Analysis
- max time kernel: 122s
- max time network: 152s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 10:41
Static task: static1
Behavioral task: behavioral1
  Sample: 0666d2f9b6173234a5829aeb84edc98141d17dacec7aaa79ceea69acbb5972f7.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0666d2f9b6173234a5829aeb84edc98141d17dacec7aaa79ceea69acbb5972f7.exe
  Resource: win10v2004-en-20220113
General
- Target: 0666d2f9b6173234a5829aeb84edc98141d17dacec7aaa79ceea69acbb5972f7.exe
- Size: 192KB
- MD5: 5f5bce3bd17241c0e46c5a2cbcf7d9d8
- SHA1: 69d614d35a68a012d18d08ed5f5892f95f3ee8fe
- SHA256: 0666d2f9b6173234a5829aeb84edc98141d17dacec7aaa79ceea69acbb5972f7
- SHA512: 8eac6ff1c55ff09240b651c100ec47129dfeaf61ba4d5a8d97eec21287881998d9295ee21388325e6618faa0e48caff0969395881288fef0e98ab7cef479d6f4
Malware Config
Signatures
- Sakula Payload (3 IoCs)
  resource -> yara_rule:
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe -> family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe -> family_sakula
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe -> family_sakula
- Executes dropped EXE (1 IoC)
  pid 764  MediaCenter.exe
- Deletes itself (1 IoC)
  pid 1664  cmd.exe
- Loads dropped DLL (2 IoCs)
  pid 1804  0666d2f9b6173234a5829aeb84edc98141d17dacec7aaa79ceea69acbb5972f7.exe
  pid 1804  0666d2f9b6173234a5829aeb84edc98141d17dacec7aaa79ceea69acbb5972f7.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  process: 0666d2f9b6173234a5829aeb84edc98141d17dacec7aaa79ceea69acbb5972f7.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeIncBasePriorityPrivilege  pid 1804  0666d2f9b6173234a5829aeb84edc98141d17dacec7aaa79ceea69acbb5972f7.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  PID 1804 wrote to memory of 764   0666d2f9b6173234a5829aeb84edc98141d17dacec7aaa79ceea69acbb5972f7.exe -> MediaCenter.exe  (reported 4 times)
  PID 1804 wrote to memory of 1664  0666d2f9b6173234a5829aeb84edc98141d17dacec7aaa79ceea69acbb5972f7.exe -> cmd.exe  (reported 4 times)
  PID 1664 wrote to memory of 1212  cmd.exe -> PING.EXE  (reported 4 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\0666d2f9b6173234a5829aeb84edc98141d17dacec7aaa79ceea69acbb5972f7.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\0666d2f9b6173234a5829aeb84edc98141d17dacec7aaa79ceea69acbb5972f7.exe"
  PID: 1804
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 764
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0666d2f9b6173234a5829aeb84edc98141d17dacec7aaa79ceea69acbb5972f7.exe"
    PID: 1664
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      command line: ping 127.0.0.1
      PID: 1212
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 63518b47402c149fadb48b294eb0c98b
  SHA1: 56b7f19acd2a6162b55c57d8a37f795787ddd512
  SHA256: 1107d6cdf01308aab661074f4f2ed07e253cbfb6b007a60de3692d9204afe9b5
  SHA512: 642d063858c1d3a344bf271e7d6f6d489b6de59ade8e6780914e92eec690a467b919ef809c13b38e813aa03ee3dcdb00f29f8b679c0513be29887c3eb369da63
- \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 63518b47402c149fadb48b294eb0c98b
  SHA1: 56b7f19acd2a6162b55c57d8a37f795787ddd512
  SHA256: 1107d6cdf01308aab661074f4f2ed07e253cbfb6b007a60de3692d9204afe9b5
  SHA512: 642d063858c1d3a344bf271e7d6f6d489b6de59ade8e6780914e92eec690a467b919ef809c13b38e813aa03ee3dcdb00f29f8b679c0513be29887c3eb369da63
- memory/1804-55-0x0000000075831000-0x0000000075833000-memory.dmp
  Filesize: 8KB