Analysis
- max time kernel: 126s
- max time network: 134s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 10:18
Static task: static1
Behavioral task: behavioral1
  Sample: 07a55888572163ca5332c4813a5ee0a1fdc57ac3e003798aff3c3aed1eb6124b.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 07a55888572163ca5332c4813a5ee0a1fdc57ac3e003798aff3c3aed1eb6124b.exe
  Resource: win10v2004-en-20220113
General
- Target: 07a55888572163ca5332c4813a5ee0a1fdc57ac3e003798aff3c3aed1eb6124b.exe
- Size: 150KB
- MD5: dc2c99c636960ebb884d75ac37c5028c
- SHA1: e60348503792d9c4e5e4474f88d50f81b353650d
- SHA256: 07a55888572163ca5332c4813a5ee0a1fdc57ac3e003798aff3c3aed1eb6124b
- SHA512: f63ec438eb215e057540f37c1e92dd607ad8482d2b436ba2b4e5268af51af6fafe88d2a028482a3c10ab7a808952d905048881b965c0e34194cbdd9a77fd98e6
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  Processes:
    resource: \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | yara_rule: family_sakula
    resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | yara_rule: family_sakula
- Executes dropped EXE (1 IoC)
  Processes:
    pid: 1848 | process: MediaCenter.exe
- Deletes itself (1 IoC)
  Processes:
    pid: 1244 | process: cmd.exe
- Loads dropped DLL (1 IoC)
  Processes:
    pid: 832 | process: 07a55888572163ca5332c4813a5ee0a1fdc57ac3e003798aff3c3aed1eb6124b.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    description: Set value (str) | ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | process: 07a55888572163ca5332c4813a5ee0a1fdc57ac3e003798aff3c3aed1eb6124b.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description: Token: SeIncBasePriorityPrivilege | pid: 832 | process: 07a55888572163ca5332c4813a5ee0a1fdc57ac3e003798aff3c3aed1eb6124b.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description | pid | process | target process):
    PID 832 wrote to memory of 1848 | 832 | 07a55888572163ca5332c4813a5ee0a1fdc57ac3e003798aff3c3aed1eb6124b.exe | MediaCenter.exe (4 events)
    PID 832 wrote to memory of 1244 | 832 | 07a55888572163ca5332c4813a5ee0a1fdc57ac3e003798aff3c3aed1eb6124b.exe | cmd.exe (4 events)
    PID 1244 wrote to memory of 1996 | 1244 | cmd.exe | PING.EXE (4 events)
Processes
- Level 1: C:\Users\Admin\AppData\Local\Temp\07a55888572163ca5332c4813a5ee0a1fdc57ac3e003798aff3c3aed1eb6124b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\07a55888572163ca5332c4813a5ee0a1fdc57ac3e003798aff3c3aed1eb6124b.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 832
  - Level 2: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1848
  - Level 2: C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\07a55888572163ca5332c4813a5ee0a1fdc57ac3e003798aff3c3aed1eb6124b.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1244
    - Level 3: C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1996
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 1a92c411308b06e6f1b2260441026bc7
  SHA1: c9944e5f1c129de497c042555670c78461df1985
  SHA256: a3fe85d1c0ce068a025da956d46146ba7a2a14de7735da848b37451607743484
  SHA512: 0af180420c758f3355e6609e711f87bffc607ac3c117b689d20ee72657afd28e528f4645d0879aef2c0fb2c2ed7865d7101143ddd7af30c7dca2b78308e729e7
- \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 1a92c411308b06e6f1b2260441026bc7
  SHA1: c9944e5f1c129de497c042555670c78461df1985
  SHA256: a3fe85d1c0ce068a025da956d46146ba7a2a14de7735da848b37451607743484
  SHA512: 0af180420c758f3355e6609e711f87bffc607ac3c117b689d20ee72657afd28e528f4645d0879aef2c0fb2c2ed7865d7101143ddd7af30c7dca2b78308e729e7
- memory/832-54-0x0000000075891000-0x0000000075893000-memory.dmp
  Filesize: 8KB