Analysis
- max time kernel: 149s
- max time network: 175s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 11:14
Static task: static1
Behavioral task: behavioral1
  Sample: 04f0b59852ff8840c9ecfdb0b3d232f334215b39b7d69773d6f393a72b84fafd.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 04f0b59852ff8840c9ecfdb0b3d232f334215b39b7d69773d6f393a72b84fafd.exe
  Resource: win10v2004-en-20220113
General
- Target: 04f0b59852ff8840c9ecfdb0b3d232f334215b39b7d69773d6f393a72b84fafd.exe
- Size: 99KB
- MD5: c9c08c21781d6a32ac538b5223c8d698
- SHA1: dc865f901083fbd577a6ba55b34d9969626c9a56
- SHA256: 04f0b59852ff8840c9ecfdb0b3d232f334215b39b7d69773d6f393a72b84fafd
- SHA512: a858e4dfbe08a3e23b846db96e44fe5440e42518f6323b62333b00db92de8afaa55d7a5ac492acdfde5c4c0fac32281df0f338373933f026341471627f21e2ed
Malware Config
Signatures
- Sakula Payload (3 IoCs)
  Processes:
  resource | yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- Executes dropped EXE (1 IoC)
  Processes:
  pid | process
  1224 | MediaCenter.exe
- Deletes itself (1 IoC)
  Processes:
  pid | process
  600 | cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes:
  pid | process
  1892 | 04f0b59852ff8840c9ecfdb0b3d232f334215b39b7d69773d6f393a72b84fafd.exe
  1892 | 04f0b59852ff8840c9ecfdb0b3d232f334215b39b7d69773d6f393a72b84fafd.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 04f0b59852ff8840c9ecfdb0b3d232f334215b39b7d69773d6f393a72b84fafd.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 1892 | 04f0b59852ff8840c9ecfdb0b3d232f334215b39b7d69773d6f393a72b84fafd.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
  description | pid | process | target process
  PID 1892 wrote to memory of 1224 | 1892 | 04f0b59852ff8840c9ecfdb0b3d232f334215b39b7d69773d6f393a72b84fafd.exe | MediaCenter.exe
  PID 1892 wrote to memory of 1224 | 1892 | 04f0b59852ff8840c9ecfdb0b3d232f334215b39b7d69773d6f393a72b84fafd.exe | MediaCenter.exe
  PID 1892 wrote to memory of 1224 | 1892 | 04f0b59852ff8840c9ecfdb0b3d232f334215b39b7d69773d6f393a72b84fafd.exe | MediaCenter.exe
  PID 1892 wrote to memory of 1224 | 1892 | 04f0b59852ff8840c9ecfdb0b3d232f334215b39b7d69773d6f393a72b84fafd.exe | MediaCenter.exe
  PID 1892 wrote to memory of 600 | 1892 | 04f0b59852ff8840c9ecfdb0b3d232f334215b39b7d69773d6f393a72b84fafd.exe | cmd.exe
  PID 1892 wrote to memory of 600 | 1892 | 04f0b59852ff8840c9ecfdb0b3d232f334215b39b7d69773d6f393a72b84fafd.exe | cmd.exe
  PID 1892 wrote to memory of 600 | 1892 | 04f0b59852ff8840c9ecfdb0b3d232f334215b39b7d69773d6f393a72b84fafd.exe | cmd.exe
  PID 1892 wrote to memory of 600 | 1892 | 04f0b59852ff8840c9ecfdb0b3d232f334215b39b7d69773d6f393a72b84fafd.exe | cmd.exe
  PID 600 wrote to memory of 1084 | 600 | cmd.exe | PING.EXE
  PID 600 wrote to memory of 1084 | 600 | cmd.exe | PING.EXE
  PID 600 wrote to memory of 1084 | 600 | cmd.exe | PING.EXE
  PID 600 wrote to memory of 1084 | 600 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\04f0b59852ff8840c9ecfdb0b3d232f334215b39b7d69773d6f393a72b84fafd.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\04f0b59852ff8840c9ecfdb0b3d232f334215b39b7d69773d6f393a72b84fafd.exe"
  PID: 1892
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 1224
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\04f0b59852ff8840c9ecfdb0b3d232f334215b39b7d69773d6f393a72b84fafd.exe"
    PID: 600
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 1084
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 2407c5055e63dbaef2f6b20e9f095f70
  SHA1: b07cbbc511fad1ece844c6245052f33cc2ed452b
  SHA256: 614c60e658c5a57dc6e8f434d723fc22c6b85f3cd03ef91cbadff0295da90a4e
  SHA512: 2bbdf83a4c475321a0e436527e9f72cb30ad3406a676ac6b150cfd0b068bd80474bb980900eb81b88db74d43afa810c16bdc5db6246a29b47c1c44742e07a32d
- memory/1892-54-0x0000000076071000-0x0000000076073000-memory.dmp
  Filesize: 8KB