Analysis
max time kernel: 152s
max time network: 160s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 11:35
Static task: static1
Behavioral task: behavioral1
  Sample: 03ff52b884aa1e75e34dee63355e43964395134c8b86c55a459370541c9e1dec.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 03ff52b884aa1e75e34dee63355e43964395134c8b86c55a459370541c9e1dec.exe
  Resource: win10v2004-en-20220112
General
Target: 03ff52b884aa1e75e34dee63355e43964395134c8b86c55a459370541c9e1dec.exe
Size: 80KB
MD5: b7c2f52fc0fdbf9739b60d15868b2af4
SHA1: 37ea21414ccbaf15397aab6ba062ca551ce385b7
SHA256: 03ff52b884aa1e75e34dee63355e43964395134c8b86c55a459370541c9e1dec
SHA512: 4ea9f1c144b015c69e7ff65e7eed286bb26429577a53364f0e860f9d19d3068fbfcf29bd5f43072cdc0fdeb4df8e0c9e0f87d02dac7741752545c2ee3b0e8daf
Malware Config
Signatures
Sakula Payload (3 IoCs)
  resource | yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
Executes dropped EXE (1 IoC)
  pid | process
  804 | MediaCenter.exe
Deletes itself (1 IoC)
  pid | process
  1108 | cmd.exe
Loads dropped DLL (2 IoCs)
  pid | process
  964 | 03ff52b884aa1e75e34dee63355e43964395134c8b86c55a459370541c9e1dec.exe
  964 | 03ff52b884aa1e75e34dee63355e43964395134c8b86c55a459370541c9e1dec.exe
Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 03ff52b884aa1e75e34dee63355e43964395134c8b86c55a459370541c9e1dec.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Runs ping.exe (1 TTP, 1 IoC)
Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 964 | 03ff52b884aa1e75e34dee63355e43964395134c8b86c55a459370541c9e1dec.exe
Suspicious use of WriteProcessMemory (12 IoCs)
  description | pid | process | target process
  PID 964 wrote to memory of 804 | 964 | 03ff52b884aa1e75e34dee63355e43964395134c8b86c55a459370541c9e1dec.exe | MediaCenter.exe
  PID 964 wrote to memory of 804 | 964 | 03ff52b884aa1e75e34dee63355e43964395134c8b86c55a459370541c9e1dec.exe | MediaCenter.exe
  PID 964 wrote to memory of 804 | 964 | 03ff52b884aa1e75e34dee63355e43964395134c8b86c55a459370541c9e1dec.exe | MediaCenter.exe
  PID 964 wrote to memory of 804 | 964 | 03ff52b884aa1e75e34dee63355e43964395134c8b86c55a459370541c9e1dec.exe | MediaCenter.exe
  PID 964 wrote to memory of 1108 | 964 | 03ff52b884aa1e75e34dee63355e43964395134c8b86c55a459370541c9e1dec.exe | cmd.exe
  PID 964 wrote to memory of 1108 | 964 | 03ff52b884aa1e75e34dee63355e43964395134c8b86c55a459370541c9e1dec.exe | cmd.exe
  PID 964 wrote to memory of 1108 | 964 | 03ff52b884aa1e75e34dee63355e43964395134c8b86c55a459370541c9e1dec.exe | cmd.exe
  PID 964 wrote to memory of 1108 | 964 | 03ff52b884aa1e75e34dee63355e43964395134c8b86c55a459370541c9e1dec.exe | cmd.exe
  PID 1108 wrote to memory of 1828 | 1108 | cmd.exe | PING.EXE
  PID 1108 wrote to memory of 1828 | 1108 | cmd.exe | PING.EXE
  PID 1108 wrote to memory of 1828 | 1108 | cmd.exe | PING.EXE
  PID 1108 wrote to memory of 1828 | 1108 | cmd.exe | PING.EXE
Processes
C:\Users\Admin\AppData\Local\Temp\03ff52b884aa1e75e34dee63355e43964395134c8b86c55a459370541c9e1dec.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\03ff52b884aa1e75e34dee63355e43964395134c8b86c55a459370541c9e1dec.exe"
  PID: 964
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      PID: 804
      - Executes dropped EXE
    C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\03ff52b884aa1e75e34dee63355e43964395134c8b86c55a459370541c9e1dec.exe"
      PID: 1108
      - Deletes itself
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\PING.EXE
          command line: ping 127.0.0.1
          PID: 1828
          - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 935f9171b038bfdcb0e2dee5bc304365
  SHA1: 156d398524fae040f0956b9e75b9018bf4ca088b
  SHA256: 991616c740d5d5481a3dcab496b4a0c5967883164081cffde327c46e9019f953
  SHA512: 391462b92d21b87d416a38a9d7ec44d4f3352c302db5429bd135a096b4ba489d84b043e3a72a05cfb133cdff49ca95f8bdf39e0706a627d914ece3d885f2536a
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 935f9171b038bfdcb0e2dee5bc304365
  SHA1: 156d398524fae040f0956b9e75b9018bf4ca088b
  SHA256: 991616c740d5d5481a3dcab496b4a0c5967883164081cffde327c46e9019f953
  SHA512: 391462b92d21b87d416a38a9d7ec44d4f3352c302db5429bd135a096b4ba489d84b043e3a72a05cfb133cdff49ca95f8bdf39e0706a627d914ece3d885f2536a
memory/964-54-0x0000000075341000-0x0000000075343000-memory.dmp
  Filesize: 8KB