Analysis
- max time kernel: 125s
- max time network: 146s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 11:15
Static task: static1
Behavioral task: behavioral1
  Sample: 04d50dba13380a4d544ccb7485d680b42e0362e7207a3504f11da9c2e21f072f.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 04d50dba13380a4d544ccb7485d680b42e0362e7207a3504f11da9c2e21f072f.exe
  Resource: win10v2004-en-20220112
General
- Target: 04d50dba13380a4d544ccb7485d680b42e0362e7207a3504f11da9c2e21f072f.exe
- Size: 79KB
- MD5: 2db9096916b587017be8ce7fa74f7b3c
- SHA1: 84e82086711d825808c7313289ef7ef89669e2d7
- SHA256: 04d50dba13380a4d544ccb7485d680b42e0362e7207a3504f11da9c2e21f072f
- SHA512: 30a01d7398dbb6d95d75f7b778fe8f07cece66bea9037c9754995659f3c36552d199b23290ce4b88892e1938b377a3d1b69b048644ab19de8ea56b6675e38af8
Malware Config
Signatures
- Sakula Payload (3 IoCs)
  Processes:
    resource                                                          yara_rule
    \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe        family_sakula
    \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe        family_sakula
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe      family_sakula
- Executes dropped EXE (1 IoC)
  Processes:
    pid   process
    1720  MediaCenter.exe
- Deletes itself (1 IoC)
  Processes:
    pid   process
    1868  cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes:
    pid   process
    1588  04d50dba13380a4d544ccb7485d680b42e0362e7207a3504f11da9c2e21f072f.exe
    1588  04d50dba13380a4d544ccb7485d680b42e0362e7207a3504f11da9c2e21f072f.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    description      ioc                                                                                                                                           process
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  04d50dba13380a4d544ccb7485d680b42e0362e7207a3504f11da9c2e21f072f.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description                          pid   process
    Token: SeIncBasePriorityPrivilege    1588  04d50dba13380a4d544ccb7485d680b42e0362e7207a3504f11da9c2e21f072f.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
    description                       pid   process                                                                 target process
    PID 1588 wrote to memory of 1720  1588  04d50dba13380a4d544ccb7485d680b42e0362e7207a3504f11da9c2e21f072f.exe   MediaCenter.exe
    PID 1588 wrote to memory of 1720  1588  04d50dba13380a4d544ccb7485d680b42e0362e7207a3504f11da9c2e21f072f.exe   MediaCenter.exe
    PID 1588 wrote to memory of 1720  1588  04d50dba13380a4d544ccb7485d680b42e0362e7207a3504f11da9c2e21f072f.exe   MediaCenter.exe
    PID 1588 wrote to memory of 1720  1588  04d50dba13380a4d544ccb7485d680b42e0362e7207a3504f11da9c2e21f072f.exe   MediaCenter.exe
    PID 1588 wrote to memory of 1868  1588  04d50dba13380a4d544ccb7485d680b42e0362e7207a3504f11da9c2e21f072f.exe   cmd.exe
    PID 1588 wrote to memory of 1868  1588  04d50dba13380a4d544ccb7485d680b42e0362e7207a3504f11da9c2e21f072f.exe   cmd.exe
    PID 1588 wrote to memory of 1868  1588  04d50dba13380a4d544ccb7485d680b42e0362e7207a3504f11da9c2e21f072f.exe   cmd.exe
    PID 1588 wrote to memory of 1868  1588  04d50dba13380a4d544ccb7485d680b42e0362e7207a3504f11da9c2e21f072f.exe   cmd.exe
    PID 1868 wrote to memory of 1168  1868  cmd.exe                                                                 PING.EXE
    PID 1868 wrote to memory of 1168  1868  cmd.exe                                                                 PING.EXE
    PID 1868 wrote to memory of 1168  1868  cmd.exe                                                                 PING.EXE
    PID 1868 wrote to memory of 1168  1868  cmd.exe                                                                 PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\04d50dba13380a4d544ccb7485d680b42e0362e7207a3504f11da9c2e21f072f.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\04d50dba13380a4d544ccb7485d680b42e0362e7207a3504f11da9c2e21f072f.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1588
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1720
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\04d50dba13380a4d544ccb7485d680b42e0362e7207a3504f11da9c2e21f072f.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1868
    - C:\Windows\SysWOW64\PING.EXE (depth 3)
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1168
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: c540c6b4bae99e4e5b0591e9188dcddc
  SHA1: 3709501e2c520cdb362d9018fe9ef83505cf3b7b
  SHA256: f743a2995f023e4591aab631f116f87663e5d690347a6807915695a9bd74635c
  SHA512: 5db19f79a0530a288d98e373387cef97b775e2011a383f41d3c8e533a2ef76db694df3f849c8f14b58fc4a8c15c3beb3cad928b97687ad40131283797bd56d48
- \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: c540c6b4bae99e4e5b0591e9188dcddc
  SHA1: 3709501e2c520cdb362d9018fe9ef83505cf3b7b
  SHA256: f743a2995f023e4591aab631f116f87663e5d690347a6807915695a9bd74635c
  SHA512: 5db19f79a0530a288d98e373387cef97b775e2011a383f41d3c8e533a2ef76db694df3f849c8f14b58fc4a8c15c3beb3cad928b97687ad40131283797bd56d48
- memory/1588-54-0x0000000076151000-0x0000000076153000-memory.dmp
  Filesize: 8KB