Analysis
- max time kernel: 152s
- max time network: 168s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 10:54
Static task: static1
Behavioral task: behavioral1
  Sample: 05d937ee6b04d9c64e2ba0abe440b5e888e1b70fc8bf4a0518f896d08aa6a6d2.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 05d937ee6b04d9c64e2ba0abe440b5e888e1b70fc8bf4a0518f896d08aa6a6d2.exe
  Resource: win10v2004-en-20220113
General
- Target: 05d937ee6b04d9c64e2ba0abe440b5e888e1b70fc8bf4a0518f896d08aa6a6d2.exe
- Size: 192KB
- MD5: 0a14b6a5b5bef15d7418404c5a3f8ca2
- SHA1: df74b88e00e15d3863c45ddc309e224d93fcdb04
- SHA256: 05d937ee6b04d9c64e2ba0abe440b5e888e1b70fc8bf4a0518f896d08aa6a6d2
- SHA512: 062fae83a3c26e92b60700de310544d125caa9377cb4b140d09c963c413d69875ca7dc1fc17973a444f073f20c8b7e74d3764cb79c75b78239f28ffc4ed9079a
Malware Config
Signatures
- Sakula Payload (3 IoCs)
  Processes:
    resource                                                      yara_rule
    \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe    family_sakula
    \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe    family_sakula
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  family_sakula
- Executes dropped EXE (1 IoCs)
  Processes:
    pid   process
    1224  MediaCenter.exe
- Deletes itself (1 IoCs)
  Processes:
    pid  process
    396  cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes:
    pid   process
    1892  05d937ee6b04d9c64e2ba0abe440b5e888e1b70fc8bf4a0518f896d08aa6a6d2.exe
    1892  05d937ee6b04d9c64e2ba0abe440b5e888e1b70fc8bf4a0518f896d08aa6a6d2.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
    description      ioc                                                                                                                                                      process
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  05d937ee6b04d9c64e2ba0abe440b5e888e1b70fc8bf4a0518f896d08aa6a6d2.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
    description                        pid   process
    Token: SeIncBasePriorityPrivilege  1892  05d937ee6b04d9c64e2ba0abe440b5e888e1b70fc8bf4a0518f896d08aa6a6d2.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
    description                       pid   process                                                                  target process
    PID 1892 wrote to memory of 1224  1892  05d937ee6b04d9c64e2ba0abe440b5e888e1b70fc8bf4a0518f896d08aa6a6d2.exe  MediaCenter.exe
    PID 1892 wrote to memory of 1224  1892  05d937ee6b04d9c64e2ba0abe440b5e888e1b70fc8bf4a0518f896d08aa6a6d2.exe  MediaCenter.exe
    PID 1892 wrote to memory of 1224  1892  05d937ee6b04d9c64e2ba0abe440b5e888e1b70fc8bf4a0518f896d08aa6a6d2.exe  MediaCenter.exe
    PID 1892 wrote to memory of 1224  1892  05d937ee6b04d9c64e2ba0abe440b5e888e1b70fc8bf4a0518f896d08aa6a6d2.exe  MediaCenter.exe
    PID 1892 wrote to memory of 396   1892  05d937ee6b04d9c64e2ba0abe440b5e888e1b70fc8bf4a0518f896d08aa6a6d2.exe  cmd.exe
    PID 1892 wrote to memory of 396   1892  05d937ee6b04d9c64e2ba0abe440b5e888e1b70fc8bf4a0518f896d08aa6a6d2.exe  cmd.exe
    PID 1892 wrote to memory of 396   1892  05d937ee6b04d9c64e2ba0abe440b5e888e1b70fc8bf4a0518f896d08aa6a6d2.exe  cmd.exe
    PID 1892 wrote to memory of 396   1892  05d937ee6b04d9c64e2ba0abe440b5e888e1b70fc8bf4a0518f896d08aa6a6d2.exe  cmd.exe
    PID 396 wrote to memory of 1184   396   cmd.exe                                                                  PING.EXE
    PID 396 wrote to memory of 1184   396   cmd.exe                                                                  PING.EXE
    PID 396 wrote to memory of 1184   396   cmd.exe                                                                  PING.EXE
    PID 396 wrote to memory of 1184   396   cmd.exe                                                                  PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\05d937ee6b04d9c64e2ba0abe440b5e888e1b70fc8bf4a0518f896d08aa6a6d2.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\05d937ee6b04d9c64e2ba0abe440b5e888e1b70fc8bf4a0518f896d08aa6a6d2.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1892
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1224
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\05d937ee6b04d9c64e2ba0abe440b5e888e1b70fc8bf4a0518f896d08aa6a6d2.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 396
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1184
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 98e33bf4184d0605df8de7df8b1d0d28
  SHA1: 79fdf1f12455d0d31cd2d6429bc6c90290f42ae0
  SHA256: 718a98b9cfed73d7d61761b2b33fa5bef8db38bd503152798f07803a09e88c38
  SHA512: 65de46873b9d95b5b3831de0545a6197c1d490d9746db99f8b98f9ade69b5394041382da6c5e6c4e17f78002aba19d96d64577fb128912cafc0fc830b39ad663
- memory/1892-54-0x0000000076071000-0x0000000076073000-memory.dmp
  Filesize: 8KB