Analysis
- max time kernel: 124s
- max time network: 140s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 10:50
Static task: static1
Behavioral task: behavioral1
  Sample: 06046fb72ed0ffa01602ef9317c3aaa2f6e71b4cb85029ea3cb6e6809130b76d.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 06046fb72ed0ffa01602ef9317c3aaa2f6e71b4cb85029ea3cb6e6809130b76d.exe
  Resource: win10v2004-en-20220113
General
- Target: 06046fb72ed0ffa01602ef9317c3aaa2f6e71b4cb85029ea3cb6e6809130b76d.exe
- Size: 100KB
- MD5: 5bbe87d18fb91852336e56b904266004
- SHA1: 3e1a9460570a2a25c8ec1faf3db6e29d4202bbc1
- SHA256: 06046fb72ed0ffa01602ef9317c3aaa2f6e71b4cb85029ea3cb6e6809130b76d
- SHA512: 46a25317151f73df1e04c2ffaf48fb6fed151e2df93fa5c4f84eb6909f4ce92ebefa65c031c5344f81c832cae818bb05f7f2fa47a32e2cbcb442d1bead4544e5
Malware Config
Signatures
- Sakula Payload (3 IoCs)
  Processes:
  resource | yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- Executes dropped EXE (1 IoCs)
  Processes:
  pid | process
  516 | MediaCenter.exe
- Deletes itself (1 IoCs)
  Processes:
  pid | process
  812 | cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes:
  pid | process
  956 | 06046fb72ed0ffa01602ef9317c3aaa2f6e71b4cb85029ea3cb6e6809130b76d.exe
  956 | 06046fb72ed0ffa01602ef9317c3aaa2f6e71b4cb85029ea3cb6e6809130b76d.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 06046fb72ed0ffa01602ef9317c3aaa2f6e71b4cb85029ea3cb6e6809130b76d.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 956 | 06046fb72ed0ffa01602ef9317c3aaa2f6e71b4cb85029ea3cb6e6809130b76d.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
  description | pid | process | target process
  PID 956 wrote to memory of 516 | 956 | 06046fb72ed0ffa01602ef9317c3aaa2f6e71b4cb85029ea3cb6e6809130b76d.exe | MediaCenter.exe
  PID 956 wrote to memory of 516 | 956 | 06046fb72ed0ffa01602ef9317c3aaa2f6e71b4cb85029ea3cb6e6809130b76d.exe | MediaCenter.exe
  PID 956 wrote to memory of 516 | 956 | 06046fb72ed0ffa01602ef9317c3aaa2f6e71b4cb85029ea3cb6e6809130b76d.exe | MediaCenter.exe
  PID 956 wrote to memory of 516 | 956 | 06046fb72ed0ffa01602ef9317c3aaa2f6e71b4cb85029ea3cb6e6809130b76d.exe | MediaCenter.exe
  PID 956 wrote to memory of 812 | 956 | 06046fb72ed0ffa01602ef9317c3aaa2f6e71b4cb85029ea3cb6e6809130b76d.exe | cmd.exe
  PID 956 wrote to memory of 812 | 956 | 06046fb72ed0ffa01602ef9317c3aaa2f6e71b4cb85029ea3cb6e6809130b76d.exe | cmd.exe
  PID 956 wrote to memory of 812 | 956 | 06046fb72ed0ffa01602ef9317c3aaa2f6e71b4cb85029ea3cb6e6809130b76d.exe | cmd.exe
  PID 956 wrote to memory of 812 | 956 | 06046fb72ed0ffa01602ef9317c3aaa2f6e71b4cb85029ea3cb6e6809130b76d.exe | cmd.exe
  PID 812 wrote to memory of 1200 | 812 | cmd.exe | PING.EXE
  PID 812 wrote to memory of 1200 | 812 | cmd.exe | PING.EXE
  PID 812 wrote to memory of 1200 | 812 | cmd.exe | PING.EXE
  PID 812 wrote to memory of 1200 | 812 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\06046fb72ed0ffa01602ef9317c3aaa2f6e71b4cb85029ea3cb6e6809130b76d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\06046fb72ed0ffa01602ef9317c3aaa2f6e71b4cb85029ea3cb6e6809130b76d.exe"
  PID: 956
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 516
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\06046fb72ed0ffa01602ef9317c3aaa2f6e71b4cb85029ea3cb6e6809130b76d.exe"
    PID: 812
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 1200
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 3214624d3992d7d1913a0b4f820e63db
  SHA1: 1fdc099e4a7700272364f56b8985bd05441b654f
  SHA256: f13d6d48c2fc47397caab8e6d0fc76ca236e8db7310828e972dd449d40a16a7e
  SHA512: e56d1f6f2289ebcd2c2aa7a324cfe62a0ed9a9eacfa387e1a3225c83eeea579dee90661eecb6e7bd15d8af5d3452674d4ba35f175b83b73500b63f7d38322771
- \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 3214624d3992d7d1913a0b4f820e63db
  SHA1: 1fdc099e4a7700272364f56b8985bd05441b654f
  SHA256: f13d6d48c2fc47397caab8e6d0fc76ca236e8db7310828e972dd449d40a16a7e
  SHA512: e56d1f6f2289ebcd2c2aa7a324cfe62a0ed9a9eacfa387e1a3225c83eeea579dee90661eecb6e7bd15d8af5d3452674d4ba35f175b83b73500b63f7d38322771
- memory/956-54-0x0000000075AB1000-0x0000000075AB3000-memory.dmp
  Filesize: 8KB