Analysis
- max time kernel: 121s
- max time network: 140s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 11:53
Static task: static1
Behavioral task: behavioral1
  Sample: 032124fdd2697b2f94dda58ff2b2ca275d7bf7467ce22c119c7521c15752fa6d.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 032124fdd2697b2f94dda58ff2b2ca275d7bf7467ce22c119c7521c15752fa6d.exe
  Resource: win10v2004-en-20220112
General
- Target: 032124fdd2697b2f94dda58ff2b2ca275d7bf7467ce22c119c7521c15752fa6d.exe
- Size: 101KB
- MD5: a33efe91398284a5bddea2ebeb7fa642
- SHA1: a68def0c4c38d63d7f5649d50e7d96bd859e1c0a
- SHA256: 032124fdd2697b2f94dda58ff2b2ca275d7bf7467ce22c119c7521c15752fa6d
- SHA512: d80f785d8e4d107ca65021e1073c0d578763ff26e4576ac2c5304a13bd7837cf563621b360034b8d560cb6a2a1fea17fc0b22a1d0847c238c30a194d2c3cf314
Malware Config
Signatures
- Sakula Payload (3 IoCs)
  Processes:
  resource | yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- Executes dropped EXE (1 IoCs)
  Processes: MediaCenter.exe
  pid | process
  1552 | MediaCenter.exe
- Deletes itself (1 IoCs)
  Processes: cmd.exe
  pid | process
  1528 | cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes: 032124fdd2697b2f94dda58ff2b2ca275d7bf7467ce22c119c7521c15752fa6d.exe
  pid | process
  1700 | 032124fdd2697b2f94dda58ff2b2ca275d7bf7467ce22c119c7521c15752fa6d.exe
  1700 | 032124fdd2697b2f94dda58ff2b2ca275d7bf7467ce22c119c7521c15752fa6d.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes: 032124fdd2697b2f94dda58ff2b2ca275d7bf7467ce22c119c7521c15752fa6d.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 032124fdd2697b2f94dda58ff2b2ca275d7bf7467ce22c119c7521c15752fa6d.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: 032124fdd2697b2f94dda58ff2b2ca275d7bf7467ce22c119c7521c15752fa6d.exe
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 1700 | 032124fdd2697b2f94dda58ff2b2ca275d7bf7467ce22c119c7521c15752fa6d.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes: 032124fdd2697b2f94dda58ff2b2ca275d7bf7467ce22c119c7521c15752fa6d.exe, cmd.exe
  description | pid | process | target process
  PID 1700 wrote to memory of 1552 | 1700 | 032124fdd2697b2f94dda58ff2b2ca275d7bf7467ce22c119c7521c15752fa6d.exe | MediaCenter.exe
  PID 1700 wrote to memory of 1552 | 1700 | 032124fdd2697b2f94dda58ff2b2ca275d7bf7467ce22c119c7521c15752fa6d.exe | MediaCenter.exe
  PID 1700 wrote to memory of 1552 | 1700 | 032124fdd2697b2f94dda58ff2b2ca275d7bf7467ce22c119c7521c15752fa6d.exe | MediaCenter.exe
  PID 1700 wrote to memory of 1552 | 1700 | 032124fdd2697b2f94dda58ff2b2ca275d7bf7467ce22c119c7521c15752fa6d.exe | MediaCenter.exe
  PID 1700 wrote to memory of 1528 | 1700 | 032124fdd2697b2f94dda58ff2b2ca275d7bf7467ce22c119c7521c15752fa6d.exe | cmd.exe
  PID 1700 wrote to memory of 1528 | 1700 | 032124fdd2697b2f94dda58ff2b2ca275d7bf7467ce22c119c7521c15752fa6d.exe | cmd.exe
  PID 1700 wrote to memory of 1528 | 1700 | 032124fdd2697b2f94dda58ff2b2ca275d7bf7467ce22c119c7521c15752fa6d.exe | cmd.exe
  PID 1700 wrote to memory of 1528 | 1700 | 032124fdd2697b2f94dda58ff2b2ca275d7bf7467ce22c119c7521c15752fa6d.exe | cmd.exe
  PID 1528 wrote to memory of 816 | 1528 | cmd.exe | PING.EXE
  PID 1528 wrote to memory of 816 | 1528 | cmd.exe | PING.EXE
  PID 1528 wrote to memory of 816 | 1528 | cmd.exe | PING.EXE
  PID 1528 wrote to memory of 816 | 1528 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\032124fdd2697b2f94dda58ff2b2ca275d7bf7467ce22c119c7521c15752fa6d.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\032124fdd2697b2f94dda58ff2b2ca275d7bf7467ce22c119c7521c15752fa6d.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1700
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1552
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\032124fdd2697b2f94dda58ff2b2ca275d7bf7467ce22c119c7521c15752fa6d.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1528
    - C:\Windows\SysWOW64\PING.EXE (depth 3)
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 816
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 2bf6b8a83111903dd4332ba759c37290
  SHA1: 153dd6b366fef117a52052852e9dd6a92dd0bf0c
  SHA256: 5635e547585296812272a7f23dffd1ab61fe12e98e5b43af17039c46a127b2de
  SHA512: 0fcda33ae5a1dcc7800f490f13bc09b0b2da5525477d0c6be4ef4bff501015aec49f3508a7f051414f818379bbc4c3464eb54eba6414c00adf33f4c9f18d5ea9
- \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 2bf6b8a83111903dd4332ba759c37290
  SHA1: 153dd6b366fef117a52052852e9dd6a92dd0bf0c
  SHA256: 5635e547585296812272a7f23dffd1ab61fe12e98e5b43af17039c46a127b2de
  SHA512: 0fcda33ae5a1dcc7800f490f13bc09b0b2da5525477d0c6be4ef4bff501015aec49f3508a7f051414f818379bbc4c3464eb54eba6414c00adf33f4c9f18d5ea9
- memory/1700-54-0x0000000075601000-0x0000000075603000-memory.dmp
  Filesize: 8KB