Analysis
-
max time kernel
139s -
max time network
166s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
12-02-2022 11:34
Static task
static1
Behavioral task
behavioral1
Sample
0405f04b30e8ec96a49c8bb2a765a72e41ef7f02eb91ce68a26d366042fa4c53.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
0405f04b30e8ec96a49c8bb2a765a72e41ef7f02eb91ce68a26d366042fa4c53.exe
Resource
win10v2004-en-20220113
General
-
Target
0405f04b30e8ec96a49c8bb2a765a72e41ef7f02eb91ce68a26d366042fa4c53.exe
-
Size
99KB
-
MD5
8e4581732d77198ec1683f1b63be7f0c
-
SHA1
aa63ff94108f3c157327a1df4d56b17bab2f1910
-
SHA256
0405f04b30e8ec96a49c8bb2a765a72e41ef7f02eb91ce68a26d366042fa4c53
-
SHA512
0a3e454ac913d9dc5a30c4151d06a71438a76175aa420b960c6e807b140eba4ba0b55d59553e56fd5af5c6f189c8381205e9699440ae1ef8f5c1d8fa19ec998a
Malware Config
Signatures
-
Sakula Payload 3 IoCs
Processes:
resource yara_rule \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula -
Executes dropped EXE 1 IoCs
Processes:
MediaCenter.exepid process 1588 MediaCenter.exe -
Deletes itself 1 IoCs
Processes:
cmd.exepid process 1804 cmd.exe -
Loads dropped DLL 2 IoCs
Processes:
0405f04b30e8ec96a49c8bb2a765a72e41ef7f02eb91ce68a26d366042fa4c53.exepid process 1292 0405f04b30e8ec96a49c8bb2a765a72e41ef7f02eb91ce68a26d366042fa4c53.exe 1292 0405f04b30e8ec96a49c8bb2a765a72e41ef7f02eb91ce68a26d366042fa4c53.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
0405f04b30e8ec96a49c8bb2a765a72e41ef7f02eb91ce68a26d366042fa4c53.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" 0405f04b30e8ec96a49c8bb2a765a72e41ef7f02eb91ce68a26d366042fa4c53.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
0405f04b30e8ec96a49c8bb2a765a72e41ef7f02eb91ce68a26d366042fa4c53.exedescription pid process Token: SeIncBasePriorityPrivilege 1292 0405f04b30e8ec96a49c8bb2a765a72e41ef7f02eb91ce68a26d366042fa4c53.exe -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
0405f04b30e8ec96a49c8bb2a765a72e41ef7f02eb91ce68a26d366042fa4c53.execmd.exedescription pid process target process PID 1292 wrote to memory of 1588 1292 0405f04b30e8ec96a49c8bb2a765a72e41ef7f02eb91ce68a26d366042fa4c53.exe MediaCenter.exe PID 1292 wrote to memory of 1588 1292 0405f04b30e8ec96a49c8bb2a765a72e41ef7f02eb91ce68a26d366042fa4c53.exe MediaCenter.exe PID 1292 wrote to memory of 1588 1292 0405f04b30e8ec96a49c8bb2a765a72e41ef7f02eb91ce68a26d366042fa4c53.exe MediaCenter.exe PID 1292 wrote to memory of 1588 1292 0405f04b30e8ec96a49c8bb2a765a72e41ef7f02eb91ce68a26d366042fa4c53.exe MediaCenter.exe PID 1292 wrote to memory of 1804 1292 0405f04b30e8ec96a49c8bb2a765a72e41ef7f02eb91ce68a26d366042fa4c53.exe cmd.exe PID 1292 wrote to memory of 1804 1292 0405f04b30e8ec96a49c8bb2a765a72e41ef7f02eb91ce68a26d366042fa4c53.exe cmd.exe PID 1292 wrote to memory of 1804 1292 0405f04b30e8ec96a49c8bb2a765a72e41ef7f02eb91ce68a26d366042fa4c53.exe cmd.exe PID 1292 wrote to memory of 1804 1292 0405f04b30e8ec96a49c8bb2a765a72e41ef7f02eb91ce68a26d366042fa4c53.exe cmd.exe PID 1804 wrote to memory of 1876 1804 cmd.exe PING.EXE PID 1804 wrote to memory of 1876 1804 cmd.exe PING.EXE PID 1804 wrote to memory of 1876 1804 cmd.exe PING.EXE PID 1804 wrote to memory of 1876 1804 cmd.exe PING.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\0405f04b30e8ec96a49c8bb2a765a72e41ef7f02eb91ce68a26d366042fa4c53.exe"C:\Users\Admin\AppData\Local\Temp\0405f04b30e8ec96a49c8bb2a765a72e41ef7f02eb91ce68a26d366042fa4c53.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1292 -
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeC:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe2⤵
- Executes dropped EXE
PID:1588 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0405f04b30e8ec96a49c8bb2a765a72e41ef7f02eb91ce68a26d366042fa4c53.exe"2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1804 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.13⤵
- Runs ping.exe
PID:1876
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeMD5
0a53e000d27ff61ca2817e58f6f6c54c
SHA1959e751b82b29e287d0278b52a67460932d525c3
SHA2564c765ea2e8432a5c548f0a86be96508e3584f95cb1cf66f7db907b25302b6026
SHA512b4d66e1b70c583c07e7e50a17556e5b9a3b2484aafe9ee63249827d79a492a6b91c3a4bac7e440383a05e70a5a76f603b6e184e1bbec79adb4975e1041b120aa
-
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeMD5
0a53e000d27ff61ca2817e58f6f6c54c
SHA1959e751b82b29e287d0278b52a67460932d525c3
SHA2564c765ea2e8432a5c548f0a86be96508e3584f95cb1cf66f7db907b25302b6026
SHA512b4d66e1b70c583c07e7e50a17556e5b9a3b2484aafe9ee63249827d79a492a6b91c3a4bac7e440383a05e70a5a76f603b6e184e1bbec79adb4975e1041b120aa
-
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeMD5
0a53e000d27ff61ca2817e58f6f6c54c
SHA1959e751b82b29e287d0278b52a67460932d525c3
SHA2564c765ea2e8432a5c548f0a86be96508e3584f95cb1cf66f7db907b25302b6026
SHA512b4d66e1b70c583c07e7e50a17556e5b9a3b2484aafe9ee63249827d79a492a6b91c3a4bac7e440383a05e70a5a76f603b6e184e1bbec79adb4975e1041b120aa
-
memory/1292-54-0x0000000076151000-0x0000000076153000-memory.dmpFilesize
8KB