Analysis
- max time kernel: 156s
- max time network: 177s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 11:33
Static task: static1
Behavioral task: behavioral1
  Sample: 04224614cf64a00956257cfb05308159a7f1f6a8aaead50d62448628cef98aa2.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 04224614cf64a00956257cfb05308159a7f1f6a8aaead50d62448628cef98aa2.exe
  Resource: win10v2004-en-20220112
General
- Target: 04224614cf64a00956257cfb05308159a7f1f6a8aaead50d62448628cef98aa2.exe
- Size: 92KB
- MD5: 43ecf054084ded53fad0dc367e1fb56c
- SHA1: f51851719dfb6fa101f378ea99efe0fcf8e31344
- SHA256: 04224614cf64a00956257cfb05308159a7f1f6a8aaead50d62448628cef98aa2
- SHA512: e4fbe9b423fb8fef1e16d473fad7ef58726ebeb6f8972e48735388c48f9f99ecf258f0090a6b67f79db658fd41c8375ff501992ce471c1ce7f2dcabc7248edde
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  Processes (resource, yara_rule):
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  family_sakula
- Executes dropped EXE (1 IoC)
  Processes (pid, process):
  520  MediaCenter.exe
- Deletes itself (1 IoC)
  Processes (pid, process):
  1604  cmd.exe
- Loads dropped DLL (1 IoC)
  Processes (pid, process):
  1876  04224614cf64a00956257cfb05308159a7f1f6a8aaead50d62448628cef98aa2.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description, ioc, process):
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  04224614cf64a00956257cfb05308159a7f1f6a8aaead50d62448628cef98aa2.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description, pid, process):
  Token: SeIncBasePriorityPrivilege  1876  04224614cf64a00956257cfb05308159a7f1f6a8aaead50d62448628cef98aa2.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description, pid, process, target process):
  PID 1876 wrote to memory of 520  1876  04224614cf64a00956257cfb05308159a7f1f6a8aaead50d62448628cef98aa2.exe  MediaCenter.exe
  PID 1876 wrote to memory of 520  1876  04224614cf64a00956257cfb05308159a7f1f6a8aaead50d62448628cef98aa2.exe  MediaCenter.exe
  PID 1876 wrote to memory of 520  1876  04224614cf64a00956257cfb05308159a7f1f6a8aaead50d62448628cef98aa2.exe  MediaCenter.exe
  PID 1876 wrote to memory of 520  1876  04224614cf64a00956257cfb05308159a7f1f6a8aaead50d62448628cef98aa2.exe  MediaCenter.exe
  PID 1876 wrote to memory of 1604  1876  04224614cf64a00956257cfb05308159a7f1f6a8aaead50d62448628cef98aa2.exe  cmd.exe
  PID 1876 wrote to memory of 1604  1876  04224614cf64a00956257cfb05308159a7f1f6a8aaead50d62448628cef98aa2.exe  cmd.exe
  PID 1876 wrote to memory of 1604  1876  04224614cf64a00956257cfb05308159a7f1f6a8aaead50d62448628cef98aa2.exe  cmd.exe
  PID 1876 wrote to memory of 1604  1876  04224614cf64a00956257cfb05308159a7f1f6a8aaead50d62448628cef98aa2.exe  cmd.exe
  PID 1604 wrote to memory of 1644  1604  cmd.exe  PING.EXE
  PID 1604 wrote to memory of 1644  1604  cmd.exe  PING.EXE
  PID 1604 wrote to memory of 1644  1604  cmd.exe  PING.EXE
  PID 1604 wrote to memory of 1644  1604  cmd.exe  PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\04224614cf64a00956257cfb05308159a7f1f6a8aaead50d62448628cef98aa2.exe (depth 1, PID 1876)
  Command line: "C:\Users\Admin\AppData\Local\Temp\04224614cf64a00956257cfb05308159a7f1f6a8aaead50d62448628cef98aa2.exe"
  Signatures: Loads dropped DLL; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (depth 2, PID 520)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Signatures: Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (depth 2, PID 1604)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\04224614cf64a00956257cfb05308159a7f1f6a8aaead50d62448628cef98aa2.exe"
    Signatures: Deletes itself; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (depth 3, PID 1644)
      Command line: ping 127.0.0.1
      Signatures: Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: e88ed5108dbbe6030c14c2bcbdb61a1a
  SHA1: b57addf751a1d6812ab8895e63c034a0ae407395
  SHA256: a5e2a27ce7ed4a91d0452d3bcfa271b462a30f8fa691e3f3b3aeff66063c3e26
  SHA512: be6a89e31b66a8ab1e6de17c70ec2c7b7571249b33df074b5460cf11fd40943542ef871bf0763d10a3c2a7863b5f98044a70f3a225ca7924a8b90f85e7537051
- \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: e88ed5108dbbe6030c14c2bcbdb61a1a
  SHA1: b57addf751a1d6812ab8895e63c034a0ae407395
  SHA256: a5e2a27ce7ed4a91d0452d3bcfa271b462a30f8fa691e3f3b3aeff66063c3e26
  SHA512: be6a89e31b66a8ab1e6de17c70ec2c7b7571249b33df074b5460cf11fd40943542ef871bf0763d10a3c2a7863b5f98044a70f3a225ca7924a8b90f85e7537051
- memory/1876-54-0x0000000076121000-0x0000000076123000-memory.dmp
  Filesize: 8KB