Analysis

Max time kernel: 119s
Max time network: 133s
Platform: windows7_x64
Resource: win7-en-20211208
Submitted: 12-02-2022 10:29
Static task: static1

Behavioral task: behavioral1
  Sample: 070debefff3c4bb58a5c46cda624f2a5c61688aac065e10db36cc8e508454709.exe
  Resource: win7-en-20211208

Behavioral task: behavioral2
  Sample: 070debefff3c4bb58a5c46cda624f2a5c61688aac065e10db36cc8e508454709.exe
  Resource: win10v2004-en-20220113
General

Target: 070debefff3c4bb58a5c46cda624f2a5c61688aac065e10db36cc8e508454709.exe
Size: 99KB
MD5: 7ae7dd73bf0d896d5536798a51d91366
SHA1: 286cb6b952007c24f9cc0d7928987bc7a6972559
SHA256: 070debefff3c4bb58a5c46cda624f2a5c61688aac065e10db36cc8e508454709
SHA512: 0ff80e510a77a4af6b9478803a9fca50e46e896d25b1257f625b73d74fdee19eaa13089791ec6b79104a56a06944fc17b373b4d9b3b16224e14bd47fbac26435
Malware Config
Signatures
Sakula Payload (3 IoCs)
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
Executes dropped EXE (1 IoC)
  pid | process
  1880 | MediaCenter.exe
Deletes itself (1 IoC)
  pid | process
  1260 | cmd.exe
Loads dropped DLL (2 IoCs)
  pid | process
  1596 | 070debefff3c4bb58a5c46cda624f2a5c61688aac065e10db36cc8e508454709.exe
  1596 | 070debefff3c4bb58a5c46cda624f2a5c61688aac065e10db36cc8e508454709.exe
Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 070debefff3c4bb58a5c46cda624f2a5c61688aac065e10db36cc8e508454709.exe
  (The key lands under Wow6432Node because the 32-bit sample writes HKLM\SOFTWARE through WOW64 registry redirection.)
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox tags this as likely ransomware behaviour; the tag is a generic heuristic, and the payload in this run is classified as Sakula by the YARA hits above.
Runs ping.exe (1 TTP, 1 IoC)
Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 1596 | 070debefff3c4bb58a5c46cda624f2a5c61688aac065e10db36cc8e508454709.exe
Suspicious use of WriteProcessMemory (12 IoCs)
  description | pid | process | target process
  PID 1596 wrote to memory of 1880 | 1596 | 070debefff3c4bb58a5c46cda624f2a5c61688aac065e10db36cc8e508454709.exe | MediaCenter.exe (4 events)
  PID 1596 wrote to memory of 1260 | 1596 | 070debefff3c4bb58a5c46cda624f2a5c61688aac065e10db36cc8e508454709.exe | cmd.exe (4 events)
  PID 1260 wrote to memory of 1896 | 1260 | cmd.exe | PING.EXE (4 events)
Processes

1. C:\Users\Admin\AppData\Local\Temp\070debefff3c4bb58a5c46cda624f2a5c61688aac065e10db36cc8e508454709.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\070debefff3c4bb58a5c46cda624f2a5c61688aac065e10db36cc8e508454709.exe"
   PID: 1596
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (child of 1596)
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      PID: 1880
      - Executes dropped EXE

   2. C:\Windows\SysWOW64\cmd.exe (child of 1596)
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\070debefff3c4bb58a5c46cda624f2a5c61688aac065e10db36cc8e508454709.exe"
      PID: 1260
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      (The requested System32\cmd.exe resolves to SysWOW64\cmd.exe: the 32-bit parent launches it under WOW64 file-system redirection. The ping to the loopback address is only a delay so that the dropper has exited before del runs.)

      3. C:\Windows\SysWOW64\PING.EXE (child of 1260)
         Command line: ping 127.0.0.1
         PID: 1896
         - Runs ping.exe
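The two behaviours that matter most for detection in the tree above are the delayed self-deletion (`cmd /c ping 127.0.0.1 & del /q "<dropper>"`) and the Run key pointing into a temp directory. The script below is an added example, not part of the original report or of the analysed sample: it runs both checks over constructed Sysmon-style events (process-create and registry-set dictionaries that mirror the PIDs and paths in the report, with `sample.exe` standing in for the hash-named dropper, plus two benign events as noise). Field names and the event shape are assumptions; adapt them to your own log schema.

```python
"""Detect ping-then-del self-deletion and Run-key persistence into user-writable
paths, run over constructed Sysmon-style events (not a real export)."""
import re
from typing import Dict, List

DROPPER = r"C:\Users\Admin\AppData\Local\Temp\sample.exe"  # stands in for the hash-named dropper

# Constructed process-create events (Sysmon event 1 shape, assumed field names).
PROCESS_EVENTS: List[Dict] = [
    {"pid": 1596, "ppid": 1000, "image": DROPPER, "cmdline": f'"{DROPPER}"'},
    {"pid": 1880, "ppid": 1596,
     "image": r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe",
     "cmdline": r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"},
    {"pid": 1260, "ppid": 1596, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{DROPPER}"'},
    {"pid": 1896, "ppid": 1260, "image": r"C:\Windows\SysWOW64\PING.EXE", "cmdline": "ping 127.0.0.1"},
    # Benign noise: an admin pinging a host, and a cleanup job deleting a log file.
    {"pid": 2000, "ppid": 900, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c ping 10.0.0.5 -n 3"},
    {"pid": 2001, "ppid": 900, "image": r"C:\Windows\System32\cmd.exe", "cmdline": r'cmd.exe /c del /q "C:\Logs\old.log"'},
]

# Constructed registry-set events (Sysmon event 13 shape, assumed field names).
REGISTRY_EVENTS: List[Dict] = [
    {"pid": 1596,
     "key": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "value": r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"},
    {"pid": 3000,
     "key": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "value": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'},
]

# ping used as a sleep, chained with & or | into del/erase of an .exe path.
# Any ping target counts: attackers use 127.0.0.1, localhost or -n <count> alike.
SELF_DELETE_RE = re.compile(
    r'(?i)\bping(?:\.exe)?\b[^&|]*[&|]+\s*(?:del|erase)\b(?:\s+/\w+)*\s+"?(?P<target>[^"&|]+?\.exe)"?'
)
# Run / RunOnce under any hive; the Wow6432Node prefix seen in the report is ignored.
RUN_KEY_RE = re.compile(r"(?i)\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\")
# Locations an unprivileged user can write to; legitimate autoruns rarely live here.
USER_WRITABLE_RE = re.compile(
    r"(?i)\\(?:AppData\\(?:Local|Roaming)|Temp|ProgramData|Users\\Public|Downloads)\\"
)


def find_self_deletion(events: List[Dict]) -> List[Dict]:
    """Return ping-then-del hits; severity is high when the deleted file is the parent's image."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        m = SELF_DELETE_RE.search(e["cmdline"])
        if not m:
            continue
        target = m.group("target").strip()
        parent = by_pid.get(e["ppid"])
        deletes_parent = parent is not None and parent["image"].lower() == target.lower()
        hits.append({"pid": e["pid"], "target": target,
                     "severity": "high" if deletes_parent else "medium"})
    return hits


def find_suspicious_run_keys(events: List[Dict]) -> List[Dict]:
    """Return Run/RunOnce values whose command points into a user-writable directory."""
    hits = []
    for e in events:
        if RUN_KEY_RE.search(e["key"]) and USER_WRITABLE_RE.search(e["value"]):
            hits.append({"pid": e["pid"], "name": e["key"].rsplit("\\", 1)[-1],
                         "target": e["value"]})
    return hits


if __name__ == "__main__":
    for hit in find_self_deletion(PROCESS_EVENTS):
        print("self-deletion:", hit)
    for hit in find_suspicious_run_keys(REGISTRY_EVENTS):
        print("run-key persistence:", hit)
```

Tying the deleted path back to the parent's image (rather than alerting on every `ping & del`) is what separates the dropper's clean-up from ordinary batch scripts; the Run-key check likewise triggers on where the autorun points, not on the mere existence of a Run value, so the benign OneDrive entry passes.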
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
(recorded three times, once under this path and twice under the drive-less path \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe, all with identical hashes)
  MD5: 7a22f694d25fb909498ca8e9c2aced70
  SHA1: 4729eea8953d8c77d2cdd3f25bbd35c2c01de0c6
  SHA256: dcc946759bcf020d23b60d5653f46131c09cf73635d879d6bc936b305e9a2e0f
  SHA512: 13f2c80410344fe999c0af9d138b167b18318fbad1605dd41be082d79e1a14eb7ee9865745e2c7f613ef9367967d67331b26679f14759a3fdeb05766fd3bf2a3
memory/1596-54-0x0000000076001000-0x0000000076003000-memory.dmp
  Filesize: 8KB