Analysis
- max time kernel: 147s
- max time network: 158s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 11:41
Static task: static1
Behavioral task: behavioral1
- Sample: 03b1e593040baea3ca8f74b497277678d9c4b64c4083b57de54241ca51d5c611.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 03b1e593040baea3ca8f74b497277678d9c4b64c4083b57de54241ca51d5c611.exe
- Resource: win10v2004-en-20220113
General
- Target: 03b1e593040baea3ca8f74b497277678d9c4b64c4083b57de54241ca51d5c611.exe
- Size: 92KB
- MD5: 8e11f41c53c28c2086a992478e165ae1
- SHA1: d5d3c55b775b71a2bcc22234450aadbaa06cba0c
- SHA256: 03b1e593040baea3ca8f74b497277678d9c4b64c4083b57de54241ca51d5c611
- SHA512: f67e55bd403b91bdd68fdb9a9010d253d630261267613d4cf0dc9abc827d81fb17e03ea049db0395a90562fbd53eb763048fcc30454dbdb1a8c83eed1d67e3f5
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  Processes (resource / yara_rule):
  - \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe: family_sakula
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe: family_sakula
- Executes dropped EXE (1 IoC)
  Processes (pid / process):
  - 1720 MediaCenter.exe
- Deletes itself (1 IoC)
  Processes (pid / process):
  - 276 cmd.exe
- Loads dropped DLL (1 IoC)
  Processes (pid / process):
  - 1204 03b1e593040baea3ca8f74b497277678d9c4b64c4083b57de54241ca51d5c611.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description / ioc / process):
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" (by 03b1e593040baea3ca8f74b497277678d9c4b64c4083b57de54241ca51d5c611.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description / pid / process):
  - Token: SeIncBasePriorityPrivilege, 1204, 03b1e593040baea3ca8f74b497277678d9c4b64c4083b57de54241ca51d5c611.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description / pid / process / target process):
  - PID 1204 wrote to memory of 1720: 03b1e593040baea3ca8f74b497277678d9c4b64c4083b57de54241ca51d5c611.exe -> MediaCenter.exe
  - PID 1204 wrote to memory of 1720: 03b1e593040baea3ca8f74b497277678d9c4b64c4083b57de54241ca51d5c611.exe -> MediaCenter.exe
  - PID 1204 wrote to memory of 1720: 03b1e593040baea3ca8f74b497277678d9c4b64c4083b57de54241ca51d5c611.exe -> MediaCenter.exe
  - PID 1204 wrote to memory of 1720: 03b1e593040baea3ca8f74b497277678d9c4b64c4083b57de54241ca51d5c611.exe -> MediaCenter.exe
  - PID 1204 wrote to memory of 276: 03b1e593040baea3ca8f74b497277678d9c4b64c4083b57de54241ca51d5c611.exe -> cmd.exe
  - PID 1204 wrote to memory of 276: 03b1e593040baea3ca8f74b497277678d9c4b64c4083b57de54241ca51d5c611.exe -> cmd.exe
  - PID 1204 wrote to memory of 276: 03b1e593040baea3ca8f74b497277678d9c4b64c4083b57de54241ca51d5c611.exe -> cmd.exe
  - PID 1204 wrote to memory of 276: 03b1e593040baea3ca8f74b497277678d9c4b64c4083b57de54241ca51d5c611.exe -> cmd.exe
  - PID 276 wrote to memory of 296: cmd.exe -> PING.EXE
  - PID 276 wrote to memory of 296: cmd.exe -> PING.EXE
  - PID 276 wrote to memory of 296: cmd.exe -> PING.EXE
  - PID 276 wrote to memory of 296: cmd.exe -> PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\03b1e593040baea3ca8f74b497277678d9c4b64c4083b57de54241ca51d5c611.exe (level 1, PID 1204)
  Command line: "C:\Users\Admin\AppData\Local\Temp\03b1e593040baea3ca8f74b497277678d9c4b64c4083b57de54241ca51d5c611.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (level 2, PID 1720)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (level 2, PID 276)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\03b1e593040baea3ca8f74b497277678d9c4b64c4083b57de54241ca51d5c611.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (level 3, PID 296)
      Command line: ping 127.0.0.1
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: d32aecb6ee9e71a830217e2d43de8add
  SHA1: 0c107a3817467db1a4342e3a3d355c1e4242d1eb
  SHA256: a6adb5a771d03c7310ce965f2acfdcd73ae5ae15fac5b6f6256e869f83703e30
  SHA512: c5048d3bebeb443c8daea1c1740a92b8dcaeb0065df1d10468884a7b114156c911ca9d4d88630497785579fde9e1cfca6953d472dc86c87a688850300239c590
- memory/1204-55-0x0000000075831000-0x0000000075833000-memory.dmp
  Filesize: 8KB