Analysis
- max time kernel: 121s
- max time network: 142s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 11:24
Static task: static1
Behavioral task: behavioral1
  Sample: 047c931cdebed77fd23f96be5c57a7c530e7655cb07929cff23cca940507201f.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 047c931cdebed77fd23f96be5c57a7c530e7655cb07929cff23cca940507201f.exe
  Resource: win10v2004-en-20220113
General
- Target: 047c931cdebed77fd23f96be5c57a7c530e7655cb07929cff23cca940507201f.exe
- Size: 99KB
- MD5: a6eafc33694684c931199e9e771ea682
- SHA1: fb75e275fa6f8d6bda54681730a34f4afce4e56b
- SHA256: 047c931cdebed77fd23f96be5c57a7c530e7655cb07929cff23cca940507201f
- SHA512: b5e8f7acba1607419f20e9e1065618c4e1f8456508aec3a746ca6f8cf6f7ded351603173a5799ef49409f717987feb364d2febc36b77d6729dfeae4f446dd5cf
Malware Config
Signatures
- Sakula Payload (3 IoCs)
  resource                                                        yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe      family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe    family_sakula
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe      family_sakula
- Executes dropped EXE (1 IoC)
  Processes:
  pid    process
  2004   MediaCenter.exe
- Deletes itself (1 IoC)
  Processes:
  pid    process
  2040   cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes:
  pid    process
  1136   047c931cdebed77fd23f96be5c57a7c530e7655cb07929cff23cca940507201f.exe
  1136   047c931cdebed77fd23f96be5c57a7c530e7655cb07929cff23cca940507201f.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
  description       ioc                                                                                                                                                              process
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"   047c931cdebed77fd23f96be5c57a7c530e7655cb07929cff23cca940507201f.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  description                            pid    process
  Token: SeIncBasePriorityPrivilege      1136   047c931cdebed77fd23f96be5c57a7c530e7655cb07929cff23cca940507201f.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
  description                          pid    process                                                                   target process
  PID 1136 wrote to memory of 2004     1136   047c931cdebed77fd23f96be5c57a7c530e7655cb07929cff23cca940507201f.exe     MediaCenter.exe
  PID 1136 wrote to memory of 2004     1136   047c931cdebed77fd23f96be5c57a7c530e7655cb07929cff23cca940507201f.exe     MediaCenter.exe
  PID 1136 wrote to memory of 2004     1136   047c931cdebed77fd23f96be5c57a7c530e7655cb07929cff23cca940507201f.exe     MediaCenter.exe
  PID 1136 wrote to memory of 2004     1136   047c931cdebed77fd23f96be5c57a7c530e7655cb07929cff23cca940507201f.exe     MediaCenter.exe
  PID 1136 wrote to memory of 2040     1136   047c931cdebed77fd23f96be5c57a7c530e7655cb07929cff23cca940507201f.exe     cmd.exe
  PID 1136 wrote to memory of 2040     1136   047c931cdebed77fd23f96be5c57a7c530e7655cb07929cff23cca940507201f.exe     cmd.exe
  PID 1136 wrote to memory of 2040     1136   047c931cdebed77fd23f96be5c57a7c530e7655cb07929cff23cca940507201f.exe     cmd.exe
  PID 1136 wrote to memory of 2040     1136   047c931cdebed77fd23f96be5c57a7c530e7655cb07929cff23cca940507201f.exe     cmd.exe
  PID 2040 wrote to memory of 1244     2040   cmd.exe                                                                   PING.EXE
  PID 2040 wrote to memory of 1244     2040   cmd.exe                                                                   PING.EXE
  PID 2040 wrote to memory of 1244     2040   cmd.exe                                                                   PING.EXE
  PID 2040 wrote to memory of 1244     2040   cmd.exe                                                                   PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\047c931cdebed77fd23f96be5c57a7c530e7655cb07929cff23cca940507201f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\047c931cdebed77fd23f96be5c57a7c530e7655cb07929cff23cca940507201f.exe"
  PID: 1136
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 2004
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\047c931cdebed77fd23f96be5c57a7c530e7655cb07929cff23cca940507201f.exe"
    PID: 2040
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 1244
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: a3bb3fd1e4f5a567bfe1f686f6ffcd81
  SHA1: 70691a4ad90f75329d32b9764706ac11b56544ba
  SHA256: 35e5694adbab6968e3e9c51dbc8832fb9a5f90807c6e98026b851a905aaafa6c
  SHA512: bd682331b85b135b2764aa4c88872217e1750e1d9417c4d72c74a31fd55ce8ddf020ccb275b2bdb3f34354da89f6cabb4423b9869cf56ede23b1043858bf1521
- \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: a3bb3fd1e4f5a567bfe1f686f6ffcd81
  SHA1: 70691a4ad90f75329d32b9764706ac11b56544ba
  SHA256: 35e5694adbab6968e3e9c51dbc8832fb9a5f90807c6e98026b851a905aaafa6c
  SHA512: bd682331b85b135b2764aa4c88872217e1750e1d9417c4d72c74a31fd55ce8ddf020ccb275b2bdb3f34354da89f6cabb4423b9869cf56ede23b1043858bf1521
- memory/1136-55-0x0000000076511000-0x0000000076513000-memory.dmp
  Filesize: 8KB