Analysis
- max time kernel: 142s
- max time network: 156s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 11:20
Static task: static1

Behavioral task: behavioral1
- Sample: 04a2e3b5d9f94300d1cc791649fa3d903edef79b7efe0207ade15755a91dfe2c.exe
- Resource: win7-en-20211208

Behavioral task: behavioral2
- Sample: 04a2e3b5d9f94300d1cc791649fa3d903edef79b7efe0207ade15755a91dfe2c.exe
- Resource: win10v2004-en-20220113
General
- Target: 04a2e3b5d9f94300d1cc791649fa3d903edef79b7efe0207ade15755a91dfe2c.exe
- Size: 216KB
- MD5: 6cb110e70e3a7d6d2d69a9bf829d24dd
- SHA1: 4552f20f64f73da4d51597950611b4c72dcf8716
- SHA256: 04a2e3b5d9f94300d1cc791649fa3d903edef79b7efe0207ade15755a91dfe2c
- SHA512: 3e4fb9a9c5729e23aceefca097a53824dbdffb9a3bc7ea0a6c4f444d7156257f3f1615a61b0bc47ab7d8e20b48a4ccb4fb9bd6db508d735f55fd9a1aa657743d
Malware Config
Signatures

- Sakula Payload (4 IoCs)

| Resource | YARA rule |
|---|---|
| \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula |
| C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula |
| behavioral1/memory/1140-59-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula |
| behavioral1/memory/816-60-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula |

- Executes dropped EXE (1 IoC)
  - PID 816: MediaCenter.exe

- Deletes itself (1 IoC)
  - PID 2040: cmd.exe

- Loads dropped DLL (1 IoC)
  - PID 1140: 04a2e3b5d9f94300d1cc791649fa3d903edef79b7efe0207ade15755a91dfe2c.exe

- Adds Run key to start application (2 TTPs, 1 IoC)

| Description | IoC | Process |
|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 04a2e3b5d9f94300d1cc791649fa3d903edef79b7efe0207ade15755a91dfe2c.exe |

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Runs ping.exe (1 TTP, 1 IoC)

- Suspicious use of AdjustPrivilegeToken (1 IoC)

| Description | PID | Process |
|---|---|---|
| Token: SeIncBasePriorityPrivilege | 1140 | 04a2e3b5d9f94300d1cc791649fa3d903edef79b7efe0207ade15755a91dfe2c.exe |

- Suspicious use of WriteProcessMemory (12 IoCs)

| Source PID | Source process | Target PID | Target process |
|---|---|---|---|
| 1140 | 04a2e3b5d9f94300d1cc791649fa3d903edef79b7efe0207ade15755a91dfe2c.exe | 816 | MediaCenter.exe |
| 1140 | 04a2e3b5d9f94300d1cc791649fa3d903edef79b7efe0207ade15755a91dfe2c.exe | 816 | MediaCenter.exe |
| 1140 | 04a2e3b5d9f94300d1cc791649fa3d903edef79b7efe0207ade15755a91dfe2c.exe | 816 | MediaCenter.exe |
| 1140 | 04a2e3b5d9f94300d1cc791649fa3d903edef79b7efe0207ade15755a91dfe2c.exe | 816 | MediaCenter.exe |
| 1140 | 04a2e3b5d9f94300d1cc791649fa3d903edef79b7efe0207ade15755a91dfe2c.exe | 2040 | cmd.exe |
| 1140 | 04a2e3b5d9f94300d1cc791649fa3d903edef79b7efe0207ade15755a91dfe2c.exe | 2040 | cmd.exe |
| 1140 | 04a2e3b5d9f94300d1cc791649fa3d903edef79b7efe0207ade15755a91dfe2c.exe | 2040 | cmd.exe |
| 1140 | 04a2e3b5d9f94300d1cc791649fa3d903edef79b7efe0207ade15755a91dfe2c.exe | 2040 | cmd.exe |
| 2040 | cmd.exe | 1084 | PING.EXE |
| 2040 | cmd.exe | 1084 | PING.EXE |
| 2040 | cmd.exe | 1084 | PING.EXE |
| 2040 | cmd.exe | 1084 | PING.EXE |
Processes

- C:\Users\Admin\AppData\Local\Temp\04a2e3b5d9f94300d1cc791649fa3d903edef79b7efe0207ade15755a91dfe2c.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\04a2e3b5d9f94300d1cc791649fa3d903edef79b7efe0207ade15755a91dfe2c.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1140

  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 816

  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\04a2e3b5d9f94300d1cc791649fa3d903edef79b7efe0207ade15755a91dfe2c.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 2040

    - C:\Windows\SysWOW64\PING.EXE (depth 3)
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1084
Network
MITRE ATT&CK Enterprise v6
Downloads

- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  - MD5: 67d15dd1ce4c811feab9f750e34f7d96
  - SHA1: d18c3921da6b3465110b88cc85a8cabb8c946557
  - SHA256: b42e7b9662b9c39d061dd1b048d9a698b021776a91d8831c36375096839c40c8
  - SHA512: a197db7400d3fffab066d8f0c3dd53556e713a14d01ef87d885ce2d3f65e6df428718337f7bad258bb3a7227e4b1b101bb5c95b8017251eb6c1b01fc9b444e67

- \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  - MD5: 67d15dd1ce4c811feab9f750e34f7d96
  - SHA1: d18c3921da6b3465110b88cc85a8cabb8c946557
  - SHA256: b42e7b9662b9c39d061dd1b048d9a698b021776a91d8831c36375096839c40c8
  - SHA512: a197db7400d3fffab066d8f0c3dd53556e713a14d01ef87d885ce2d3f65e6df428718337f7bad258bb3a7227e4b1b101bb5c95b8017251eb6c1b01fc9b444e67

- memory/816-60-0x0000000000400000-0x0000000000420000-memory.dmp
  - Filesize: 128KB

- memory/1140-55-0x0000000076511000-0x0000000076513000-memory.dmp
  - Filesize: 8KB

- memory/1140-59-0x0000000000400000-0x0000000000420000-memory.dmp
  - Filesize: 128KB