Analysis
- max time kernel: 133s
- max time network: 166s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 11:16
Static task: static1
Behavioral task: behavioral1
- Sample: 04cceb51136a02238e5ed058e4c23440161b238af128be8f135c0d4380c136c4.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 04cceb51136a02238e5ed058e4c23440161b238af128be8f135c0d4380c136c4.exe
- Resource: win10v2004-en-20220112
General
- Target: 04cceb51136a02238e5ed058e4c23440161b238af128be8f135c0d4380c136c4.exe
- Size: 192KB
- MD5: f734b6891330672078731100de3e0bd3
- SHA1: b21302b3e9c4a24aced6a52e635b8e4864bcbe2b
- SHA256: 04cceb51136a02238e5ed058e4c23440161b238af128be8f135c0d4380c136c4
- SHA512: 4ff3f1051f1dae03ff713df006352e5186fa621c16827a2d9a82578cb27633f19e72211b3fef5db722d1f8dcab14a15f88781d1138fff4081acb65c7c3d0ef28
Malware Config
Signatures
- Sakula Payload (3 IoCs)
  Processes (resource / yara_rule):
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  family_sakula
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  family_sakula
- Executes dropped EXE (1 IoC)
  Processes (pid / process):
  564  MediaCenter.exe
- Deletes itself (1 IoC)
  Processes (pid / process):
  1808  cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid / process):
  1872  04cceb51136a02238e5ed058e4c23440161b238af128be8f135c0d4380c136c4.exe
  1872  04cceb51136a02238e5ed058e4c23440161b238af128be8f135c0d4380c136c4.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description / ioc / process):
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  04cceb51136a02238e5ed058e4c23440161b238af128be8f135c0d4380c136c4.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description / pid / process):
  Token: SeIncBasePriorityPrivilege  1872  04cceb51136a02238e5ed058e4c23440161b238af128be8f135c0d4380c136c4.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description / pid / process / target process):
  PID 1872 wrote to memory of 564   1872  04cceb51136a02238e5ed058e4c23440161b238af128be8f135c0d4380c136c4.exe  MediaCenter.exe
  PID 1872 wrote to memory of 564   1872  04cceb51136a02238e5ed058e4c23440161b238af128be8f135c0d4380c136c4.exe  MediaCenter.exe
  PID 1872 wrote to memory of 564   1872  04cceb51136a02238e5ed058e4c23440161b238af128be8f135c0d4380c136c4.exe  MediaCenter.exe
  PID 1872 wrote to memory of 564   1872  04cceb51136a02238e5ed058e4c23440161b238af128be8f135c0d4380c136c4.exe  MediaCenter.exe
  PID 1872 wrote to memory of 1808  1872  04cceb51136a02238e5ed058e4c23440161b238af128be8f135c0d4380c136c4.exe  cmd.exe
  PID 1872 wrote to memory of 1808  1872  04cceb51136a02238e5ed058e4c23440161b238af128be8f135c0d4380c136c4.exe  cmd.exe
  PID 1872 wrote to memory of 1808  1872  04cceb51136a02238e5ed058e4c23440161b238af128be8f135c0d4380c136c4.exe  cmd.exe
  PID 1872 wrote to memory of 1808  1872  04cceb51136a02238e5ed058e4c23440161b238af128be8f135c0d4380c136c4.exe  cmd.exe
  PID 1808 wrote to memory of 1160  1808  cmd.exe  PING.EXE
  PID 1808 wrote to memory of 1160  1808  cmd.exe  PING.EXE
  PID 1808 wrote to memory of 1160  1808  cmd.exe  PING.EXE
  PID 1808 wrote to memory of 1160  1808  cmd.exe  PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\04cceb51136a02238e5ed058e4c23440161b238af128be8f135c0d4380c136c4.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\04cceb51136a02238e5ed058e4c23440161b238af128be8f135c0d4380c136c4.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1872
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 564
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\04cceb51136a02238e5ed058e4c23440161b238af128be8f135c0d4380c136c4.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1808
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1160
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 8488fbb8e64edf34a60d77b2aab3c319
  SHA1: 47c166116e6bc293ef792c2b62dd03e3603a85b5
  SHA256: f6d881e432270c344c35738fd4d8b94ce25fc59cb81c63fb52c6b8956b38608c
  SHA512: 0638928e11574f1847a9b692d7ba1dbebb0987d4c99a748ffa11058038a05c2a6a121ffa5ba99cfb4f8eea60fc2e1e2509d4bfa9b7a6b6e93f9486f78316ce43
- \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 8488fbb8e64edf34a60d77b2aab3c319
  SHA1: 47c166116e6bc293ef792c2b62dd03e3603a85b5
  SHA256: f6d881e432270c344c35738fd4d8b94ce25fc59cb81c63fb52c6b8956b38608c
  SHA512: 0638928e11574f1847a9b692d7ba1dbebb0987d4c99a748ffa11058038a05c2a6a121ffa5ba99cfb4f8eea60fc2e1e2509d4bfa9b7a6b6e93f9486f78316ce43
- memory/1872-54-0x0000000076121000-0x0000000076123000-memory.dmp
  Filesize: 8KB