Analysis
- max time kernel: 121s
- max time network: 131s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 10:44
Static task: static1
Behavioral task: behavioral1
  Sample: 063a2b291e4309199b63f23b45b2f9d4f49f8e24865510678cb6e9f8469cc28d.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 063a2b291e4309199b63f23b45b2f9d4f49f8e24865510678cb6e9f8469cc28d.exe
  Resource: win10v2004-en-20220113
General
- Target: 063a2b291e4309199b63f23b45b2f9d4f49f8e24865510678cb6e9f8469cc28d.exe
- Size: 100KB
- MD5: 7b094b96acb1f8362977de458caf5a8d
- SHA1: 8ae952b814eeb2be218591bd3a936a128b6bff12
- SHA256: 063a2b291e4309199b63f23b45b2f9d4f49f8e24865510678cb6e9f8469cc28d
- SHA512: 28236ab4e94ea655a042189257a1c1ddf043f1fcd6793efe60cc11ce25708ba0c941bc7bf1ef8cf6cfce50ba4fc56262f5196b387594797ece8c8355c5e4f901
Malware Config
Signatures
- Sakula Payload (3 IoCs)
  resource | yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- Executes dropped EXE (1 IoC)
  pid | process
  1644 | MediaCenter.exe
- Deletes itself (1 IoC)
  pid | process
  1076 | cmd.exe
- Loads dropped DLL (2 IoCs)
  pid | process
  304 | 063a2b291e4309199b63f23b45b2f9d4f49f8e24865510678cb6e9f8469cc28d.exe
  304 | 063a2b291e4309199b63f23b45b2f9d4f49f8e24865510678cb6e9f8469cc28d.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 063a2b291e4309199b63f23b45b2f9d4f49f8e24865510678cb6e9f8469cc28d.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 304 | 063a2b291e4309199b63f23b45b2f9d4f49f8e24865510678cb6e9f8469cc28d.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  description | pid | process | target process
  PID 304 wrote to memory of 1644 | 304 | 063a2b291e4309199b63f23b45b2f9d4f49f8e24865510678cb6e9f8469cc28d.exe | MediaCenter.exe
  PID 304 wrote to memory of 1644 | 304 | 063a2b291e4309199b63f23b45b2f9d4f49f8e24865510678cb6e9f8469cc28d.exe | MediaCenter.exe
  PID 304 wrote to memory of 1644 | 304 | 063a2b291e4309199b63f23b45b2f9d4f49f8e24865510678cb6e9f8469cc28d.exe | MediaCenter.exe
  PID 304 wrote to memory of 1644 | 304 | 063a2b291e4309199b63f23b45b2f9d4f49f8e24865510678cb6e9f8469cc28d.exe | MediaCenter.exe
  PID 304 wrote to memory of 1076 | 304 | 063a2b291e4309199b63f23b45b2f9d4f49f8e24865510678cb6e9f8469cc28d.exe | cmd.exe
  PID 304 wrote to memory of 1076 | 304 | 063a2b291e4309199b63f23b45b2f9d4f49f8e24865510678cb6e9f8469cc28d.exe | cmd.exe
  PID 304 wrote to memory of 1076 | 304 | 063a2b291e4309199b63f23b45b2f9d4f49f8e24865510678cb6e9f8469cc28d.exe | cmd.exe
  PID 304 wrote to memory of 1076 | 304 | 063a2b291e4309199b63f23b45b2f9d4f49f8e24865510678cb6e9f8469cc28d.exe | cmd.exe
  PID 1076 wrote to memory of 1160 | 1076 | cmd.exe | PING.EXE
  PID 1076 wrote to memory of 1160 | 1076 | cmd.exe | PING.EXE
  PID 1076 wrote to memory of 1160 | 1076 | cmd.exe | PING.EXE
  PID 1076 wrote to memory of 1160 | 1076 | cmd.exe | PING.EXE
Processes
- Image: C:\Users\Admin\AppData\Local\Temp\063a2b291e4309199b63f23b45b2f9d4f49f8e24865510678cb6e9f8469cc28d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\063a2b291e4309199b63f23b45b2f9d4f49f8e24865510678cb6e9f8469cc28d.exe"
  PID: 304
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Image: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 1644
    - Executes dropped EXE
  - Image: C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\063a2b291e4309199b63f23b45b2f9d4f49f8e24865510678cb6e9f8469cc28d.exe"
    PID: 1076
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - Image: C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 1160
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: fad0005f3f6a4886c66aecc27c8133a8
  SHA1: 83ae62af38f3b76e119f91d2536fd712f9d5a3b9
  SHA256: 51c1ddd0b81bfa3e102b862b6e889d802f97113714dbedac3ef7caa6b06eb9fa
  SHA512: 9cc99231fdbee9df66a730fd41972bd70ad875a3192db3f31efd40909cce5de34451ec52b6bdd58b44332db854fd23af165b751ac17bfa6ac398dcef7ad98766
- \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: fad0005f3f6a4886c66aecc27c8133a8
  SHA1: 83ae62af38f3b76e119f91d2536fd712f9d5a3b9
  SHA256: 51c1ddd0b81bfa3e102b862b6e889d802f97113714dbedac3ef7caa6b06eb9fa
  SHA512: 9cc99231fdbee9df66a730fd41972bd70ad875a3192db3f31efd40909cce5de34451ec52b6bdd58b44332db854fd23af165b751ac17bfa6ac398dcef7ad98766
- memory/304-55-0x00000000762C1000-0x00000000762C3000-memory.dmp
  Filesize: 8KB