Analysis
- max time kernel: 159s
- max time network: 171s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 11:18
Static task: static1
Behavioral task: behavioral1
  Sample: 04beeeed03945418d2f63517889d5184d7732e0df6a1bd7dbd8499960263c0de.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 04beeeed03945418d2f63517889d5184d7732e0df6a1bd7dbd8499960263c0de.exe
  Resource: win10v2004-en-20220113
General
- Target: 04beeeed03945418d2f63517889d5184d7732e0df6a1bd7dbd8499960263c0de.exe
- Size: 99KB
- MD5: 903c81535e36bcb044bb4a3770516177
- SHA1: 331e47db8f24321701d2c7a192094116acd84c2c
- SHA256: 04beeeed03945418d2f63517889d5184d7732e0df6a1bd7dbd8499960263c0de
- SHA512: 7531c19b13aa62824198529f8d15226ccbeba217c8fb5fdb47d626659e9c3c7022a468f5f399ede9a5bc656fc295fe781d5a30ffb25933846703f77e796b75d0
Malware Config
Signatures
-
Sakula Payload 3 IoCs
Processes:
  resource | yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
-
Executes dropped EXE 1 IoCs
Processes:
  pid | process
  316 | MediaCenter.exe
-
Deletes itself 1 IoCs
Processes:
  pid | process
  836 | cmd.exe
-
Loads dropped DLL 2 IoCs
Processes:
  pid | process
  1648 | 04beeeed03945418d2f63517889d5184d7732e0df6a1bd7dbd8499960263c0de.exe
  1648 | 04beeeed03945418d2f63517889d5184d7732e0df6a1bd7dbd8499960263c0de.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 04beeeed03945418d2f63517889d5184d7732e0df6a1bd7dbd8499960263c0de.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 1648 | 04beeeed03945418d2f63517889d5184d7732e0df6a1bd7dbd8499960263c0de.exe
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
  description | pid | process | target process
  PID 1648 wrote to memory of 316 | 1648 | 04beeeed03945418d2f63517889d5184d7732e0df6a1bd7dbd8499960263c0de.exe | MediaCenter.exe
  PID 1648 wrote to memory of 316 | 1648 | 04beeeed03945418d2f63517889d5184d7732e0df6a1bd7dbd8499960263c0de.exe | MediaCenter.exe
  PID 1648 wrote to memory of 316 | 1648 | 04beeeed03945418d2f63517889d5184d7732e0df6a1bd7dbd8499960263c0de.exe | MediaCenter.exe
  PID 1648 wrote to memory of 316 | 1648 | 04beeeed03945418d2f63517889d5184d7732e0df6a1bd7dbd8499960263c0de.exe | MediaCenter.exe
  PID 1648 wrote to memory of 836 | 1648 | 04beeeed03945418d2f63517889d5184d7732e0df6a1bd7dbd8499960263c0de.exe | cmd.exe
  PID 1648 wrote to memory of 836 | 1648 | 04beeeed03945418d2f63517889d5184d7732e0df6a1bd7dbd8499960263c0de.exe | cmd.exe
  PID 1648 wrote to memory of 836 | 1648 | 04beeeed03945418d2f63517889d5184d7732e0df6a1bd7dbd8499960263c0de.exe | cmd.exe
  PID 1648 wrote to memory of 836 | 1648 | 04beeeed03945418d2f63517889d5184d7732e0df6a1bd7dbd8499960263c0de.exe | cmd.exe
  PID 836 wrote to memory of 1064 | 836 | cmd.exe | PING.EXE
  PID 836 wrote to memory of 1064 | 836 | cmd.exe | PING.EXE
  PID 836 wrote to memory of 1064 | 836 | cmd.exe | PING.EXE
  PID 836 wrote to memory of 1064 | 836 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\04beeeed03945418d2f63517889d5184d7732e0df6a1bd7dbd8499960263c0de.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\04beeeed03945418d2f63517889d5184d7732e0df6a1bd7dbd8499960263c0de.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1648
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 316
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\04beeeed03945418d2f63517889d5184d7732e0df6a1bd7dbd8499960263c0de.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 836
    - C:\Windows\SysWOW64\PING.EXE (depth 3)
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1064
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (also recorded as \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe)
  MD5: a31f14ce8f851de2c82ec2f72363f123
  SHA1: 59ea5e8f93db06b8b73f7da56ab7165576ced35b
  SHA256: 199399c94f6b3a8ceeb532e24499705fd638bb5d73585d367195cfb8bc5665a2
  SHA512: 95b22851b497a061a19c25844783c43309c4134c280a15fdfc510667cc59757236d1753e61bbe6a406701eb8f59bf548c645058863132f8d544b43820b2b258d
-
- memory/1648-54-0x0000000076451000-0x0000000076453000-memory.dmp
  Filesize: 8KB