Analysis
- max time kernel: 125s
- max time network: 147s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 11:30

Static task: static1

Behavioral task: behavioral1
- Sample: 04396c7638638da9796f5583867a8bc1dc446e0e33e19eeb5f7a64753adec2e2.exe
- Resource: win7-en-20211208

Behavioral task: behavioral2
- Sample: 04396c7638638da9796f5583867a8bc1dc446e0e33e19eeb5f7a64753adec2e2.exe
- Resource: win10v2004-en-20220113
General
- Target: 04396c7638638da9796f5583867a8bc1dc446e0e33e19eeb5f7a64753adec2e2.exe
- Size: 99KB
- MD5: 376550eb42d7c55e1442e12b10f25e36
- SHA1: 6df93d7db01a59e1adfe5cd2c8f5464389c10c6c
- SHA256: 04396c7638638da9796f5583867a8bc1dc446e0e33e19eeb5f7a64753adec2e2
- SHA512: 553d7c228bfbd8b4b384cb5a323b004d3543197b4c5200e1a3d8b4c326a3abcf9de494d02eb8f63952ba59a172f4d2112471bd02bf75ec964920ce0c271fa139
Malware Config
Signatures
- Sakula Payload (3 IoCs)
  Processes (resource / yara_rule):
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe / family_sakula
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe / family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe / family_sakula
- Executes dropped EXE (1 IoC)
  Processes (pid / process):
  1608 / MediaCenter.exe
- Deletes itself (1 IoC)
  Processes (pid / process):
  396 / cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid / process):
  1548 / 04396c7638638da9796f5583867a8bc1dc446e0e33e19eeb5f7a64753adec2e2.exe
  1548 / 04396c7638638da9796f5583867a8bc1dc446e0e33e19eeb5f7a64753adec2e2.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description / ioc / process):
  Set value (str) / \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" / 04396c7638638da9796f5583867a8bc1dc446e0e33e19eeb5f7a64753adec2e2.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description / pid / process):
  Token: SeIncBasePriorityPrivilege / 1548 / 04396c7638638da9796f5583867a8bc1dc446e0e33e19eeb5f7a64753adec2e2.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description / pid / process / target process):
  PID 1548 wrote to memory of 1608 / 1548 / 04396c7638638da9796f5583867a8bc1dc446e0e33e19eeb5f7a64753adec2e2.exe / MediaCenter.exe (4 identical entries)
  PID 1548 wrote to memory of 396 / 1548 / 04396c7638638da9796f5583867a8bc1dc446e0e33e19eeb5f7a64753adec2e2.exe / cmd.exe (4 identical entries)
  PID 396 wrote to memory of 1672 / 396 / cmd.exe / PING.EXE (4 identical entries)
Processes
- Level 1: C:\Users\Admin\AppData\Local\Temp\04396c7638638da9796f5583867a8bc1dc446e0e33e19eeb5f7a64753adec2e2.exe (PID 1548)
  Command line: "C:\Users\Admin\AppData\Local\Temp\04396c7638638da9796f5583867a8bc1dc446e0e33e19eeb5f7a64753adec2e2.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Level 2: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 1608)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - Level 2: C:\Windows\SysWOW64\cmd.exe (PID 396)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\04396c7638638da9796f5583867a8bc1dc446e0e33e19eeb5f7a64753adec2e2.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - Level 3: C:\Windows\SysWOW64\PING.EXE (PID 1672)
      Command line: ping 127.0.0.1
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 6de6781ea255e5515b43c058f22f8349
  SHA1: c0366146fb95bd4dfc3f4e295f16bcfd46dabd5b
  SHA256: 805eb6cd28a900b14a21b9d6841a24d444e579ca01f6bdd6382318575ba330bf
  SHA512: c0fc5412b3b6772f57d8ffc26ffd5ef8449dec0cb0e8ffe2e94fce25b26f30830f6b1ce198d0d8320c876532f5c642a0674ee5e15bf56ec82bab7257ad04db19
- memory/1548-54-0x0000000076451000-0x0000000076453000-memory.dmp
  Filesize: 8KB