Analysis
-
max time kernel
149s -
max time network
157s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
12-02-2022 10:18
Static task
static1
Behavioral task
behavioral1
Sample
079d84abded287611392160e7d90a69d37b0f8e7f83c4baec57f3df751b33fde.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
079d84abded287611392160e7d90a69d37b0f8e7f83c4baec57f3df751b33fde.exe
Resource
win10v2004-en-20220113
General
-
Target
079d84abded287611392160e7d90a69d37b0f8e7f83c4baec57f3df751b33fde.exe
-
Size
152KB
-
MD5
20e41425a563a5361236b0583b0f1bba
-
SHA1
995e232181b047e496ca56a1326ebd2af5fbaea8
-
SHA256
079d84abded287611392160e7d90a69d37b0f8e7f83c4baec57f3df751b33fde
-
SHA512
f8f5ad46233d12bbe6e6803106b7da74fe42ccd6b28b89e963731aac33007daeb9ff69b0f0872407439188231e907d7707c59221abbbd555e7ea8025b29099b4
Malware Config
Signatures
-
Sakula Payload 2 IoCs
Processes:
resource yara_rule \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula -
Executes dropped EXE 1 IoCs
Processes:
MediaCenter.exepid process 1576 MediaCenter.exe -
Deletes itself 1 IoCs
Processes:
cmd.exepid process 800 cmd.exe -
Loads dropped DLL 1 IoCs
Processes:
079d84abded287611392160e7d90a69d37b0f8e7f83c4baec57f3df751b33fde.exepid process 1664 079d84abded287611392160e7d90a69d37b0f8e7f83c4baec57f3df751b33fde.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
079d84abded287611392160e7d90a69d37b0f8e7f83c4baec57f3df751b33fde.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" 079d84abded287611392160e7d90a69d37b0f8e7f83c4baec57f3df751b33fde.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
079d84abded287611392160e7d90a69d37b0f8e7f83c4baec57f3df751b33fde.exedescription pid process Token: SeIncBasePriorityPrivilege 1664 079d84abded287611392160e7d90a69d37b0f8e7f83c4baec57f3df751b33fde.exe -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
079d84abded287611392160e7d90a69d37b0f8e7f83c4baec57f3df751b33fde.execmd.exedescription pid process target process PID 1664 wrote to memory of 1576 1664 079d84abded287611392160e7d90a69d37b0f8e7f83c4baec57f3df751b33fde.exe MediaCenter.exe PID 1664 wrote to memory of 1576 1664 079d84abded287611392160e7d90a69d37b0f8e7f83c4baec57f3df751b33fde.exe MediaCenter.exe PID 1664 wrote to memory of 1576 1664 079d84abded287611392160e7d90a69d37b0f8e7f83c4baec57f3df751b33fde.exe MediaCenter.exe PID 1664 wrote to memory of 1576 1664 079d84abded287611392160e7d90a69d37b0f8e7f83c4baec57f3df751b33fde.exe MediaCenter.exe PID 1664 wrote to memory of 800 1664 079d84abded287611392160e7d90a69d37b0f8e7f83c4baec57f3df751b33fde.exe cmd.exe PID 1664 wrote to memory of 800 1664 079d84abded287611392160e7d90a69d37b0f8e7f83c4baec57f3df751b33fde.exe cmd.exe PID 1664 wrote to memory of 800 1664 079d84abded287611392160e7d90a69d37b0f8e7f83c4baec57f3df751b33fde.exe cmd.exe PID 1664 wrote to memory of 800 1664 079d84abded287611392160e7d90a69d37b0f8e7f83c4baec57f3df751b33fde.exe cmd.exe PID 800 wrote to memory of 1832 800 cmd.exe PING.EXE PID 800 wrote to memory of 1832 800 cmd.exe PING.EXE PID 800 wrote to memory of 1832 800 cmd.exe PING.EXE PID 800 wrote to memory of 1832 800 cmd.exe PING.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\079d84abded287611392160e7d90a69d37b0f8e7f83c4baec57f3df751b33fde.exe"C:\Users\Admin\AppData\Local\Temp\079d84abded287611392160e7d90a69d37b0f8e7f83c4baec57f3df751b33fde.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1664 -
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeC:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe2⤵
- Executes dropped EXE
PID:1576 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\079d84abded287611392160e7d90a69d37b0f8e7f83c4baec57f3df751b33fde.exe"2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:800 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.13⤵
- Runs ping.exe
PID:1832
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeMD5
5d1747ff4da945e32eb32260421cad1e
SHA16a9db2c319a4ed6252aa279f55e9bbbc0363e15d
SHA2561b9233dce835446bf4108c2aaf3f3ca5bda3af2f67f2600eeace774a2c37aded
SHA512880364db8171d42856001afb3331111586090ce0b2ac2db753ffc3462f8c6d7c60c7fdda163cb9289ddfd876c23d688bea2d9880ac5ddd166d63b4383d39b700
-
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeMD5
5d1747ff4da945e32eb32260421cad1e
SHA16a9db2c319a4ed6252aa279f55e9bbbc0363e15d
SHA2561b9233dce835446bf4108c2aaf3f3ca5bda3af2f67f2600eeace774a2c37aded
SHA512880364db8171d42856001afb3331111586090ce0b2ac2db753ffc3462f8c6d7c60c7fdda163cb9289ddfd876c23d688bea2d9880ac5ddd166d63b4383d39b700
-
memory/1664-54-0x00000000754B1000-0x00000000754B3000-memory.dmpFilesize
8KB