Analysis
- max time kernel: 146s
- max time network: 158s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 11:36
Static task: static1
Behavioral task: behavioral1
- Sample: 03f39cf3684a24629dd1904969b5df59718670652434a3302ed45fa1f24607b2.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 03f39cf3684a24629dd1904969b5df59718670652434a3302ed45fa1f24607b2.exe
- Resource: win10v2004-en-20220112
General
- Target: 03f39cf3684a24629dd1904969b5df59718670652434a3302ed45fa1f24607b2.exe
- Size: 216KB
- MD5: 59c4591933f09104e7045cdc133664a1
- SHA1: 7c094cb0c08b6759cf97f74dbfa611ebf3435ec6
- SHA256: 03f39cf3684a24629dd1904969b5df59718670652434a3302ed45fa1f24607b2
- SHA512: b27f8146819f92136ed37596b04f0d9e7445d6397e3c742cd91ed21496655e9c5bca2f57aa66fca833641e37b240cb0dcd6da53d6317024f6cb31467901d7db2
Malware Config
Signatures
- Sakula Payload (4 IoCs)
  Processes:
  resource                                                                      yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe                    family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe                  family_sakula
  behavioral1/memory/1628-59-0x0000000000400000-0x0000000000420000-memory.dmp  family_sakula
  behavioral1/memory/1632-60-0x0000000000400000-0x0000000000420000-memory.dmp  family_sakula
- Executes dropped EXE (1 IoC)
  Processes:
  pid   process
  1632  MediaCenter.exe
- Deletes itself (1 IoC)
  Processes:
  pid   process
  960   cmd.exe
- Loads dropped DLL (1 IoC)
  Processes:
  pid   process
  1628  03f39cf3684a24629dd1904969b5df59718670652434a3302ed45fa1f24607b2.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
  description      ioc                                                                                                                                                                          process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  03f39cf3684a24629dd1904969b5df59718670652434a3302ed45fa1f24607b2.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  description                        pid   process
  Token: SeIncBasePriorityPrivilege  1628  03f39cf3684a24629dd1904969b5df59718670652434a3302ed45fa1f24607b2.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
  description                       pid   process                                                               target process
  PID 1628 wrote to memory of 1632  1628  03f39cf3684a24629dd1904969b5df59718670652434a3302ed45fa1f24607b2.exe  MediaCenter.exe
  PID 1628 wrote to memory of 1632  1628  03f39cf3684a24629dd1904969b5df59718670652434a3302ed45fa1f24607b2.exe  MediaCenter.exe
  PID 1628 wrote to memory of 1632  1628  03f39cf3684a24629dd1904969b5df59718670652434a3302ed45fa1f24607b2.exe  MediaCenter.exe
  PID 1628 wrote to memory of 1632  1628  03f39cf3684a24629dd1904969b5df59718670652434a3302ed45fa1f24607b2.exe  MediaCenter.exe
  PID 1628 wrote to memory of 960   1628  03f39cf3684a24629dd1904969b5df59718670652434a3302ed45fa1f24607b2.exe  cmd.exe
  PID 1628 wrote to memory of 960   1628  03f39cf3684a24629dd1904969b5df59718670652434a3302ed45fa1f24607b2.exe  cmd.exe
  PID 1628 wrote to memory of 960   1628  03f39cf3684a24629dd1904969b5df59718670652434a3302ed45fa1f24607b2.exe  cmd.exe
  PID 1628 wrote to memory of 960   1628  03f39cf3684a24629dd1904969b5df59718670652434a3302ed45fa1f24607b2.exe  cmd.exe
  PID 960 wrote to memory of 1748   960   cmd.exe                                                               PING.EXE
  PID 960 wrote to memory of 1748   960   cmd.exe                                                               PING.EXE
  PID 960 wrote to memory of 1748   960   cmd.exe                                                               PING.EXE
  PID 960 wrote to memory of 1748   960   cmd.exe                                                               PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\03f39cf3684a24629dd1904969b5df59718670652434a3302ed45fa1f24607b2.exe (PID 1628)
  Command line: "C:\Users\Admin\AppData\Local\Temp\03f39cf3684a24629dd1904969b5df59718670652434a3302ed45fa1f24607b2.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 1632)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 960)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\03f39cf3684a24629dd1904969b5df59718670652434a3302ed45fa1f24607b2.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 1748)
      Command line: ping 127.0.0.1
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5     37417dc61307772ebe965813dde3376d
  SHA1    a54c05bda22bc7031f617f55b72722c68de4575f
  SHA256  377548eb6b43bef1a1ecd42ea8cdcdb5e4819c964967d6397a4088d68d15c65c
  SHA512  6b9fb0408413794c8e70fd84d18f40ff32b74072e80631a21519326da66614857a82711d48bd1b4ab883a5191295960fcb65dc85d419eb8238045b3fabde3e1d
- \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5     37417dc61307772ebe965813dde3376d
  SHA1    a54c05bda22bc7031f617f55b72722c68de4575f
  SHA256  377548eb6b43bef1a1ecd42ea8cdcdb5e4819c964967d6397a4088d68d15c65c
  SHA512  6b9fb0408413794c8e70fd84d18f40ff32b74072e80631a21519326da66614857a82711d48bd1b4ab883a5191295960fcb65dc85d419eb8238045b3fabde3e1d
- memory/1628-55-0x0000000075021000-0x0000000075023000-memory.dmp
  Filesize  8KB
- memory/1628-59-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize  128KB
- memory/1632-60-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize  128KB