 TTP, 1 IoC)
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes (description / pid / process):
- Token: SeIncBasePriorityPrivilege, 1128 0522d4d324b6089cfb1ec5b5e59b1a840c169ab911f96e7b38a25a9abca5569e.exe
Suspicious use of WriteProcessMemory (12 IoCs)
Processes (description / pid / process / target process):
- PID 1128 wrote to memory of 1108: 0522d4d324b6089cfb1ec5b5e59b1a840c169ab911f96e7b38a25a9abca5569e.exe -> MediaCenter.exe (4 entries)
- PID 1128 wrote to memory of 2012: 0522d4d324b6089cfb1ec5b5e59b1a840c169ab911f96e7b38a25a9abca5569e.exe -> cmd.exe (4 entries)
- PID 2012 wrote to memory of 2040: cmd.exe -> PING.EXE (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\0522d4d324b6089cfb1ec5b5e59b1a840c169ab911f96e7b38a25a9abca5569e.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0522d4d324b6089cfb1ec5b5e59b1a840c169ab911f96e7b38a25a9abca5569e.exe"
  PID: 1128
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (level 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 1108
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (level 2)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0522d4d324b6089cfb1ec5b5e59b1a840c169ab911f96e7b38a25a9abca5569e.exe"
    PID: 2012
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (level 3)
      Command line: ping 127.0.0.1
      PID: 2040
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 73230713abb60eac81e04b0334027dc4
  SHA1: 81458f4187018f0371dfafeb84424bad6275b244
  SHA256: 26a5517f89ba148c79080c1b4c418f92844d8b43f3cee2b70a5970ffe7f09ad3
  SHA512: bdb9794a58052faee76100b15a9fafd6ee5b0cc3e46a83f6df30e1c25e3a68fe2892747344bbe64b1aaf25378e2632b1b74eb39cf8c66f18591f751325bcdc35
- \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 73230713abb60eac81e04b0334027dc4
  SHA1: 81458f4187018f0371dfafeb84424bad6275b244
  SHA256: 26a5517f89ba148c79080c1b4c418f92844d8b43f3cee2b70a5970ffe7f09ad3
  SHA512: bdb9794a58052faee76100b15a9fafd6ee5b0cc3e46a83f6df30e1c25e3a68fe2892747344bbe64b1aaf25378e2632b1b74eb39cf8c66f18591f751325bcdc35
- memory/1128-54-0x0000000075421000-0x0000000075423000-memory.dmp
  Filesize: 8KB