Analysis
- max time kernel: 122s
- max time network: 145s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 11:19
Static task: static1
Behavioral task: behavioral1
- Sample: 04b583509c5bde03adc187c8dc78d6626ea0f4f2f65f51d64404c40ebff0a3cd.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 04b583509c5bde03adc187c8dc78d6626ea0f4f2f65f51d64404c40ebff0a3cd.exe
- Resource: win10v2004-en-20220113
General
- Target: 04b583509c5bde03adc187c8dc78d6626ea0f4f2f65f51d64404c40ebff0a3cd.exe
- Size: 191KB
- MD5: 34e51a4764fd62a652e34715f70fa570
- SHA1: 161f32eebbc7d47a263dfc9e2fb2e8fa64817cb6
- SHA256: 04b583509c5bde03adc187c8dc78d6626ea0f4f2f65f51d64404c40ebff0a3cd
- SHA512: a93894b03542051a89c047faff03bc7554cf67bad2563d23a1c83454a0b595d845a7405b6c3ed1c93efb77cd25213ba370881af4c41aa7522efe044fb50f37b8
Malware Config
Signatures
- Sakula Payload (3 IoCs)
  Processes:
  resource | yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- Executes dropped EXE (1 IoCs)
  Processes: MediaCenter.exe
  pid | process
  1648 | MediaCenter.exe
- Deletes itself (1 IoCs)
  Processes: cmd.exe
  pid | process
  1056 | cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes: 04b583509c5bde03adc187c8dc78d6626ea0f4f2f65f51d64404c40ebff0a3cd.exe
  pid | process
  956 | 04b583509c5bde03adc187c8dc78d6626ea0f4f2f65f51d64404c40ebff0a3cd.exe
  956 | 04b583509c5bde03adc187c8dc78d6626ea0f4f2f65f51d64404c40ebff0a3cd.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes: 04b583509c5bde03adc187c8dc78d6626ea0f4f2f65f51d64404c40ebff0a3cd.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 04b583509c5bde03adc187c8dc78d6626ea0f4f2f65f51d64404c40ebff0a3cd.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: 04b583509c5bde03adc187c8dc78d6626ea0f4f2f65f51d64404c40ebff0a3cd.exe
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 956 | 04b583509c5bde03adc187c8dc78d6626ea0f4f2f65f51d64404c40ebff0a3cd.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes: 04b583509c5bde03adc187c8dc78d6626ea0f4f2f65f51d64404c40ebff0a3cd.exe, cmd.exe
  description | pid | process | target process
  PID 956 wrote to memory of 1648 (x4) | 956 | 04b583509c5bde03adc187c8dc78d6626ea0f4f2f65f51d64404c40ebff0a3cd.exe | MediaCenter.exe
  PID 956 wrote to memory of 1056 (x4) | 956 | 04b583509c5bde03adc187c8dc78d6626ea0f4f2f65f51d64404c40ebff0a3cd.exe | cmd.exe
  PID 1056 wrote to memory of 1468 (x4) | 1056 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\04b583509c5bde03adc187c8dc78d6626ea0f4f2f65f51d64404c40ebff0a3cd.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\04b583509c5bde03adc187c8dc78d6626ea0f4f2f65f51d64404c40ebff0a3cd.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 956
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1648
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\04b583509c5bde03adc187c8dc78d6626ea0f4f2f65f51d64404c40ebff0a3cd.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1056
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1468
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 8ceb04cf63d2580fa9a50aae9ee0ae8d
  SHA1: 8252e72a8fb2bfcde6debca32ffdc89664b9548a
  SHA256: 0c18145d5e0c1a8b5c230790a0c03e1491ccc2eb6cc007c2758eadb6d83b145b
  SHA512: dda0719683344ec1ca5acb701ce414d61fa5c3b29ec18505c822d7fdc875aae36c8b991a01d5bf544e38516f69d01b407369039a10d2dfdcbe7fc4f18cd01d9b
- memory/956-55-0x00000000763B1000-0x00000000763B3000-memory.dmp
  Filesize: 8KB