Analysis

- max time kernel: 125s
- max time network: 146s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 10:54
Static task: static1

Behavioral task: behavioral1
- Sample: 05de185145ee4285f9bf1b20d66b00c49f2ae367320fe98a95b009ee327cd0d3.exe
- Resource: win7-en-20211208

Behavioral task: behavioral2
- Sample: 05de185145ee4285f9bf1b20d66b00c49f2ae367320fe98a95b009ee327cd0d3.exe
- Resource: win10v2004-en-20220113
General

- Target: 05de185145ee4285f9bf1b20d66b00c49f2ae367320fe98a95b009ee327cd0d3.exe
- Size: 100KB
- MD5: ce2ac0eca54a6a9e61a5a0584e43158c
- SHA1: 1708f300d31ad2b65d865e715c306646b08f5587
- SHA256: 05de185145ee4285f9bf1b20d66b00c49f2ae367320fe98a95b009ee327cd0d3
- SHA512: 00ba903ee26ceda173aaf82a2f4f66e9dce3a858d57399d6679466d7ddcd44331b42f31a9763e2dd570325dfa85ca397f64aed3fb85f4487cdd9a22d933586bb
Malware Config
Signatures

- Sakula Payload (3 IoCs)
  Processes (resource | yara_rule):
    \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
    \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula

- Executes dropped EXE (1 IoC)
  Processes (pid | process):
    1636 | MediaCenter.exe

- Deletes itself (1 IoC)
  Processes (pid | process):
    1564 | cmd.exe

- Loads dropped DLL (2 IoCs)
  Processes (pid | process):
    1648 | 05de185145ee4285f9bf1b20d66b00c49f2ae367320fe98a95b009ee327cd0d3.exe
    1648 | 05de185145ee4285f9bf1b20d66b00c49f2ae367320fe98a95b009ee327cd0d3.exe

- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description | ioc | process):
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 05de185145ee4285f9bf1b20d66b00c49f2ae367320fe98a95b009ee327cd0d3.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Runs ping.exe (1 TTP, 1 IoC)

- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description | pid | process):
    Token: SeIncBasePriorityPrivilege | 1648 | 05de185145ee4285f9bf1b20d66b00c49f2ae367320fe98a95b009ee327cd0d3.exe

- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description | pid | process | target process):
    PID 1648 wrote to memory of 1636 | 1648 | 05de185145ee4285f9bf1b20d66b00c49f2ae367320fe98a95b009ee327cd0d3.exe | MediaCenter.exe
    PID 1648 wrote to memory of 1636 | 1648 | 05de185145ee4285f9bf1b20d66b00c49f2ae367320fe98a95b009ee327cd0d3.exe | MediaCenter.exe
    PID 1648 wrote to memory of 1636 | 1648 | 05de185145ee4285f9bf1b20d66b00c49f2ae367320fe98a95b009ee327cd0d3.exe | MediaCenter.exe
    PID 1648 wrote to memory of 1636 | 1648 | 05de185145ee4285f9bf1b20d66b00c49f2ae367320fe98a95b009ee327cd0d3.exe | MediaCenter.exe
    PID 1648 wrote to memory of 1564 | 1648 | 05de185145ee4285f9bf1b20d66b00c49f2ae367320fe98a95b009ee327cd0d3.exe | cmd.exe
    PID 1648 wrote to memory of 1564 | 1648 | 05de185145ee4285f9bf1b20d66b00c49f2ae367320fe98a95b009ee327cd0d3.exe | cmd.exe
    PID 1648 wrote to memory of 1564 | 1648 | 05de185145ee4285f9bf1b20d66b00c49f2ae367320fe98a95b009ee327cd0d3.exe | cmd.exe
    PID 1648 wrote to memory of 1564 | 1648 | 05de185145ee4285f9bf1b20d66b00c49f2ae367320fe98a95b009ee327cd0d3.exe | cmd.exe
    PID 1564 wrote to memory of 744 | 1564 | cmd.exe | PING.EXE
    PID 1564 wrote to memory of 744 | 1564 | cmd.exe | PING.EXE
    PID 1564 wrote to memory of 744 | 1564 | cmd.exe | PING.EXE
    PID 1564 wrote to memory of 744 | 1564 | cmd.exe | PING.EXE
Processes

- C:\Users\Admin\AppData\Local\Temp\05de185145ee4285f9bf1b20d66b00c49f2ae367320fe98a95b009ee327cd0d3.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\05de185145ee4285f9bf1b20d66b00c49f2ae367320fe98a95b009ee327cd0d3.exe"
  PID: 1648
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 1636
    - Executes dropped EXE

  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\05de185145ee4285f9bf1b20d66b00c49f2ae367320fe98a95b009ee327cd0d3.exe"
    PID: 1564
    - Deletes itself
    - Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 744
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads

- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 01e5d4408242e063fd2f8198207142b4
  SHA1: ff85d991ef174c9b66002eaa7efab51ecc2ea724
  SHA256: 3eb939454a2c46fdf20c65299842725d5100c04937a84904f9b599f57709676c
  SHA512: aca543048d17f0acebbfcbe80389321296c60d80d5a519656d5640118fefd6a4807c79b38318a5ea205a4d166515d559a026980fb32e87a72dbe7dac07d1873e

- \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 01e5d4408242e063fd2f8198207142b4
  SHA1: ff85d991ef174c9b66002eaa7efab51ecc2ea724
  SHA256: 3eb939454a2c46fdf20c65299842725d5100c04937a84904f9b599f57709676c
  SHA512: aca543048d17f0acebbfcbe80389321296c60d80d5a519656d5640118fefd6a4807c79b38318a5ea205a4d166515d559a026980fb32e87a72dbe7dac07d1873e
- memory/1648-55-0x0000000075021000-0x0000000075023000-memory.dmp
  Filesize: 8KB