Analysis
- max time kernel: 135s
- max time network: 161s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 11:19
Static task: static1
Behavioral task: behavioral1
- Sample: 04ab5e421107f1313eade160015b969a6f71a70c1d2dc8bcede4ab825e28bc17.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 04ab5e421107f1313eade160015b969a6f71a70c1d2dc8bcede4ab825e28bc17.exe
- Resource: win10v2004-en-20220113
General
- Target: 04ab5e421107f1313eade160015b969a6f71a70c1d2dc8bcede4ab825e28bc17.exe
- Size: 99KB
- MD5: 92610180bcecce7015077ac1ec78b369
- SHA1: 84a5393196e17841cdf759a24b1ea0ea063dd96f
- SHA256: 04ab5e421107f1313eade160015b969a6f71a70c1d2dc8bcede4ab825e28bc17
- SHA512: 1549e542d0456b279e8e8c579bf0a8d30f66fa9f53bc86477aba015bce7bdf8a3396162ac56996a2458dd4adc4fc158421625eb31668565998bc8ef75d2e2b5b
Malware Config
Signatures
- Sakula Payload (3 IoCs)
  Processes:
  resource | yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- Executes dropped EXE (1 IoC)
  Processes:
  pid | process
  268 | MediaCenter.exe
- Deletes itself (1 IoC)
  Processes:
  pid | process
  1944 | cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes:
  pid | process
  1632 | 04ab5e421107f1313eade160015b969a6f71a70c1d2dc8bcede4ab825e28bc17.exe
  1632 | 04ab5e421107f1313eade160015b969a6f71a70c1d2dc8bcede4ab825e28bc17.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 04ab5e421107f1313eade160015b969a6f71a70c1d2dc8bcede4ab825e28bc17.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 1632 | 04ab5e421107f1313eade160015b969a6f71a70c1d2dc8bcede4ab825e28bc17.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
  description | pid | process | target process
  PID 1632 wrote to memory of 268 | 1632 | 04ab5e421107f1313eade160015b969a6f71a70c1d2dc8bcede4ab825e28bc17.exe | MediaCenter.exe
  PID 1632 wrote to memory of 268 | 1632 | 04ab5e421107f1313eade160015b969a6f71a70c1d2dc8bcede4ab825e28bc17.exe | MediaCenter.exe
  PID 1632 wrote to memory of 268 | 1632 | 04ab5e421107f1313eade160015b969a6f71a70c1d2dc8bcede4ab825e28bc17.exe | MediaCenter.exe
  PID 1632 wrote to memory of 268 | 1632 | 04ab5e421107f1313eade160015b969a6f71a70c1d2dc8bcede4ab825e28bc17.exe | MediaCenter.exe
  PID 1632 wrote to memory of 1944 | 1632 | 04ab5e421107f1313eade160015b969a6f71a70c1d2dc8bcede4ab825e28bc17.exe | cmd.exe
  PID 1632 wrote to memory of 1944 | 1632 | 04ab5e421107f1313eade160015b969a6f71a70c1d2dc8bcede4ab825e28bc17.exe | cmd.exe
  PID 1632 wrote to memory of 1944 | 1632 | 04ab5e421107f1313eade160015b969a6f71a70c1d2dc8bcede4ab825e28bc17.exe | cmd.exe
  PID 1632 wrote to memory of 1944 | 1632 | 04ab5e421107f1313eade160015b969a6f71a70c1d2dc8bcede4ab825e28bc17.exe | cmd.exe
  PID 1944 wrote to memory of 1032 | 1944 | cmd.exe | PING.EXE
  PID 1944 wrote to memory of 1032 | 1944 | cmd.exe | PING.EXE
  PID 1944 wrote to memory of 1032 | 1944 | cmd.exe | PING.EXE
  PID 1944 wrote to memory of 1032 | 1944 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\04ab5e421107f1313eade160015b969a6f71a70c1d2dc8bcede4ab825e28bc17.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\04ab5e421107f1313eade160015b969a6f71a70c1d2dc8bcede4ab825e28bc17.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1632
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 268
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\04ab5e421107f1313eade160015b969a6f71a70c1d2dc8bcede4ab825e28bc17.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1944
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1032
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: e64e6b1cfb5186fd4aa13c0629c76c12
  SHA1: fc3e9459ca9e75944da4d41960b8675a1f1ca2ae
  SHA256: fd3fa9a4e1fe1ddeae2dc6656e376b95b159e3eb21a88c7dbde02a986dc08d10
  SHA512: 1312cd773ea1d47fc60c025e3278dec17b33d6e7812b343a02f0cf3697b355644e2c3763f04239bca722d28ba1760ce9eba934f6ba515c1a598dbde1000f3b9a
- \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: e64e6b1cfb5186fd4aa13c0629c76c12
  SHA1: fc3e9459ca9e75944da4d41960b8675a1f1ca2ae
  SHA256: fd3fa9a4e1fe1ddeae2dc6656e376b95b159e3eb21a88c7dbde02a986dc08d10
  SHA512: 1312cd773ea1d47fc60c025e3278dec17b33d6e7812b343a02f0cf3697b355644e2c3763f04239bca722d28ba1760ce9eba934f6ba515c1a598dbde1000f3b9a
- memory/1632-55-0x0000000076141000-0x0000000076143000-memory.dmp
  Filesize: 8KB