Analysis
- max time kernel: 145s
- max time network: 173s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 11:29
Static task: static1
Behavioral task: behavioral1
- Sample: 044b7529207314a1b456c706287bc80ce5b8a1423b5a3051a9ed1e5b08ae50b9.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 044b7529207314a1b456c706287bc80ce5b8a1423b5a3051a9ed1e5b08ae50b9.exe
- Resource: win10v2004-en-20220113
General
- Target: 044b7529207314a1b456c706287bc80ce5b8a1423b5a3051a9ed1e5b08ae50b9.exe
- Size: 99KB
- MD5: 099464c4161ed353d710aadb83cd8e7c
- SHA1: 582cee0ef60ecd41c7ff1a5b0680c2709df34edd
- SHA256: 044b7529207314a1b456c706287bc80ce5b8a1423b5a3051a9ed1e5b08ae50b9
- SHA512: 5cced9a05589d779e2cc7840ab4d8d824cdd1d48ff46823e30fe6772966bd07f23c2d5421051709520f21f83b6e37f24f1d2be398fa518dee9601f6238e0a9bf
Malware Config
Signatures
- Sakula Payload (3 IoCs)
  Processes:
  resource | yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- Executes dropped EXE (1 IoC)
  Processes:
  pid | process
  1612 | MediaCenter.exe
- Deletes itself (1 IoC)
  Processes:
  pid | process
  1652 | cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes:
  pid | process
  1636 | 044b7529207314a1b456c706287bc80ce5b8a1423b5a3051a9ed1e5b08ae50b9.exe
  1636 | 044b7529207314a1b456c706287bc80ce5b8a1423b5a3051a9ed1e5b08ae50b9.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 044b7529207314a1b456c706287bc80ce5b8a1423b5a3051a9ed1e5b08ae50b9.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 1636 | 044b7529207314a1b456c706287bc80ce5b8a1423b5a3051a9ed1e5b08ae50b9.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
  description | pid | process | target process
  PID 1636 wrote to memory of 1612 | 1636 | 044b7529207314a1b456c706287bc80ce5b8a1423b5a3051a9ed1e5b08ae50b9.exe | MediaCenter.exe
  PID 1636 wrote to memory of 1612 | 1636 | 044b7529207314a1b456c706287bc80ce5b8a1423b5a3051a9ed1e5b08ae50b9.exe | MediaCenter.exe
  PID 1636 wrote to memory of 1612 | 1636 | 044b7529207314a1b456c706287bc80ce5b8a1423b5a3051a9ed1e5b08ae50b9.exe | MediaCenter.exe
  PID 1636 wrote to memory of 1612 | 1636 | 044b7529207314a1b456c706287bc80ce5b8a1423b5a3051a9ed1e5b08ae50b9.exe | MediaCenter.exe
  PID 1636 wrote to memory of 1652 | 1636 | 044b7529207314a1b456c706287bc80ce5b8a1423b5a3051a9ed1e5b08ae50b9.exe | cmd.exe
  PID 1636 wrote to memory of 1652 | 1636 | 044b7529207314a1b456c706287bc80ce5b8a1423b5a3051a9ed1e5b08ae50b9.exe | cmd.exe
  PID 1636 wrote to memory of 1652 | 1636 | 044b7529207314a1b456c706287bc80ce5b8a1423b5a3051a9ed1e5b08ae50b9.exe | cmd.exe
  PID 1636 wrote to memory of 1652 | 1636 | 044b7529207314a1b456c706287bc80ce5b8a1423b5a3051a9ed1e5b08ae50b9.exe | cmd.exe
  PID 1652 wrote to memory of 1140 | 1652 | cmd.exe | PING.EXE
  PID 1652 wrote to memory of 1140 | 1652 | cmd.exe | PING.EXE
  PID 1652 wrote to memory of 1140 | 1652 | cmd.exe | PING.EXE
  PID 1652 wrote to memory of 1140 | 1652 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\044b7529207314a1b456c706287bc80ce5b8a1423b5a3051a9ed1e5b08ae50b9.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\044b7529207314a1b456c706287bc80ce5b8a1423b5a3051a9ed1e5b08ae50b9.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1636
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1612
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\044b7529207314a1b456c706287bc80ce5b8a1423b5a3051a9ed1e5b08ae50b9.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1652
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1140
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: c182e9e8ba1ac034369e38f45dc92681
  SHA1: b978ec2e6c817bd0778fa246422e928b842ff82a
  SHA256: 181df6d6644de693cc98c24dd6998727983889735b40937623759efa2f803ff3
  SHA512: 0c81893299be62d0271cef4affb01c9accb6ce7a5eee035e51faf148940d64a80ed0aa8d271da4d50759f0f0a11f979ac6fe21c07142f14548ea59557fc93b29
- \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: c182e9e8ba1ac034369e38f45dc92681
  SHA1: b978ec2e6c817bd0778fa246422e928b842ff82a
  SHA256: 181df6d6644de693cc98c24dd6998727983889735b40937623759efa2f803ff3
  SHA512: 0c81893299be62d0271cef4affb01c9accb6ce7a5eee035e51faf148940d64a80ed0aa8d271da4d50759f0f0a11f979ac6fe21c07142f14548ea59557fc93b29
- memory/1636-55-0x0000000076921000-0x0000000076923000-memory.dmp
  Filesize: 8KB