Analysis
- max time kernel: 145s
- max time network: 162s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 10:29
Static task: static1
Behavioral task: behavioral1
  Sample: 070a018871d62d5b14ec58ceae306a76693f31bd9434fc6f767b989418ab8a48.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 070a018871d62d5b14ec58ceae306a76693f31bd9434fc6f767b989418ab8a48.exe
  Resource: win10v2004-en-20220113
General
- Target: 070a018871d62d5b14ec58ceae306a76693f31bd9434fc6f767b989418ab8a48.exe
- Size: 99KB
- MD5: d7aa2b5a0c8bddf28c0263e82bbefd58
- SHA1: ee527ccd06efefa5edc88335baa3a219b0e62861
- SHA256: 070a018871d62d5b14ec58ceae306a76693f31bd9434fc6f767b989418ab8a48
- SHA512: 1b94517c02cab495fcf43685af9d75e0480f3a4c66c830efc50be6fcbf76780c174450757214ccf30f9843a734069e0103f35a2888f7e9b96f01e304be87fa2c
Malware Config
Signatures
- Sakula Payload (3 IoCs)
  Processes:
    resource | yara_rule
    \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
    \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- Executes dropped EXE (1 IoC)
  Processes:
    pid | process
    960 | MediaCenter.exe
- Deletes itself (1 IoC)
  Processes:
    pid | process
    1988 | cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes:
    pid | process
    1684 | 070a018871d62d5b14ec58ceae306a76693f31bd9434fc6f767b989418ab8a48.exe
    1684 | 070a018871d62d5b14ec58ceae306a76693f31bd9434fc6f767b989418ab8a48.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    description | ioc | process
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 070a018871d62d5b14ec58ceae306a76693f31bd9434fc6f767b989418ab8a48.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description | pid | process
    Token: SeIncBasePriorityPrivilege | 1684 | 070a018871d62d5b14ec58ceae306a76693f31bd9434fc6f767b989418ab8a48.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
    description | pid | process | target process
    PID 1684 wrote to memory of 960 | 1684 | 070a018871d62d5b14ec58ceae306a76693f31bd9434fc6f767b989418ab8a48.exe | MediaCenter.exe
    PID 1684 wrote to memory of 960 | 1684 | 070a018871d62d5b14ec58ceae306a76693f31bd9434fc6f767b989418ab8a48.exe | MediaCenter.exe
    PID 1684 wrote to memory of 960 | 1684 | 070a018871d62d5b14ec58ceae306a76693f31bd9434fc6f767b989418ab8a48.exe | MediaCenter.exe
    PID 1684 wrote to memory of 960 | 1684 | 070a018871d62d5b14ec58ceae306a76693f31bd9434fc6f767b989418ab8a48.exe | MediaCenter.exe
    PID 1684 wrote to memory of 1988 | 1684 | 070a018871d62d5b14ec58ceae306a76693f31bd9434fc6f767b989418ab8a48.exe | cmd.exe
    PID 1684 wrote to memory of 1988 | 1684 | 070a018871d62d5b14ec58ceae306a76693f31bd9434fc6f767b989418ab8a48.exe | cmd.exe
    PID 1684 wrote to memory of 1988 | 1684 | 070a018871d62d5b14ec58ceae306a76693f31bd9434fc6f767b989418ab8a48.exe | cmd.exe
    PID 1684 wrote to memory of 1988 | 1684 | 070a018871d62d5b14ec58ceae306a76693f31bd9434fc6f767b989418ab8a48.exe | cmd.exe
    PID 1988 wrote to memory of 1032 | 1988 | cmd.exe | PING.EXE
    PID 1988 wrote to memory of 1032 | 1988 | cmd.exe | PING.EXE
    PID 1988 wrote to memory of 1032 | 1988 | cmd.exe | PING.EXE
    PID 1988 wrote to memory of 1032 | 1988 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\070a018871d62d5b14ec58ceae306a76693f31bd9434fc6f767b989418ab8a48.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\070a018871d62d5b14ec58ceae306a76693f31bd9434fc6f767b989418ab8a48.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1684
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 960
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\070a018871d62d5b14ec58ceae306a76693f31bd9434fc6f767b989418ab8a48.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1988
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1032
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 6944fa3db3b7bf0b249eab80dbda4a4e
  SHA1: 4c31938cdb3d758e690627da3224110675edb8cf
  SHA256: 070b6520bc19d78f787b2583329dc064456f00dd4a85837d3ab509cc38e09ad9
  SHA512: 5907b09a1503ad6c9f9018571fb102f520ee954b7b9a4fd53520e57a80396e313618ef7914274c4aa97f9b90d8ea278741daced3c7e534a843e99ae9a2b59b47
- \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 6944fa3db3b7bf0b249eab80dbda4a4e
  SHA1: 4c31938cdb3d758e690627da3224110675edb8cf
  SHA256: 070b6520bc19d78f787b2583329dc064456f00dd4a85837d3ab509cc38e09ad9
  SHA512: 5907b09a1503ad6c9f9018571fb102f520ee954b7b9a4fd53520e57a80396e313618ef7914274c4aa97f9b90d8ea278741daced3c7e534a843e99ae9a2b59b47
- memory/1684-54-0x0000000075761000-0x0000000075763000-memory.dmp
  Filesize: 8KB