Analysis
-
max time kernel
142s -
max time network
169s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
12-02-2022 11:22
Static task
static1
Behavioral task
behavioral1
Sample
048b44ffa904c7420c4f74629b585de101f38e84387186fcbe64f6c933d6c953.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
048b44ffa904c7420c4f74629b585de101f38e84387186fcbe64f6c933d6c953.exe
Resource
win10v2004-en-20220113
General
-
Target
048b44ffa904c7420c4f74629b585de101f38e84387186fcbe64f6c933d6c953.exe
-
Size
99KB
-
MD5
0a02e96ee0126427ffbeb69acdd41a2f
-
SHA1
a6f5cad892b065111acdd2062e9df1fae2e94cf6
-
SHA256
048b44ffa904c7420c4f74629b585de101f38e84387186fcbe64f6c933d6c953
-
SHA512
cb7e4b520c678bf2d6e4278f052c718e59deb509cceadc071881ae4f45d78ee23d2ea4b8e2a7d4d670173143ec27b0563134c926f90970f4d30120be611c4672
Malware Config
Signatures
-
Sakula Payload 3 IoCs
Processes:
resource yara_rule \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula -
Executes dropped EXE 1 IoCs
Processes:
MediaCenter.exepid process 1716 MediaCenter.exe -
Deletes itself 1 IoCs
Processes:
cmd.exepid process 976 cmd.exe -
Loads dropped DLL 2 IoCs
Processes:
048b44ffa904c7420c4f74629b585de101f38e84387186fcbe64f6c933d6c953.exepid process 860 048b44ffa904c7420c4f74629b585de101f38e84387186fcbe64f6c933d6c953.exe 860 048b44ffa904c7420c4f74629b585de101f38e84387186fcbe64f6c933d6c953.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
048b44ffa904c7420c4f74629b585de101f38e84387186fcbe64f6c933d6c953.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" 048b44ffa904c7420c4f74629b585de101f38e84387186fcbe64f6c933d6c953.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
048b44ffa904c7420c4f74629b585de101f38e84387186fcbe64f6c933d6c953.exedescription pid process Token: SeIncBasePriorityPrivilege 860 048b44ffa904c7420c4f74629b585de101f38e84387186fcbe64f6c933d6c953.exe -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
048b44ffa904c7420c4f74629b585de101f38e84387186fcbe64f6c933d6c953.execmd.exedescription pid process target process PID 860 wrote to memory of 1716 860 048b44ffa904c7420c4f74629b585de101f38e84387186fcbe64f6c933d6c953.exe MediaCenter.exe PID 860 wrote to memory of 1716 860 048b44ffa904c7420c4f74629b585de101f38e84387186fcbe64f6c933d6c953.exe MediaCenter.exe PID 860 wrote to memory of 1716 860 048b44ffa904c7420c4f74629b585de101f38e84387186fcbe64f6c933d6c953.exe MediaCenter.exe PID 860 wrote to memory of 1716 860 048b44ffa904c7420c4f74629b585de101f38e84387186fcbe64f6c933d6c953.exe MediaCenter.exe PID 860 wrote to memory of 976 860 048b44ffa904c7420c4f74629b585de101f38e84387186fcbe64f6c933d6c953.exe cmd.exe PID 860 wrote to memory of 976 860 048b44ffa904c7420c4f74629b585de101f38e84387186fcbe64f6c933d6c953.exe cmd.exe PID 860 wrote to memory of 976 860 048b44ffa904c7420c4f74629b585de101f38e84387186fcbe64f6c933d6c953.exe cmd.exe PID 860 wrote to memory of 976 860 048b44ffa904c7420c4f74629b585de101f38e84387186fcbe64f6c933d6c953.exe cmd.exe PID 976 wrote to memory of 924 976 cmd.exe PING.EXE PID 976 wrote to memory of 924 976 cmd.exe PING.EXE PID 976 wrote to memory of 924 976 cmd.exe PING.EXE PID 976 wrote to memory of 924 976 cmd.exe PING.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\048b44ffa904c7420c4f74629b585de101f38e84387186fcbe64f6c933d6c953.exe"C:\Users\Admin\AppData\Local\Temp\048b44ffa904c7420c4f74629b585de101f38e84387186fcbe64f6c933d6c953.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:860 -
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeC:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe2⤵
- Executes dropped EXE
PID:1716 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\048b44ffa904c7420c4f74629b585de101f38e84387186fcbe64f6c933d6c953.exe"2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:976 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.13⤵
- Runs ping.exe
PID:924
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeMD5
0bb81ab5167052d8c7357f4e35d3323f
SHA12dfae9c1b7ece99e8b2a9d103b4959ed28bc8b3c
SHA256d022e24aaa000c64af06ede7b4b805452081b5dcae2d99fcfdf12bac529bb6e1
SHA51217865ce30453971f6d684046ae269e4d96c685ca0d99e731aea033bb012d26ab3b4f8f1481a9ff9b3cbeacdc8df61f17dd0de9869c584b0f052c5338d8eb77cb
-
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeMD5
0bb81ab5167052d8c7357f4e35d3323f
SHA12dfae9c1b7ece99e8b2a9d103b4959ed28bc8b3c
SHA256d022e24aaa000c64af06ede7b4b805452081b5dcae2d99fcfdf12bac529bb6e1
SHA51217865ce30453971f6d684046ae269e4d96c685ca0d99e731aea033bb012d26ab3b4f8f1481a9ff9b3cbeacdc8df61f17dd0de9869c584b0f052c5338d8eb77cb
-
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeMD5
0bb81ab5167052d8c7357f4e35d3323f
SHA12dfae9c1b7ece99e8b2a9d103b4959ed28bc8b3c
SHA256d022e24aaa000c64af06ede7b4b805452081b5dcae2d99fcfdf12bac529bb6e1
SHA51217865ce30453971f6d684046ae269e4d96c685ca0d99e731aea033bb012d26ab3b4f8f1481a9ff9b3cbeacdc8df61f17dd0de9869c584b0f052c5338d8eb77cb
-
memory/860-55-0x0000000076731000-0x0000000076733000-memory.dmpFilesize
8KB