Analysis
-
max time kernel
143s -
max time network
167s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
12-02-2022 11:12
Static task
static1
Behavioral task
behavioral1
Sample
0506621b53a2714a1fc5e80161e1802bd4b5aa46381ec507d3a7cf713acee49f.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
0506621b53a2714a1fc5e80161e1802bd4b5aa46381ec507d3a7cf713acee49f.exe
Resource
win10v2004-en-20220112
General
-
Target
0506621b53a2714a1fc5e80161e1802bd4b5aa46381ec507d3a7cf713acee49f.exe
-
Size
99KB
-
MD5
5f893d14ac3029cb3956cd9db5948c45
-
SHA1
8ea339fb9171a4931830df49361a2f11b1fa820a
-
SHA256
0506621b53a2714a1fc5e80161e1802bd4b5aa46381ec507d3a7cf713acee49f
-
SHA512
d9fc9fd2a67def54494afe340131302e7fa29d6845c45bca38ad8b1cb1fc6688176e0c0456b0db3b9a3aea1d43a415b23aa9bffc53a2069d884b757323c3d5ff
Malware Config
Signatures
-
Sakula Payload 3 IoCs
Processes:
resource yara_rule \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula -
Executes dropped EXE 1 IoCs
Processes:
MediaCenter.exepid process 1588 MediaCenter.exe -
Deletes itself 1 IoCs
Processes:
cmd.exepid process 1044 cmd.exe -
Loads dropped DLL 2 IoCs
Processes:
0506621b53a2714a1fc5e80161e1802bd4b5aa46381ec507d3a7cf713acee49f.exepid process 1568 0506621b53a2714a1fc5e80161e1802bd4b5aa46381ec507d3a7cf713acee49f.exe 1568 0506621b53a2714a1fc5e80161e1802bd4b5aa46381ec507d3a7cf713acee49f.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
0506621b53a2714a1fc5e80161e1802bd4b5aa46381ec507d3a7cf713acee49f.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" 0506621b53a2714a1fc5e80161e1802bd4b5aa46381ec507d3a7cf713acee49f.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
0506621b53a2714a1fc5e80161e1802bd4b5aa46381ec507d3a7cf713acee49f.exedescription pid process Token: SeIncBasePriorityPrivilege 1568 0506621b53a2714a1fc5e80161e1802bd4b5aa46381ec507d3a7cf713acee49f.exe -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
0506621b53a2714a1fc5e80161e1802bd4b5aa46381ec507d3a7cf713acee49f.execmd.exedescription pid process target process PID 1568 wrote to memory of 1588 1568 0506621b53a2714a1fc5e80161e1802bd4b5aa46381ec507d3a7cf713acee49f.exe MediaCenter.exe PID 1568 wrote to memory of 1588 1568 0506621b53a2714a1fc5e80161e1802bd4b5aa46381ec507d3a7cf713acee49f.exe MediaCenter.exe PID 1568 wrote to memory of 1588 1568 0506621b53a2714a1fc5e80161e1802bd4b5aa46381ec507d3a7cf713acee49f.exe MediaCenter.exe PID 1568 wrote to memory of 1588 1568 0506621b53a2714a1fc5e80161e1802bd4b5aa46381ec507d3a7cf713acee49f.exe MediaCenter.exe PID 1568 wrote to memory of 1044 1568 0506621b53a2714a1fc5e80161e1802bd4b5aa46381ec507d3a7cf713acee49f.exe cmd.exe PID 1568 wrote to memory of 1044 1568 0506621b53a2714a1fc5e80161e1802bd4b5aa46381ec507d3a7cf713acee49f.exe cmd.exe PID 1568 wrote to memory of 1044 1568 0506621b53a2714a1fc5e80161e1802bd4b5aa46381ec507d3a7cf713acee49f.exe cmd.exe PID 1568 wrote to memory of 1044 1568 0506621b53a2714a1fc5e80161e1802bd4b5aa46381ec507d3a7cf713acee49f.exe cmd.exe PID 1044 wrote to memory of 1492 1044 cmd.exe PING.EXE PID 1044 wrote to memory of 1492 1044 cmd.exe PING.EXE PID 1044 wrote to memory of 1492 1044 cmd.exe PING.EXE PID 1044 wrote to memory of 1492 1044 cmd.exe PING.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\0506621b53a2714a1fc5e80161e1802bd4b5aa46381ec507d3a7cf713acee49f.exe"C:\Users\Admin\AppData\Local\Temp\0506621b53a2714a1fc5e80161e1802bd4b5aa46381ec507d3a7cf713acee49f.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1568 -
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeC:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe2⤵
- Executes dropped EXE
PID:1588 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0506621b53a2714a1fc5e80161e1802bd4b5aa46381ec507d3a7cf713acee49f.exe"2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1044 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.13⤵
- Runs ping.exe
PID:1492
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeMD5
eb5fd3cf3b0d23a0da3ba478791f5b48
SHA18a732d6d7f7226d85f5b88a80fa7874adb8b12e8
SHA256315f2b0ba280fc7971eb0bedcc195708adf84e8e38b377593d19eebf9bbc5dc8
SHA5128bbd26222f2b87c85c282450c49be7b6bdddef8a4d6d69dd1d7a456e2e0023c4aa58b297ed29eaf37aa3e5416bc441e733b1f670468e20d17c9dda798a206fdc
-
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeMD5
eb5fd3cf3b0d23a0da3ba478791f5b48
SHA18a732d6d7f7226d85f5b88a80fa7874adb8b12e8
SHA256315f2b0ba280fc7971eb0bedcc195708adf84e8e38b377593d19eebf9bbc5dc8
SHA5128bbd26222f2b87c85c282450c49be7b6bdddef8a4d6d69dd1d7a456e2e0023c4aa58b297ed29eaf37aa3e5416bc441e733b1f670468e20d17c9dda798a206fdc
-
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeMD5
eb5fd3cf3b0d23a0da3ba478791f5b48
SHA18a732d6d7f7226d85f5b88a80fa7874adb8b12e8
SHA256315f2b0ba280fc7971eb0bedcc195708adf84e8e38b377593d19eebf9bbc5dc8
SHA5128bbd26222f2b87c85c282450c49be7b6bdddef8a4d6d69dd1d7a456e2e0023c4aa58b297ed29eaf37aa3e5416bc441e733b1f670468e20d17c9dda798a206fdc
-
memory/1568-55-0x0000000076371000-0x0000000076373000-memory.dmpFilesize
8KB