Analysis
- max time kernel: 124s
- max time network: 155s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 10:26
Static task: static1

Behavioral task: behavioral1
- Sample: 0735f6ade0963aa1ccdcc718b462c52a14387e0465d4986e7fb673e32f87a26f.exe
- Resource: win7-en-20211208

Behavioral task: behavioral2
- Sample: 0735f6ade0963aa1ccdcc718b462c52a14387e0465d4986e7fb673e32f87a26f.exe
- Resource: win10v2004-en-20220113
General
- Target: 0735f6ade0963aa1ccdcc718b462c52a14387e0465d4986e7fb673e32f87a26f.exe
- Size: 79KB
- MD5: 24f601d494ec38f0ada395f99249d05b
- SHA1: e93e78d7a15d0d5572c53f41ca6a31b7df4f3ecf
- SHA256: 0735f6ade0963aa1ccdcc718b462c52a14387e0465d4986e7fb673e32f87a26f
- SHA512: a5fedd7fe6377efc5c8078a843cf068f95ac367a725b6d590791f6a9539be1b8562fc74a8a976b3e41e224f7e118fbcb4f7f722088ab7937779a9ace134e3f3b
Malware Config
Signatures
- Sakula Payload (3 IoCs)
  resource / yara_rule:
  - \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe: family_sakula
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe: family_sakula
  - \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe: family_sakula
- Executes dropped EXE (1 IoC)
  pid / process:
  - 1660 MediaCenter.exe
- Deletes itself (1 IoC)
  pid / process:
  - 1084 cmd.exe
- Loads dropped DLL (2 IoCs)
  pid / process:
  - 1488 0735f6ade0963aa1ccdcc718b462c52a14387e0465d4986e7fb673e32f87a26f.exe
  - 1488 0735f6ade0963aa1ccdcc718b462c52a14387e0465d4986e7fb673e32f87a26f.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  description / ioc / process:
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" (0735f6ade0963aa1ccdcc718b462c52a14387e0465d4986e7fb673e32f87a26f.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description / pid / process:
  - Token: SeIncBasePriorityPrivilege, 1488 0735f6ade0963aa1ccdcc718b462c52a14387e0465d4986e7fb673e32f87a26f.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  description / pid / process / target process:
  - PID 1488 wrote to memory of 1660: 0735f6ade0963aa1ccdcc718b462c52a14387e0465d4986e7fb673e32f87a26f.exe -> MediaCenter.exe
  - PID 1488 wrote to memory of 1660: 0735f6ade0963aa1ccdcc718b462c52a14387e0465d4986e7fb673e32f87a26f.exe -> MediaCenter.exe
  - PID 1488 wrote to memory of 1660: 0735f6ade0963aa1ccdcc718b462c52a14387e0465d4986e7fb673e32f87a26f.exe -> MediaCenter.exe
  - PID 1488 wrote to memory of 1660: 0735f6ade0963aa1ccdcc718b462c52a14387e0465d4986e7fb673e32f87a26f.exe -> MediaCenter.exe
  - PID 1488 wrote to memory of 1084: 0735f6ade0963aa1ccdcc718b462c52a14387e0465d4986e7fb673e32f87a26f.exe -> cmd.exe
  - PID 1488 wrote to memory of 1084: 0735f6ade0963aa1ccdcc718b462c52a14387e0465d4986e7fb673e32f87a26f.exe -> cmd.exe
  - PID 1488 wrote to memory of 1084: 0735f6ade0963aa1ccdcc718b462c52a14387e0465d4986e7fb673e32f87a26f.exe -> cmd.exe
  - PID 1488 wrote to memory of 1084: 0735f6ade0963aa1ccdcc718b462c52a14387e0465d4986e7fb673e32f87a26f.exe -> cmd.exe
  - PID 1084 wrote to memory of 1928: cmd.exe -> PING.EXE
  - PID 1084 wrote to memory of 1928: cmd.exe -> PING.EXE
  - PID 1084 wrote to memory of 1928: cmd.exe -> PING.EXE
  - PID 1084 wrote to memory of 1928: cmd.exe -> PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\0735f6ade0963aa1ccdcc718b462c52a14387e0465d4986e7fb673e32f87a26f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0735f6ade0963aa1ccdcc718b462c52a14387e0465d4986e7fb673e32f87a26f.exe"
  PID: 1488
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 1660
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0735f6ade0963aa1ccdcc718b462c52a14387e0465d4986e7fb673e32f87a26f.exe"
    PID: 1084
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 1928
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: feb12a4921e070dec44ead1967c167fc
  SHA1: 8bb21ee4bbb92e11cf4b7f3a770d9d9ca104700a
  SHA256: d5a7782104a5d146d6ec15917ee38cb0514800860a1a64588cc201c9ce423d82
  SHA512: 148fa5143f1d857c8191050734ace67296c3b88c78dd7baad243669e9698b8ec43c1a236d129dbaec3171b8c64d36a1e281ec087268a0cb636061f3a9d7c4532
- \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: feb12a4921e070dec44ead1967c167fc
  SHA1: 8bb21ee4bbb92e11cf4b7f3a770d9d9ca104700a
  SHA256: d5a7782104a5d146d6ec15917ee38cb0514800860a1a64588cc201c9ce423d82
  SHA512: 148fa5143f1d857c8191050734ace67296c3b88c78dd7baad243669e9698b8ec43c1a236d129dbaec3171b8c64d36a1e281ec087268a0cb636061f3a9d7c4532
- memory/1488-55-0x0000000076851000-0x0000000076853000-memory.dmp
  Filesize: 8KB