Analysis
- max time kernel: 123s
- max time network: 147s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 10:42
Static task: static1
Behavioral task: behavioral1
- Sample: 065642eea89a547b1db1fdd6e6e6eb89984523f46b7824c4a07cfbaa7ba93b60.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 065642eea89a547b1db1fdd6e6e6eb89984523f46b7824c4a07cfbaa7ba93b60.exe
- Resource: win10v2004-en-20220112
General
- Target: 065642eea89a547b1db1fdd6e6e6eb89984523f46b7824c4a07cfbaa7ba93b60.exe
- Size: 99KB
- MD5: 730ba0ab7baf63252432bfa78c883c16
- SHA1: 66f6626a3c89ae6cdda42b4d54dcdb1790e7f259
- SHA256: 065642eea89a547b1db1fdd6e6e6eb89984523f46b7824c4a07cfbaa7ba93b60
- SHA512: c10eca1889939d722a15892ab3d6af467fd14a1264e6c4278c9b4fcaa66ce628757017a7d23a8c961b4dfe120534b6a679dcf4ad734c2c299d36d2e4c78a6bd0
Malware Config
Signatures
- Sakula Payload (3 IoCs)
  resource | yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- Executes dropped EXE (1 IoC)
  pid | process
  1712 | MediaCenter.exe
- Deletes itself (1 IoC)
  pid | process
  1408 | cmd.exe
- Loads dropped DLL (2 IoCs)
  pid | process
  1368 | 065642eea89a547b1db1fdd6e6e6eb89984523f46b7824c4a07cfbaa7ba93b60.exe
  1368 | 065642eea89a547b1db1fdd6e6e6eb89984523f46b7824c4a07cfbaa7ba93b60.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 065642eea89a547b1db1fdd6e6e6eb89984523f46b7824c4a07cfbaa7ba93b60.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 1368 | 065642eea89a547b1db1fdd6e6e6eb89984523f46b7824c4a07cfbaa7ba93b60.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  description | pid | process | target process
  PID 1368 wrote to memory of 1712 | 1368 | 065642eea89a547b1db1fdd6e6e6eb89984523f46b7824c4a07cfbaa7ba93b60.exe | MediaCenter.exe
  PID 1368 wrote to memory of 1712 | 1368 | 065642eea89a547b1db1fdd6e6e6eb89984523f46b7824c4a07cfbaa7ba93b60.exe | MediaCenter.exe
  PID 1368 wrote to memory of 1712 | 1368 | 065642eea89a547b1db1fdd6e6e6eb89984523f46b7824c4a07cfbaa7ba93b60.exe | MediaCenter.exe
  PID 1368 wrote to memory of 1712 | 1368 | 065642eea89a547b1db1fdd6e6e6eb89984523f46b7824c4a07cfbaa7ba93b60.exe | MediaCenter.exe
  PID 1368 wrote to memory of 1408 | 1368 | 065642eea89a547b1db1fdd6e6e6eb89984523f46b7824c4a07cfbaa7ba93b60.exe | cmd.exe
  PID 1368 wrote to memory of 1408 | 1368 | 065642eea89a547b1db1fdd6e6e6eb89984523f46b7824c4a07cfbaa7ba93b60.exe | cmd.exe
  PID 1368 wrote to memory of 1408 | 1368 | 065642eea89a547b1db1fdd6e6e6eb89984523f46b7824c4a07cfbaa7ba93b60.exe | cmd.exe
  PID 1368 wrote to memory of 1408 | 1368 | 065642eea89a547b1db1fdd6e6e6eb89984523f46b7824c4a07cfbaa7ba93b60.exe | cmd.exe
  PID 1408 wrote to memory of 1156 | 1408 | cmd.exe | PING.EXE
  PID 1408 wrote to memory of 1156 | 1408 | cmd.exe | PING.EXE
  PID 1408 wrote to memory of 1156 | 1408 | cmd.exe | PING.EXE
  PID 1408 wrote to memory of 1156 | 1408 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\065642eea89a547b1db1fdd6e6e6eb89984523f46b7824c4a07cfbaa7ba93b60.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\065642eea89a547b1db1fdd6e6e6eb89984523f46b7824c4a07cfbaa7ba93b60.exe"
  PID: 1368
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (depth 2)
    command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 1712
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\065642eea89a547b1db1fdd6e6e6eb89984523f46b7824c4a07cfbaa7ba93b60.exe"
    PID: 1408
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (depth 3)
      command line: ping 127.0.0.1
      PID: 1156
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 8850ec928754afce4f4c4c26ed2c06a2
  SHA1: ab5fa8fde1bdfe633066102a9d9355e3d2401f8d
  SHA256: b0735a6fcf48977b9418a4b978430b15cbb7a426bcefa5f9bf9548defc419403
  SHA512: c1f8ffbb0a248d56e45dabcf90f52f16864b5ab1c751b36841c49cfbcdedbe51feeac03e2972ab18fc0f6d24973ffee5942e63ccfc191eeb4a4c637616f2099b
- \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 8850ec928754afce4f4c4c26ed2c06a2
  SHA1: ab5fa8fde1bdfe633066102a9d9355e3d2401f8d
  SHA256: b0735a6fcf48977b9418a4b978430b15cbb7a426bcefa5f9bf9548defc419403
  SHA512: c1f8ffbb0a248d56e45dabcf90f52f16864b5ab1c751b36841c49cfbcdedbe51feeac03e2972ab18fc0f6d24973ffee5942e63ccfc191eeb4a4c637616f2099b
- memory/1368-55-0x0000000075AC1000-0x0000000075AC3000-memory.dmp
  Filesize: 8KB