Analysis
- max time kernel: 122s
- max time network: 144s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 10:20
Static task: static1
Behavioral task: behavioral1
  Sample: 078d69c5f07e2d53cbf501e1fa7f125184b15ccaaee3e453ea3ba51496e52ea6.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 078d69c5f07e2d53cbf501e1fa7f125184b15ccaaee3e453ea3ba51496e52ea6.exe
  Resource: win10v2004-en-20220112
General
- Target: 078d69c5f07e2d53cbf501e1fa7f125184b15ccaaee3e453ea3ba51496e52ea6.exe
- Size: 101KB
- MD5: bb43fe37869ddcbf937d2b7ee2a945d7
- SHA1: 921240a16e15dc94a840796a8b6ff1e4e4575184
- SHA256: 078d69c5f07e2d53cbf501e1fa7f125184b15ccaaee3e453ea3ba51496e52ea6
- SHA512: 6d6a3c616cf2669d9d585bdda1d3b4a076c0d2722adb12a512a325479708c3bdfe01f0b1b490d4531b7d253b1eb955c8ad1dc4a0b563bd0432bcbb201454b97e
Malware Config
Signatures
- Sakula Payload (3 IoCs)
  Processes:
    - resource: \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      yara_rule: family_sakula
    - resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      yara_rule: family_sakula
    - resource: \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      yara_rule: family_sakula
- Executes dropped EXE (1 IoC)
  Processes:
    - pid: 1380
      process: MediaCenter.exe
- Deletes itself (1 IoC)
  Processes:
    - pid: 1156
      process: cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes:
    - pid: 1648
      process: 078d69c5f07e2d53cbf501e1fa7f125184b15ccaaee3e453ea3ba51496e52ea6.exe
    - pid: 1648
      process: 078d69c5f07e2d53cbf501e1fa7f125184b15ccaaee3e453ea3ba51496e52ea6.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    - description: Set value (str)
      ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
      process: 078d69c5f07e2d53cbf501e1fa7f125184b15ccaaee3e453ea3ba51496e52ea6.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    - description: Token: SeIncBasePriorityPrivilege
      pid: 1648
      process: 078d69c5f07e2d53cbf501e1fa7f125184b15ccaaee3e453ea3ba51496e52ea6.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
    - description: PID 1648 wrote to memory of 1380 (reported 4 times)
      pid: 1648
      process: 078d69c5f07e2d53cbf501e1fa7f125184b15ccaaee3e453ea3ba51496e52ea6.exe
      target process: MediaCenter.exe
    - description: PID 1648 wrote to memory of 1156 (reported 4 times)
      pid: 1648
      process: 078d69c5f07e2d53cbf501e1fa7f125184b15ccaaee3e453ea3ba51496e52ea6.exe
      target process: cmd.exe
    - description: PID 1156 wrote to memory of 968 (reported 4 times)
      pid: 1156
      process: cmd.exe
      target process: PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\078d69c5f07e2d53cbf501e1fa7f125184b15ccaaee3e453ea3ba51496e52ea6.exe (PID 1648)
  Command line: "C:\Users\Admin\AppData\Local\Temp\078d69c5f07e2d53cbf501e1fa7f125184b15ccaaee3e453ea3ba51496e52ea6.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 1380)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 1156)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\078d69c5f07e2d53cbf501e1fa7f125184b15ccaaee3e453ea3ba51496e52ea6.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    Child processes:
    - C:\Windows\SysWOW64\PING.EXE (PID 968)
      Command line: ping 127.0.0.1
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 13aa0573b6b4c1e7fb7bd6fe8b33469b
  SHA1: f538814654267397bcdbff6bb9921c4925aae345
  SHA256: 8db8129155df41618a08fab0c5a90567aa5d4a348276c7b725362daa3e6272b7
  SHA512: e2153fcacf564123e1c664b544146583f457ab91a9b684cb32365bbae1fa61c80dcf1606a689d33e7e35443fd8f29b33e0d707d4caca8823ebdaa101f88b6570
- memory/1648-55-0x0000000075DF1000-0x0000000075DF3000-memory.dmp
  Filesize: 8KB