Analysis
- max time kernel: 149s
- max time network: 163s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 11:24

Static task: static1

Behavioral task: behavioral1
- Sample: 047aa570d4c77a8cd4fa59b357ba2ed40f39b54665eb87c3e82023a3c3524d96.exe
- Resource: win7-en-20211208

Behavioral task: behavioral2
- Sample: 047aa570d4c77a8cd4fa59b357ba2ed40f39b54665eb87c3e82023a3c3524d96.exe
- Resource: win10v2004-en-20220112

General
- Target: 047aa570d4c77a8cd4fa59b357ba2ed40f39b54665eb87c3e82023a3c3524d96.exe
- Size: 168KB
- MD5: 0ec244048ed30d7c9354f3551a9fe862
- SHA1: 5e922039669b38290890c7044a257ceee317bef1
- SHA256: 047aa570d4c77a8cd4fa59b357ba2ed40f39b54665eb87c3e82023a3c3524d96
- SHA512: 0908cb7201b31cb4d894c6d1bab732bfdb4907c9c814abdf48f62a4602806577be7b28a528b61ebcf5b747e9adafd6a23236977d41af727c847ed318b9a6e8a8
Malware Config
Signatures
- Sakula Payload (4 IoCs)
  resource | yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  behavioral1/memory/1680-58-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
  behavioral1/memory/524-60-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
- Executes dropped EXE (1 IoC)
  pid | process
  524 | MediaCenter.exe
- Deletes itself (1 IoC)
  pid | process
  776 | cmd.exe
- Loads dropped DLL (1 IoC)
  pid | process
  1680 | 047aa570d4c77a8cd4fa59b357ba2ed40f39b54665eb87c3e82023a3c3524d96.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 047aa570d4c77a8cd4fa59b357ba2ed40f39b54665eb87c3e82023a3c3524d96.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 1680 | 047aa570d4c77a8cd4fa59b357ba2ed40f39b54665eb87c3e82023a3c3524d96.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  description | pid | process | target process
  PID 1680 wrote to memory of 524 | 1680 | 047aa570d4c77a8cd4fa59b357ba2ed40f39b54665eb87c3e82023a3c3524d96.exe | MediaCenter.exe
  PID 1680 wrote to memory of 524 | 1680 | 047aa570d4c77a8cd4fa59b357ba2ed40f39b54665eb87c3e82023a3c3524d96.exe | MediaCenter.exe
  PID 1680 wrote to memory of 524 | 1680 | 047aa570d4c77a8cd4fa59b357ba2ed40f39b54665eb87c3e82023a3c3524d96.exe | MediaCenter.exe
  PID 1680 wrote to memory of 524 | 1680 | 047aa570d4c77a8cd4fa59b357ba2ed40f39b54665eb87c3e82023a3c3524d96.exe | MediaCenter.exe
  PID 1680 wrote to memory of 776 | 1680 | 047aa570d4c77a8cd4fa59b357ba2ed40f39b54665eb87c3e82023a3c3524d96.exe | cmd.exe
  PID 1680 wrote to memory of 776 | 1680 | 047aa570d4c77a8cd4fa59b357ba2ed40f39b54665eb87c3e82023a3c3524d96.exe | cmd.exe
  PID 1680 wrote to memory of 776 | 1680 | 047aa570d4c77a8cd4fa59b357ba2ed40f39b54665eb87c3e82023a3c3524d96.exe | cmd.exe
  PID 1680 wrote to memory of 776 | 1680 | 047aa570d4c77a8cd4fa59b357ba2ed40f39b54665eb87c3e82023a3c3524d96.exe | cmd.exe
  PID 776 wrote to memory of 2000 | 776 | cmd.exe | PING.EXE
  PID 776 wrote to memory of 2000 | 776 | cmd.exe | PING.EXE
  PID 776 wrote to memory of 2000 | 776 | cmd.exe | PING.EXE
  PID 776 wrote to memory of 2000 | 776 | cmd.exe | PING.EXE
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\047aa570d4c77a8cd4fa59b357ba2ed40f39b54665eb87c3e82023a3c3524d96.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\047aa570d4c77a8cd4fa59b357ba2ed40f39b54665eb87c3e82023a3c3524d96.exe"
  PID: 1680
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 524
    - Executes dropped EXE
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\047aa570d4c77a8cd4fa59b357ba2ed40f39b54665eb87c3e82023a3c3524d96.exe"
    PID: 776
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 2000
      - Runs ping.exe
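The process tree above shows the two behaviours worth turning into detections: the dropper writes a Run value that points into the user's Temp directory (it lands under Wow6432Node because the 32-bit sample runs under WOW64 on the x64 sandbox, so a hunt has to read both registry views), and it removes its own file with the "cmd /c ping 127.0.0.1 & del /q" delay-then-delete idiom so that the deletion happens after the parent exits. The following Python is an added example, not part of the Triage report or of any tooling it describes. It runs three checks over Sysmon-style records (event ID 1 process creation, event ID 13 registry value set): known SHA256 from this report, Run/RunOnce values pointing under AppData\Local\Temp, and a cmd.exe child whose delete target is its parent's own image. The records in EVENTS are constructed from the tree above; the explorer.exe parent, the benign vendor Run value and the field names are assumptions, not data from the report.

```python
import re

# IoC hashes copied from this report: the dropper and the dropped MediaCenter.exe.
KNOWN_SHA256 = {
    "047aa570d4c77a8cd4fa59b357ba2ed40f39b54665eb87c3e82023a3c3524d96": "sakula dropper",
    "0c0c90aeddc14a34373773a86ac46571118cf5a2105f52e775ad3fe4fda58409": "MediaCenter.exe (dropped Sakula payload)",
}

# cmd.exe /c ping <host> [...] & del [/switches] "<path>": ping is only a sleep.
SELF_DELETE_RE = re.compile(
    r'/c\s+ping\s+\S+.*?&\s*del\s+(?:/[a-z]\s+)*"?(?P<path>[^"&]+?)"?\s*$',
    re.IGNORECASE,
)
# Run / RunOnce under the native view or the Wow6432Node (32-bit) view.
RUN_KEY_RE = re.compile(
    r"\\(?:Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\",
    re.IGNORECASE,
)
USER_TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\047aa570d4c77a8cd4fa59b357ba2ed40f39b54665eb87c3e82023a3c3524d96.exe"
PAYLOAD = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

# Constructed records modelled on the process tree; parent of the dropper and the
# final benign Run value are assumptions for the demo, not observations from the report.
EVENTS = [
    {"id": 1, "pid": 1680, "image": SAMPLE, "cmdline": f'"{SAMPLE}"',
     "parent_image": r"C:\Windows\explorer.exe",
     "sha256": "047aa570d4c77a8cd4fa59b357ba2ed40f39b54665eb87c3e82023a3c3524d96"},
    {"id": 13, "pid": 1680, "image": SAMPLE,
     "target": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "details": PAYLOAD},
    {"id": 1, "pid": 524, "image": PAYLOAD, "cmdline": PAYLOAD, "parent_image": SAMPLE,
     "sha256": "0c0c90aeddc14a34373773a86ac46571118cf5a2105f52e775ad3fe4fda58409"},
    {"id": 1, "pid": 776, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"',
     "parent_image": SAMPLE, "sha256": None},
    {"id": 1, "pid": 2000, "image": r"C:\Windows\SysWOW64\PING.EXE", "cmdline": "ping 127.0.0.1",
     "parent_image": r"C:\Windows\SysWOW64\cmd.exe", "sha256": None},
    # Benign control: a Run value pointing into Program Files must not fire.
    {"id": 13, "pid": 3100, "image": r"C:\Program Files\Vendor\setup.exe",
     "target": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdate",
     "details": r"C:\Program Files\Vendor\update.exe"},
]


def self_delete_target(cmdline):
    """Return the path a cmd.exe command line deletes after a ping delay, else None."""
    m = SELF_DELETE_RE.search(cmdline)
    return m.group("path").strip() if m else None


def is_self_delete(cmdline, parent_image):
    """True when the delayed-delete target is the parent process's own image."""
    target = self_delete_target(cmdline)
    return target is not None and target.lower() == parent_image.lower()


def is_temp_run_key(target_object, details):
    """True for a Run/RunOnce value whose command lives under the user's Temp directory."""
    return bool(RUN_KEY_RE.search(target_object) and USER_TEMP_RE.search(details))


def triage(events):
    """Apply the three checks; return (rule, pid, detail) tuples in event order."""
    alerts = []
    for ev in events:
        if ev["id"] == 1:  # process creation
            label = KNOWN_SHA256.get(ev.get("sha256"))
            if label:
                alerts.append(("known_hash", ev["pid"], label))
            if is_self_delete(ev["cmdline"], ev["parent_image"]):
                alerts.append(("self_delete", ev["pid"], self_delete_target(ev["cmdline"])))
        elif ev["id"] == 13:  # registry value set
            if is_temp_run_key(ev["target"], ev["details"]):
                alerts.append(("run_key_temp", ev["pid"], ev["target"]))
    return alerts


if __name__ == "__main__":
    for rule, pid, detail in triage(EVENTS):
        print(f"{rule:13} pid={pid:<5} {detail}")
```

The self-delete rule keys on the relationship between the delete target and the parent image rather than on "ping 127.0.0.1" alone, which keeps ordinary batch files that ping a host out of the alert stream; the Run-key rule accepts both registry views so the same logic works for 32-bit and 64-bit droppers.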
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 0b104e4792362b62258b8f6171de84b2
  SHA1: 7fb4d64fbc9144848dda8777cae1e5d47414d962
  SHA256: 0c0c90aeddc14a34373773a86ac46571118cf5a2105f52e775ad3fe4fda58409
  SHA512: 22f6d865533be6d4c805ed1e299381af1ac802bb4282d75df11068ff5dd0f2b5378e6c3b088c95a65f23c4ffff9c585f33dccaaec448adb4e89dd706ef1f59a9
- \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 0b104e4792362b62258b8f6171de84b2
  SHA1: 7fb4d64fbc9144848dda8777cae1e5d47414d962
  SHA256: 0c0c90aeddc14a34373773a86ac46571118cf5a2105f52e775ad3fe4fda58409
  SHA512: 22f6d865533be6d4c805ed1e299381af1ac802bb4282d75df11068ff5dd0f2b5378e6c3b088c95a65f23c4ffff9c585f33dccaaec448adb4e89dd706ef1f59a9
- memory/524-60-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB
- memory/1680-54-0x0000000075891000-0x0000000075893000-memory.dmp
  Filesize: 8KB
- memory/1680-58-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB
- memory/1680-59-0x0000000000240000-0x0000000000260000-memory.dmp
  Filesize: 128KB
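To check a host or a mounted disk image against the dropped-file hashes and the MicroMedia\MediaCenter.exe drop path listed above, here is an added Python example; it is not part of the report and not Triage's own tooling. It hashes every file under a root once with MD5, SHA-1 and SHA-256 together, compares each digest against the table, and separately flags the drop path so that a recompiled or padded payload at the same location is still surfaced. The directory tree and file contents built in demo() are constructed stand-ins (the real payload is not included), so on that data the path indicator fires for the stand-in MediaCenter.exe while the hash indicator fires only for a second constructed file whose digest is registered at run time.

```python
import hashlib
import io
import os
import re
import shutil
import tempfile

# Hashes of the dropped payload, copied from the Downloads table in this report.
PAYLOAD_IOCS = {
    "md5": "0b104e4792362b62258b8f6171de84b2",
    "sha1": "7fb4d64fbc9144848dda8777cae1e5d47414d962",
    "sha256": "0c0c90aeddc14a34373773a86ac46571118cf5a2105f52e775ad3fe4fda58409",
}
# Drop location from the report; both separators so the check works on a Linux-mounted image.
PAYLOAD_PATH_RE = re.compile(r"[\\/]MicroMedia[\\/]MediaCenter\.exe$", re.IGNORECASE)


def hash_stream(fh, chunk=1 << 20):
    """One pass over a binary stream computing MD5, SHA-1 and SHA-256 together."""
    digests = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    for block in iter(lambda: fh.read(chunk), b""):
        for d in digests.values():
            d.update(block)
    return {name: d.hexdigest() for name, d in digests.items()}


def hash_bytes(data):
    return hash_stream(io.BytesIO(data))


def hash_file(path):
    with open(path, "rb") as fh:
        return hash_stream(fh)


def sweep(root, ioc_sets):
    """Walk root; return (path, label, evidence) for every path or hash indicator hit."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if PAYLOAD_PATH_RE.search(path):
                hits.append((path, "sakula drop path", "path"))
            try:
                digests = hash_file(path)
            except OSError:  # unreadable or vanished between listing and open
                continue
            for label, iocs in ioc_sets.items():
                for algo, value in iocs.items():
                    if digests.get(algo) == value.lower():
                        hits.append((path, label, algo))
                        break  # one hit per label is enough
    return hits


def demo():
    """Build a constructed tree and sweep it; contents are stand-ins, not the real payload."""
    root = tempfile.mkdtemp()
    try:
        drop_dir = os.path.join(root, "AppData", "Local", "Temp", "MicroMedia")
        os.makedirs(drop_dir)
        with open(os.path.join(drop_dir, "MediaCenter.exe"), "wb") as fh:
            fh.write(b"MZ constructed stand-in, not the real Sakula binary\n")
        other = os.path.join(root, "AppData", "Local", "Temp", "update.tmp")
        with open(other, "wb") as fh:
            fh.write(b"constructed file whose digest is registered as an IoC below\n")
        iocs = {
            "sakula MediaCenter.exe": PAYLOAD_IOCS,
            "constructed IoC": {"sha256": hash_file(other)["sha256"]},  # assumption for the demo
        }
        return sweep(root, iocs)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for path, label, evidence in demo():
        print(f"{evidence:6} {label:24} {path}")
```

On a real host point sweep() at C:\Users (or the mounted image's Users directory) and keep the MD5 and SHA-1 columns: old IoC feeds still carry only those, and matching on any one digest from this table is enough to identify this exact file.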