Analysis
- max time kernel: 145s
- max time network: 176s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 11:13
Static task: static1
Behavioral task: behavioral1
  Sample: 04fbda2a81be576a2d139c12e9fe0d53ae563244567b452573272a8e9294077f.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 04fbda2a81be576a2d139c12e9fe0d53ae563244567b452573272a8e9294077f.exe
  Resource: win10v2004-en-20220113
General
- Target: 04fbda2a81be576a2d139c12e9fe0d53ae563244567b452573272a8e9294077f.exe
- Size: 100KB
- MD5: dff15118d202bebe52bfd9208b2c6e88
- SHA1: d5a17c401838c6bdb38ee6599820435c363304f6
- SHA256: 04fbda2a81be576a2d139c12e9fe0d53ae563244567b452573272a8e9294077f
- SHA512: 6b96bffeabee15917c25fc0c9e78a6f5d7316a4afd4521f85df473b669cfda99f3f19444cc90be2135f1cc3f61cf98771493fae5a318080f91e5222571f61316
Malware Config
Signatures
- Sakula Payload (3 IoCs)
  Processes:
    resource                                                      yara_rule
    \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe    family_sakula
    \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe    family_sakula
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  family_sakula
- Executes dropped EXE (1 IoC)
  Processes:
    pid 1616  process MediaCenter.exe
- Deletes itself (1 IoC)
  Processes:
    pid 756  process cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes:
    pid 1752  process 04fbda2a81be576a2d139c12e9fe0d53ae563244567b452573272a8e9294077f.exe
    pid 1752  process 04fbda2a81be576a2d139c12e9fe0d53ae563244567b452573272a8e9294077f.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    description: Set value (str)
    ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
    process: 04fbda2a81be576a2d139c12e9fe0d53ae563244567b452573272a8e9294077f.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description: Token: SeIncBasePriorityPrivilege
    pid 1752  process 04fbda2a81be576a2d139c12e9fe0d53ae563244567b452573272a8e9294077f.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
    description                        pid   process                                                                 target process
    PID 1752 wrote to memory of 1616   1752  04fbda2a81be576a2d139c12e9fe0d53ae563244567b452573272a8e9294077f.exe  MediaCenter.exe
    PID 1752 wrote to memory of 1616   1752  04fbda2a81be576a2d139c12e9fe0d53ae563244567b452573272a8e9294077f.exe  MediaCenter.exe
    PID 1752 wrote to memory of 1616   1752  04fbda2a81be576a2d139c12e9fe0d53ae563244567b452573272a8e9294077f.exe  MediaCenter.exe
    PID 1752 wrote to memory of 1616   1752  04fbda2a81be576a2d139c12e9fe0d53ae563244567b452573272a8e9294077f.exe  MediaCenter.exe
    PID 1752 wrote to memory of 756    1752  04fbda2a81be576a2d139c12e9fe0d53ae563244567b452573272a8e9294077f.exe  cmd.exe
    PID 1752 wrote to memory of 756    1752  04fbda2a81be576a2d139c12e9fe0d53ae563244567b452573272a8e9294077f.exe  cmd.exe
    PID 1752 wrote to memory of 756    1752  04fbda2a81be576a2d139c12e9fe0d53ae563244567b452573272a8e9294077f.exe  cmd.exe
    PID 1752 wrote to memory of 756    1752  04fbda2a81be576a2d139c12e9fe0d53ae563244567b452573272a8e9294077f.exe  cmd.exe
    PID 756 wrote to memory of 1640    756   cmd.exe                                                                 PING.EXE
    PID 756 wrote to memory of 1640    756   cmd.exe                                                                 PING.EXE
    PID 756 wrote to memory of 1640    756   cmd.exe                                                                 PING.EXE
    PID 756 wrote to memory of 1640    756   cmd.exe                                                                 PING.EXE
Processes
- [depth 1] C:\Users\Admin\AppData\Local\Temp\04fbda2a81be576a2d139c12e9fe0d53ae563244567b452573272a8e9294077f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\04fbda2a81be576a2d139c12e9fe0d53ae563244567b452573272a8e9294077f.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1752
  - [depth 2] C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1616
  - [depth 2] C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\04fbda2a81be576a2d139c12e9fe0d53ae563244567b452573272a8e9294077f.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 756
    - [depth 3] C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1640
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 497cb92a47c8fb941e005740cb9fa9e2
  SHA1: 4e2c2c7b6e6ea943604ca3205bcd7af47ec54b3a
  SHA256: 6fa76ca955adc08ab27c8aad339e81bb564b372939bddcf813f24fadfc678a44
  SHA512: a5641db82300ab31c78c25843a4e7c745c40c9b52150e56455e788f5d071ba38174d69ec873fdc8b5368ecbc8251b243604522f0d9d25fee8a2009b7d20bde38
- \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 497cb92a47c8fb941e005740cb9fa9e2
  SHA1: 4e2c2c7b6e6ea943604ca3205bcd7af47ec54b3a
  SHA256: 6fa76ca955adc08ab27c8aad339e81bb564b372939bddcf813f24fadfc678a44
  SHA512: a5641db82300ab31c78c25843a4e7c745c40c9b52150e56455e788f5d071ba38174d69ec873fdc8b5368ecbc8251b243604522f0d9d25fee8a2009b7d20bde38
- memory/1752-55-0x0000000076921000-0x0000000076923000-memory.dmp
  Filesize: 8KB