Analysis
-
max time kernel
119s -
max time network
139s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
12-02-2022 11:19
Static task
static1
Behavioral task
behavioral1
Sample
04b7d89a90d733d3dc7195349212dbff514520f2bf6898c2070617eacafac490.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
04b7d89a90d733d3dc7195349212dbff514520f2bf6898c2070617eacafac490.exe
Resource
win10v2004-en-20220113
General
-
Target
04b7d89a90d733d3dc7195349212dbff514520f2bf6898c2070617eacafac490.exe
-
Size
79KB
-
MD5
d7ab3ffe61d0a3e4dc4c83ead9dd042b
-
SHA1
05e60bd5d2aff88057aa493470574f3e798a8a65
-
SHA256
04b7d89a90d733d3dc7195349212dbff514520f2bf6898c2070617eacafac490
-
SHA512
e61b1101bd826991dfa782bf183500723d9267fa5e4b203f24a63437a4ce93154308ff4fb3cd70f0eb268df2b93ae4bf8e1405b1b475fe3ba811e27ac4029298
Malware Config
Signatures
-
Sakula Payload 3 IoCs
Processes:
resource yara_rule \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula -
Executes dropped EXE 1 IoCs
Processes:
MediaCenter.exepid process 744 MediaCenter.exe -
Deletes itself 1 IoCs
Processes:
cmd.exepid process 932 cmd.exe -
Loads dropped DLL 2 IoCs
Processes:
04b7d89a90d733d3dc7195349212dbff514520f2bf6898c2070617eacafac490.exepid process 1084 04b7d89a90d733d3dc7195349212dbff514520f2bf6898c2070617eacafac490.exe 1084 04b7d89a90d733d3dc7195349212dbff514520f2bf6898c2070617eacafac490.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
04b7d89a90d733d3dc7195349212dbff514520f2bf6898c2070617eacafac490.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" 04b7d89a90d733d3dc7195349212dbff514520f2bf6898c2070617eacafac490.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
04b7d89a90d733d3dc7195349212dbff514520f2bf6898c2070617eacafac490.exedescription pid process Token: SeIncBasePriorityPrivilege 1084 04b7d89a90d733d3dc7195349212dbff514520f2bf6898c2070617eacafac490.exe -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
04b7d89a90d733d3dc7195349212dbff514520f2bf6898c2070617eacafac490.execmd.exedescription pid process target process PID 1084 wrote to memory of 744 1084 04b7d89a90d733d3dc7195349212dbff514520f2bf6898c2070617eacafac490.exe MediaCenter.exe PID 1084 wrote to memory of 744 1084 04b7d89a90d733d3dc7195349212dbff514520f2bf6898c2070617eacafac490.exe MediaCenter.exe PID 1084 wrote to memory of 744 1084 04b7d89a90d733d3dc7195349212dbff514520f2bf6898c2070617eacafac490.exe MediaCenter.exe PID 1084 wrote to memory of 744 1084 04b7d89a90d733d3dc7195349212dbff514520f2bf6898c2070617eacafac490.exe MediaCenter.exe PID 1084 wrote to memory of 932 1084 04b7d89a90d733d3dc7195349212dbff514520f2bf6898c2070617eacafac490.exe cmd.exe PID 1084 wrote to memory of 932 1084 04b7d89a90d733d3dc7195349212dbff514520f2bf6898c2070617eacafac490.exe cmd.exe PID 1084 wrote to memory of 932 1084 04b7d89a90d733d3dc7195349212dbff514520f2bf6898c2070617eacafac490.exe cmd.exe PID 1084 wrote to memory of 932 1084 04b7d89a90d733d3dc7195349212dbff514520f2bf6898c2070617eacafac490.exe cmd.exe PID 932 wrote to memory of 1980 932 cmd.exe PING.EXE PID 932 wrote to memory of 1980 932 cmd.exe PING.EXE PID 932 wrote to memory of 1980 932 cmd.exe PING.EXE PID 932 wrote to memory of 1980 932 cmd.exe PING.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\04b7d89a90d733d3dc7195349212dbff514520f2bf6898c2070617eacafac490.exe"C:\Users\Admin\AppData\Local\Temp\04b7d89a90d733d3dc7195349212dbff514520f2bf6898c2070617eacafac490.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1084 -
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeC:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe2⤵
- Executes dropped EXE
PID:744 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\04b7d89a90d733d3dc7195349212dbff514520f2bf6898c2070617eacafac490.exe"2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:932 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.13⤵
- Runs ping.exe
PID:1980
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeMD5
c2a334882ca93addc3e9ea14272f6d67
SHA1111fa559c9a1ee292cdf54795e2ed254e8d91e4c
SHA25651b1c0d94a7a4f66074b868f3f4fabaa034a65f860632087570ce1cdc1f72665
SHA512c0d6cf2e3b46f3447877ce94495643f9a52985777562e8ccf0cb77494b8c22478789efd9a5fbdb91072438e8df3b7704d8e873a8d8e0d87b9e6eb8c1708cbac4
-
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeMD5
c2a334882ca93addc3e9ea14272f6d67
SHA1111fa559c9a1ee292cdf54795e2ed254e8d91e4c
SHA25651b1c0d94a7a4f66074b868f3f4fabaa034a65f860632087570ce1cdc1f72665
SHA512c0d6cf2e3b46f3447877ce94495643f9a52985777562e8ccf0cb77494b8c22478789efd9a5fbdb91072438e8df3b7704d8e873a8d8e0d87b9e6eb8c1708cbac4
-
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeMD5
c2a334882ca93addc3e9ea14272f6d67
SHA1111fa559c9a1ee292cdf54795e2ed254e8d91e4c
SHA25651b1c0d94a7a4f66074b868f3f4fabaa034a65f860632087570ce1cdc1f72665
SHA512c0d6cf2e3b46f3447877ce94495643f9a52985777562e8ccf0cb77494b8c22478789efd9a5fbdb91072438e8df3b7704d8e873a8d8e0d87b9e6eb8c1708cbac4
-
memory/1084-54-0x0000000075341000-0x0000000075343000-memory.dmpFilesize
8KB