Analysis
- max time kernel: 131s
- max time network: 141s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 10:44
Static task: static1
Behavioral task: behavioral1
  Sample: 0643f2cd9e5e8af4df9be896e93f758f5f2cf92b9aba29aa22d8a36afb56bf56.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0643f2cd9e5e8af4df9be896e93f758f5f2cf92b9aba29aa22d8a36afb56bf56.exe
  Resource: win10v2004-en-20220112
General
- Target: 0643f2cd9e5e8af4df9be896e93f758f5f2cf92b9aba29aa22d8a36afb56bf56.exe
- Size: 92KB
- MD5: e1b788ede6adde51696a4bb3237b185f
- SHA1: 0e95e623da58696d8e1e27f8acaf8ab8c5537810
- SHA256: 0643f2cd9e5e8af4df9be896e93f758f5f2cf92b9aba29aa22d8a36afb56bf56
- SHA512: fa462a83222e19e10312254522e0c814966695dbad68d40bc6559f2ab608c2e496f624d7472a0acf4cf5c39d56a5388c99d8935d829358e2e55c418262187ed8
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  Processes (resource, yara_rule):
    \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  family_sakula
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  family_sakula
- Executes dropped EXE (1 IoC)
  Processes (pid, process):
    652  MediaCenter.exe
- Deletes itself (1 IoC)
  Processes (pid, process):
    988  cmd.exe
- Loads dropped DLL (1 IoC)
  Processes (pid, process):
    1668  0643f2cd9e5e8af4df9be896e93f758f5f2cf92b9aba29aa22d8a36afb56bf56.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description, ioc, process):
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  0643f2cd9e5e8af4df9be896e93f758f5f2cf92b9aba29aa22d8a36afb56bf56.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description, pid, process):
    Token: SeIncBasePriorityPrivilege  1668  0643f2cd9e5e8af4df9be896e93f758f5f2cf92b9aba29aa22d8a36afb56bf56.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description, pid, process, target process):
    PID 1668 wrote to memory of 652   1668  0643f2cd9e5e8af4df9be896e93f758f5f2cf92b9aba29aa22d8a36afb56bf56.exe  MediaCenter.exe  (4 identical entries)
    PID 1668 wrote to memory of 988   1668  0643f2cd9e5e8af4df9be896e93f758f5f2cf92b9aba29aa22d8a36afb56bf56.exe  cmd.exe  (4 identical entries)
    PID 988 wrote to memory of 1524   988   cmd.exe  PING.EXE  (4 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\0643f2cd9e5e8af4df9be896e93f758f5f2cf92b9aba29aa22d8a36afb56bf56.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0643f2cd9e5e8af4df9be896e93f758f5f2cf92b9aba29aa22d8a36afb56bf56.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1668
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 652
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0643f2cd9e5e8af4df9be896e93f758f5f2cf92b9aba29aa22d8a36afb56bf56.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 988
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1524
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: b8fccc51b95a9acc8ab925dff5d7e538
  SHA1: ee21aa886b1c51e84361abcb844efbf38cb5c76c
  SHA256: 275f30345e89110647ccf79b71cc780324198a1e792468dcc567697070a68c92
  SHA512: f92f76f7d60b6a53f0f4c5a37d8ff98dd9b9290994ca9026d3c520cdb048cf69e37bdd54007281eb543f3fdca75d06b8cc101b3032c30cee0eb2f0c761f47ab0
- \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: b8fccc51b95a9acc8ab925dff5d7e538
  SHA1: ee21aa886b1c51e84361abcb844efbf38cb5c76c
  SHA256: 275f30345e89110647ccf79b71cc780324198a1e792468dcc567697070a68c92
  SHA512: f92f76f7d60b6a53f0f4c5a37d8ff98dd9b9290994ca9026d3c520cdb048cf69e37bdd54007281eb543f3fdca75d06b8cc101b3032c30cee0eb2f0c761f47ab0
- memory/1668-55-0x0000000076141000-0x0000000076143000-memory.dmp
  Filesize: 8KB