Analysis
- max time kernel: 146s
- max time network: 163s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 11:13
Static task: static1
Behavioral task: behavioral1
  Sample: 04f7a907eb531d1121b13f3ba0f941b69685ca2e1698087b68ee16eebce80183.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 04f7a907eb531d1121b13f3ba0f941b69685ca2e1698087b68ee16eebce80183.exe
  Resource: win10v2004-en-20220112
The results below are from behavioral1 (windows7_x64, win7-en-20211208).
General
- Target: 04f7a907eb531d1121b13f3ba0f941b69685ca2e1698087b68ee16eebce80183.exe
- Size: 200KB
- MD5: dc20bcf7b6d6677032b6c40f917d7044
- SHA1: 27da706859a88791568387ab484bb9634beb86ee
- SHA256: 04f7a907eb531d1121b13f3ba0f941b69685ca2e1698087b68ee16eebce80183
- SHA512: c4e95fb85b024eb0938b19a4f750cfeead73190a7015e9c34c5dc6d6846286fc192c9544fc250d3155364e298d0b9e8f6bda3361e8fceb674f2b47586e921a1e
Malware Config
Signatures

Sakula Payload (4 IoCs)
YARA rule family_sakula matched the following resources:
- \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
- behavioral1/memory/1044-58-0x0000000000400000-0x0000000000420000-memory.dmp
- behavioral1/memory/524-59-0x0000000000400000-0x0000000000420000-memory.dmp
The rule matches both the dropped file on disk and the 0x400000-0x420000 image region of the dropper (PID 1044) and of the dropped process (PID 524).

Executes dropped EXE (1 IoC)
- PID 524: MediaCenter.exe

Deletes itself (1 IoC)
- PID 1832: cmd.exe

Loads dropped DLL (1 IoC)
- PID 1044: 04f7a907eb531d1121b13f3ba0f941b69685ca2e1698087b68ee16eebce80183.exe
Adds Run key to start application (2 TTPs, 1 IoC)
- PID 1044 (04f7a907eb531d1121b13f3ba0f941b69685ca2e1698087b68ee16eebce80183.exe) set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
The key is HKLM\SOFTWARE\...\Run seen through the Wow6432Node view: the sample is a 32-bit process on x64 (its cmd.exe child also resolves to SysWOW64), so the write lands under Wow6432Node. A hunt that reads only the native 64-bit Run key misses this entry; check both views. The persisted path is a user-writable Temp directory, which is itself a strong signal for a Run value.
Enumerates physical storage devices (1 TTP)
Sandbox description: attempts to interact with connected storage/optical drive(s); the sandbox labels this "likely ransomware behaviour". That heuristic fires on any drive enumeration and is weak evidence on its own. The family_sakula YARA match above points to Sakula, a remote-access trojan, and nothing else in this report (no mass file writes, no ransom note) supports a ransomware classification.
Runs ping.exe (1 TTP, 1 IoC)
- PID 1824: PING.EXE (ping 127.0.0.1, spawned by cmd.exe PID 1832 as the delay before del)
Suspicious use of AdjustPrivilegeToken (1 IoC)
- PID 1044 (04f7a907eb531d1121b13f3ba0f941b69685ca2e1698087b68ee16eebce80183.exe): Token: SeIncBasePriorityPrivilege
Suspicious use of WriteProcessMemory (12 IoCs)
- PID 1044 (04f7a907eb531d1121b13f3ba0f941b69685ca2e1698087b68ee16eebce80183.exe) wrote to memory of PID 524 (MediaCenter.exe): 4 events
- PID 1044 (04f7a907eb531d1121b13f3ba0f941b69685ca2e1698087b68ee16eebce80183.exe) wrote to memory of PID 1832 (cmd.exe): 4 events
- PID 1832 (cmd.exe) wrote to memory of PID 1824 (PING.EXE): 4 events
Each group of four corresponds to one parent-to-child edge in the process tree below, so these are writes into processes the source itself created rather than injection into an unrelated process.
Processes
1. C:\Users\Admin\AppData\Local\Temp\04f7a907eb531d1121b13f3ba0f941b69685ca2e1698087b68ee16eebce80183.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\04f7a907eb531d1121b13f3ba0f941b69685ca2e1698087b68ee16eebce80183.exe"
   PID: 1044
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      PID: 524
      - Executes dropped EXE
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\04f7a907eb531d1121b13f3ba0f941b69685ca2e1698087b68ee16eebce80183.exe"
      PID: 1832
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\PING.EXE
         Command line: ping 127.0.0.1
         PID: 1824
         - Runs ping.exe

The command line names System32\cmd.exe but the image resolves to SysWOW64\cmd.exe: the 32-bit dropper is subject to file system redirection. The ping to 127.0.0.1 is only a delay so that the dropper has exited (releasing the lock on its own image) by the time del runs; the dropped MediaCenter.exe, already started and persisted via the Run key, is what survives.
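The two behaviours above that are worth alerting on, the cmd.exe child that pings localhost and then deletes its parent's executable, and the Run key under Wow6432Node pointing into %LOCALAPPDATA%\Temp, can be hunted for in process-creation and registry-set telemetry. The following is an added example written for this page; it is not part of the sandbox report or of any vendor tooling. The event schema (pid, ppid, image, cmdline; pid, key, name, value) is assumed Sysmon-like, the sample events are constructed from the process tree above, and the dropper's own parent PID (1000) is not in the report and is invented for the sample.

```python
"""Hunt logic for two behaviours in the report above: a cmd.exe child that pings
localhost and then deletes its parent's executable ("Deletes itself"), and a Run
key under Wow6432Node that points at an executable in %LOCALAPPDATA%\\Temp
("Adds Run key to start application"). Sample events are constructed from the
report's process tree; they are not real telemetry."""
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # image path as the kernel reports it (SysWOW64 for a 32-bit shell)
    cmdline: str


@dataclass(frozen=True)
class RegSetEvent:
    pid: int
    key: str
    name: str
    value: str


SAMPLE_EXE = (r"C:\Users\Admin\AppData\Local\Temp"
              r"\04f7a907eb531d1121b13f3ba0f941b69685ca2e1698087b68ee16eebce80183.exe")
DROPPED_EXE = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

# Constructed from the report's process tree. The dropper's parent PID (1000) is
# not in the report and is assumed.
SAMPLE_PROCS = [
    ProcEvent(1044, 1000, SAMPLE_EXE, f'"{SAMPLE_EXE}"'),
    ProcEvent(524, 1044, DROPPED_EXE, DROPPED_EXE),
    ProcEvent(1832, 1044, r"C:\Windows\SysWOW64\cmd.exe",
              f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE_EXE}"'),
    ProcEvent(1824, 1832, r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.1"),
]
SAMPLE_REGS = [
    RegSetEvent(1044,
                r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run",
                "MicroMedia", DROPPED_EXE),
]

# Delay primitive, command separator, `del`, then the deleted path (quoted or not).
SELF_DELETE_RE = re.compile(
    r'\b(?:ping|timeout|choice)\b[^&|]*[&|]+\s*del\b[^"]*"?(?P<target>[A-Za-z]:\\[^"&|]+?\.exe)"?',
    re.IGNORECASE,
)
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?$", re.IGNORECASE)
TEMP_DIR_RE = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)


def find_parent_self_deletion(procs):
    """Return [(shell_pid, parent_pid, deleted_path)] for cmd.exe instances whose
    command line deletes the image of their own parent process."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for p in procs:
        if ntpath.basename(p.image).lower() != "cmd.exe":
            continue
        m = SELF_DELETE_RE.search(p.cmdline)
        parent = by_pid.get(p.ppid)
        if m and parent and ntpath.normcase(m.group("target")) == ntpath.normcase(parent.image):
            hits.append((p.pid, parent.pid, m.group("target")))
    return hits


def exe_from_run_value(value):
    """Pull the executable path out of a Run value, quoted or followed by arguments."""
    value = value.strip()
    if value.startswith('"'):
        return value[1:].split('"', 1)[0]
    m = re.match(r"(.+?\.exe)\b", value, re.IGNORECASE)
    return m.group(1) if m else value


def find_temp_run_keys(regs):
    """Return [(pid, wow64_view, value_name, exe)] for Run entries whose target lives
    under %LOCALAPPDATA%\\Temp. wow64_view is True when the key sits under Wow6432Node,
    i.e. was written by a 32-bit process and is invisible to a hunt that reads only
    the native 64-bit view."""
    hits = []
    for r in regs:
        if not RUN_KEY_RE.search(r.key):
            continue
        exe = exe_from_run_value(r.value)
        if TEMP_DIR_RE.match(exe):
            hits.append((r.pid, "\\wow6432node\\" in r.key.lower(), r.name, exe))
    return hits


def correlate(procs, regs):
    """Tie the persistence entry to any process that actually ran from the persisted path."""
    persisted = {ntpath.normcase(h[3]) for h in find_temp_run_keys(regs)}
    return {
        "self_deletion": find_parent_self_deletion(procs),
        "temp_run_keys": find_temp_run_keys(regs),
        "persisted_and_executed_pids": [p.pid for p in procs if ntpath.normcase(p.image) in persisted],
    }


if __name__ == "__main__":
    for name, result in correlate(SAMPLE_PROCS, SAMPLE_REGS).items():
        print(f"{name}: {result}")
```

The self-deletion check deliberately requires the deleted path to equal the parent's image rather than matching any `ping & del` pair: that pattern also appears in benign installers cleaning up their own temp files, and tying it to the parent is what makes it specific. Paths are compared with ntpath.normcase so the logic behaves the same whether run on Windows or on a Linux analysis host.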
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (also recorded as \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe; same file)
  MD5: baa8f75a69afdd74882ac1b55f44eba7
  SHA1: 66191f35be7d76cb62d6792bba5a71909711270a
  SHA256: 7d5a6088eb4015b0b311410aa2a20c2abd995b14177110a6bec1ccae9c454ca0
  SHA512: fab5613a829af5ccd86da4db9bf7f3d7cdaad2980181aef538e387853ea82244527dfe4986e208c956875059bd2ad7f7f3c5640564b234ffcbc4a37c3c91bb2c
- memory/524-59-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB
- memory/1044-54-0x0000000076001000-0x0000000076003000-memory.dmp
  Filesize: 8KB
- memory/1044-58-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB