Analysis

Max time kernel: 140s
Max time network: 164s
Platform: windows7_x64
Resource: win7-en-20211208
Submitted: 12-02-2022 11:21
Static task: static1

Behavioral task: behavioral1
  Sample: 04987294b5882639c61eb1b7e0101c4ecd6c0e781649bca8752d4cd48efb9c8c.exe
  Resource: win7-en-20211208

Behavioral task: behavioral2
  Sample: 04987294b5882639c61eb1b7e0101c4ecd6c0e781649bca8752d4cd48efb9c8c.exe
  Resource: win10v2004-en-20220112
General

Target: 04987294b5882639c61eb1b7e0101c4ecd6c0e781649bca8752d4cd48efb9c8c.exe
Size: 101KB
MD5: dc6f9a9b83bfff258ba040f7e2f3501c
SHA1: bc0428d0bfe2b5be1f4a09fdf5c2b6dbe6250e39
SHA256: 04987294b5882639c61eb1b7e0101c4ecd6c0e781649bca8752d4cd48efb9c8c
SHA512: f5cad8dba123a21cb6f75ef1c646f7d8f01f0a004dca7e58f4c51d1873ed8ef809edc3c8c2cf36589e2f5e81f67907abe08ff2c9d820eb2b19d7a4c44e9211a7
Malware Config
Signatures

Sakula Payload (3 IoCs)
  resource                                                      yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe    family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  family_sakula
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe    family_sakula

Executes dropped EXE (1 IoC)
  pid   process
  948   MediaCenter.exe

Deletes itself (1 IoC)
  pid   process
  1380  cmd.exe

Loads dropped DLL (2 IoCs)
  pid   process
  732   04987294b5882639c61eb1b7e0101c4ecd6c0e781649bca8752d4cd48efb9c8c.exe
  732   04987294b5882639c61eb1b7e0101c4ecd6c0e781649bca8752d4cd48efb9c8c.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  description      ioc                                                                                                                                                                   process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  04987294b5882639c61eb1b7e0101c4ecd6c0e781649bca8752d4cd48efb9c8c.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTP, 1 IoC)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description                        pid   process
  Token: SeIncBasePriorityPrivilege  732   04987294b5882639c61eb1b7e0101c4ecd6c0e781649bca8752d4cd48efb9c8c.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  description                      pid   process                                                                   target process
  PID 732 wrote to memory of 948   732   04987294b5882639c61eb1b7e0101c4ecd6c0e781649bca8752d4cd48efb9c8c.exe  MediaCenter.exe
  PID 732 wrote to memory of 948   732   04987294b5882639c61eb1b7e0101c4ecd6c0e781649bca8752d4cd48efb9c8c.exe  MediaCenter.exe
  PID 732 wrote to memory of 948   732   04987294b5882639c61eb1b7e0101c4ecd6c0e781649bca8752d4cd48efb9c8c.exe  MediaCenter.exe
  PID 732 wrote to memory of 948   732   04987294b5882639c61eb1b7e0101c4ecd6c0e781649bca8752d4cd48efb9c8c.exe  MediaCenter.exe
  PID 732 wrote to memory of 1380  732   04987294b5882639c61eb1b7e0101c4ecd6c0e781649bca8752d4cd48efb9c8c.exe  cmd.exe
  PID 732 wrote to memory of 1380  732   04987294b5882639c61eb1b7e0101c4ecd6c0e781649bca8752d4cd48efb9c8c.exe  cmd.exe
  PID 732 wrote to memory of 1380  732   04987294b5882639c61eb1b7e0101c4ecd6c0e781649bca8752d4cd48efb9c8c.exe  cmd.exe
  PID 732 wrote to memory of 1380  732   04987294b5882639c61eb1b7e0101c4ecd6c0e781649bca8752d4cd48efb9c8c.exe  cmd.exe
  PID 1380 wrote to memory of 420  1380  cmd.exe                                                                   PING.EXE
  PID 1380 wrote to memory of 420  1380  cmd.exe                                                                   PING.EXE
  PID 1380 wrote to memory of 420  1380  cmd.exe                                                                   PING.EXE
  PID 1380 wrote to memory of 420  1380  cmd.exe                                                                   PING.EXE
Processes

C:\Users\Admin\AppData\Local\Temp\04987294b5882639c61eb1b7e0101c4ecd6c0e781649bca8752d4cd48efb9c8c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\04987294b5882639c61eb1b7e0101c4ecd6c0e781649bca8752d4cd48efb9c8c.exe"
  PID: 732
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 948
    - Executes dropped EXE

  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\04987294b5882639c61eb1b7e0101c4ecd6c0e781649bca8752d4cd48efb9c8c.exe"
    PID: 1380
    - Deletes itself
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 420
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 7f34adda9af0837d654985d65e14b1b2
  SHA1: 8844f4e4f014289d159d0c9676ff1be41c75f178
  SHA256: ebcbbf9c173e95e7950e927db95bda177cb4f4613e93e2aacf6f27e92deaf3d9
  SHA512: 51d99038bf2fe654431a08645e5e9e4cd19e06c566e07c8bbad94aaf2c3f75469c3be126c50581b2f2ac12a1e39d5788b9c2e971b0b5d17d3186eb1711d985b4

\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 7f34adda9af0837d654985d65e14b1b2
  SHA1: 8844f4e4f014289d159d0c9676ff1be41c75f178
  SHA256: ebcbbf9c173e95e7950e927db95bda177cb4f4613e93e2aacf6f27e92deaf3d9
  SHA512: 51d99038bf2fe654431a08645e5e9e4cd19e06c566e07c8bbad94aaf2c3f75469c3be126c50581b2f2ac12a1e39d5788b9c2e971b0b5d17d3186eb1711d985b4

memory/732-55-0x0000000076B81000-0x0000000076B83000-memory.dmp
  Filesize: 8KB