Analysis
  max time kernel: 121s
  max time network: 151s
  platform: windows7_x64
  resource: win7-en-20211208
  submitted: 12-02-2022 11:11
Static task: static1
Behavioral task: behavioral1
  Sample: 05132eed5065552a3be2cc40346bff127455896954935b8b2c8beba39c027e0a.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 05132eed5065552a3be2cc40346bff127455896954935b8b2c8beba39c027e0a.exe
  Resource: win10v2004-en-20220113
General
  Target: 05132eed5065552a3be2cc40346bff127455896954935b8b2c8beba39c027e0a.exe
  Size: 101KB
  MD5: 6af5b78e7507583e68812c3c3a96ff01
  SHA1: 0ae8898672017046ad6a8648c3d27d13f43c7ad4
  SHA256: 05132eed5065552a3be2cc40346bff127455896954935b8b2c8beba39c027e0a
  SHA512: ba24ee8326a4b574f42eb4525a79c35538645ce9041cb71330cd8da210358c3d4dfea4a728f7dc8068fd60ae3e44f255ea513cef81a364ef4893d79b7a40bd02
Malware Config
Signatures
Sakula Payload (3 IoCs)
  resource | yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
Executes dropped EXE (1 IoCs)
  pid | process
  520 | MediaCenter.exe
Deletes itself (1 IoCs)
  pid | process
  1136 | cmd.exe
Loads dropped DLL (2 IoCs)
  pid | process
  1876 | 05132eed5065552a3be2cc40346bff127455896954935b8b2c8beba39c027e0a.exe
  1876 | 05132eed5065552a3be2cc40346bff127455896954935b8b2c8beba39c027e0a.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 05132eed5065552a3be2cc40346bff127455896954935b8b2c8beba39c027e0a.exe
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Runs ping.exe (1 TTPs, 1 IoCs)
Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 1876 | 05132eed5065552a3be2cc40346bff127455896954935b8b2c8beba39c027e0a.exe
Suspicious use of WriteProcessMemory (12 IoCs)
  description | pid | process | target process
  PID 1876 wrote to memory of 520 | 1876 | 05132eed5065552a3be2cc40346bff127455896954935b8b2c8beba39c027e0a.exe | MediaCenter.exe
  PID 1876 wrote to memory of 520 | 1876 | 05132eed5065552a3be2cc40346bff127455896954935b8b2c8beba39c027e0a.exe | MediaCenter.exe
  PID 1876 wrote to memory of 520 | 1876 | 05132eed5065552a3be2cc40346bff127455896954935b8b2c8beba39c027e0a.exe | MediaCenter.exe
  PID 1876 wrote to memory of 520 | 1876 | 05132eed5065552a3be2cc40346bff127455896954935b8b2c8beba39c027e0a.exe | MediaCenter.exe
  PID 1876 wrote to memory of 1136 | 1876 | 05132eed5065552a3be2cc40346bff127455896954935b8b2c8beba39c027e0a.exe | cmd.exe
  PID 1876 wrote to memory of 1136 | 1876 | 05132eed5065552a3be2cc40346bff127455896954935b8b2c8beba39c027e0a.exe | cmd.exe
  PID 1876 wrote to memory of 1136 | 1876 | 05132eed5065552a3be2cc40346bff127455896954935b8b2c8beba39c027e0a.exe | cmd.exe
  PID 1876 wrote to memory of 1136 | 1876 | 05132eed5065552a3be2cc40346bff127455896954935b8b2c8beba39c027e0a.exe | cmd.exe
  PID 1136 wrote to memory of 744 | 1136 | cmd.exe | PING.EXE
  PID 1136 wrote to memory of 744 | 1136 | cmd.exe | PING.EXE
  PID 1136 wrote to memory of 744 | 1136 | cmd.exe | PING.EXE
  PID 1136 wrote to memory of 744 | 1136 | cmd.exe | PING.EXE
Processes
[1] C:\Users\Admin\AppData\Local\Temp\05132eed5065552a3be2cc40346bff127455896954935b8b2c8beba39c027e0a.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\05132eed5065552a3be2cc40346bff127455896954935b8b2c8beba39c027e0a.exe"
    PID: 1876
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
        PID: 520
        - Executes dropped EXE
    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\05132eed5065552a3be2cc40346bff127455896954935b8b2c8beba39c027e0a.exe"
        PID: 1136
        - Deletes itself
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\PING.EXE
            Command line: ping 127.0.0.1
            PID: 744
            - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 232eec95e7bbdeab3ec0ac26ea725dad
  SHA1: afe8a52305767206a4d2b021a6ffb4f836aa24c1
  SHA256: 179245ae7e2df93533669f2b1dbadcfb323f6165c96947461fea57da49bf6bf5
  SHA512: 5e261be4138ae93cc40ff3bf9354064e72a16f57406ffa3c105ca19db1d439e7381b85d6ca5acaac32fd428a6e917cde24eb9a3ef991bf175f2f0892eb463446
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 232eec95e7bbdeab3ec0ac26ea725dad
  SHA1: afe8a52305767206a4d2b021a6ffb4f836aa24c1
  SHA256: 179245ae7e2df93533669f2b1dbadcfb323f6165c96947461fea57da49bf6bf5
  SHA512: 5e261be4138ae93cc40ff3bf9354064e72a16f57406ffa3c105ca19db1d439e7381b85d6ca5acaac32fd428a6e917cde24eb9a3ef991bf175f2f0892eb463446
memory/1876-54-0x0000000076121000-0x0000000076123000-memory.dmp
  Filesize: 8KB