Analysis
- max time kernel: 140s
- max time network: 168s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 11:41
Static task: static1
Behavioral task: behavioral1
- Sample: 03a5b72346e058ea5b72ac23d9c392138371282fd7d4250d685b4fd95ebea23f.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 03a5b72346e058ea5b72ac23d9c392138371282fd7d4250d685b4fd95ebea23f.exe
- Resource: win10v2004-en-20220113
General
- Target: 03a5b72346e058ea5b72ac23d9c392138371282fd7d4250d685b4fd95ebea23f.exe
- Size: 79KB
- MD5: 6296a5924edb705bde904f5a90ca1001
- SHA1: 8f3623805d7b283ca1fe2daf07564a35fb6cf4e4
- SHA256: 03a5b72346e058ea5b72ac23d9c392138371282fd7d4250d685b4fd95ebea23f
- SHA512: afe537f3a7fe6f3a98005d20150c1eae6833b5bd4b492e96315b66384b7e67fb885b2f30aae429f1b7a345a61a94f731c249244cefb22080b3fb56aefc2cf9ce
Malware Config
Signatures
- Sakula Payload (3 IoCs)
  Processes (resource | yara_rule):
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- Executes dropped EXE (1 IoCs)
  Processes (pid | process):
  1368 | MediaCenter.exe
- Deletes itself (1 IoCs)
  Processes (pid | process):
  1160 | cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid | process):
  1728 | 03a5b72346e058ea5b72ac23d9c392138371282fd7d4250d685b4fd95ebea23f.exe
  1728 | 03a5b72346e058ea5b72ac23d9c392138371282fd7d4250d685b4fd95ebea23f.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes (description | ioc | process):
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 03a5b72346e058ea5b72ac23d9c392138371282fd7d4250d685b4fd95ebea23f.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes (description | pid | process):
  Token: SeIncBasePriorityPrivilege | 1728 | 03a5b72346e058ea5b72ac23d9c392138371282fd7d4250d685b4fd95ebea23f.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description | pid | process | target process):
  PID 1728 wrote to memory of 1368 | 1728 | 03a5b72346e058ea5b72ac23d9c392138371282fd7d4250d685b4fd95ebea23f.exe | MediaCenter.exe (4 identical entries)
  PID 1728 wrote to memory of 1160 | 1728 | 03a5b72346e058ea5b72ac23d9c392138371282fd7d4250d685b4fd95ebea23f.exe | cmd.exe (4 identical entries)
  PID 1160 wrote to memory of 1248 | 1160 | cmd.exe | PING.EXE (4 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\03a5b72346e058ea5b72ac23d9c392138371282fd7d4250d685b4fd95ebea23f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\03a5b72346e058ea5b72ac23d9c392138371282fd7d4250d685b4fd95ebea23f.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1728
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1368
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\03a5b72346e058ea5b72ac23d9c392138371282fd7d4250d685b4fd95ebea23f.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1160
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1248
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: a69247d4e1bf70d6c34b71168660d138
  SHA1: 3a43635e4075b934985f28645da2d6c3c3f00c83
  SHA256: 9fe06263b1e8445a730feddeb0fe61c7be4dc70ea874c257eb65767ca5f1cd93
  SHA512: d6b860fb9522f1afcd27e3667fdb2c7b66ec15d229973d4053121f6a487e49f5c14591c75f297374f1575ff314e61330ce0b8f06afea0f48d5735c025b6103b2
- memory/1728-55-0x0000000076371000-0x0000000076373000-memory.dmp
  Filesize: 8KB