Analysis
- max time kernel: 140s
- max time network: 157s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 11:45
Static task: static1
Behavioral task: behavioral1
- Sample: 037e6921c18c00c14dfef26cdf5efe8530c799f8c2c7bf0afa3efa9f68e52c38.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 037e6921c18c00c14dfef26cdf5efe8530c799f8c2c7bf0afa3efa9f68e52c38.exe
- Resource: win10v2004-en-20220113
General
- Target: 037e6921c18c00c14dfef26cdf5efe8530c799f8c2c7bf0afa3efa9f68e52c38.exe
- Size: 150KB
- MD5: 10f3307e3157263657f9bb78a86ea735
- SHA1: a177ab7b478ecf582ddf4fed337a3f1ce1a6f1e4
- SHA256: 037e6921c18c00c14dfef26cdf5efe8530c799f8c2c7bf0afa3efa9f68e52c38
- SHA512: 37a8e51f248227c1eb491fc244483f5b277d1daa1a5b3dadf8a8d17d2811736d194ceebc05a660ffcdaa823ff6c62fe43ef53feabd773df74382a01469fdc5e8
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  Processes:
  resource | yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- Executes dropped EXE (1 IoCs)
  Processes:
  pid | process
  964 | MediaCenter.exe
- Deletes itself (1 IoCs)
  Processes:
  pid | process
  740 | cmd.exe
- Loads dropped DLL (1 IoCs)
  Processes:
  pid | process
  1536 | 037e6921c18c00c14dfef26cdf5efe8530c799f8c2c7bf0afa3efa9f68e52c38.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 037e6921c18c00c14dfef26cdf5efe8530c799f8c2c7bf0afa3efa9f68e52c38.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 1536 | 037e6921c18c00c14dfef26cdf5efe8530c799f8c2c7bf0afa3efa9f68e52c38.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
  description | pid | process | target process
  PID 1536 wrote to memory of 964 | 1536 | 037e6921c18c00c14dfef26cdf5efe8530c799f8c2c7bf0afa3efa9f68e52c38.exe | MediaCenter.exe
  PID 1536 wrote to memory of 964 | 1536 | 037e6921c18c00c14dfef26cdf5efe8530c799f8c2c7bf0afa3efa9f68e52c38.exe | MediaCenter.exe
  PID 1536 wrote to memory of 964 | 1536 | 037e6921c18c00c14dfef26cdf5efe8530c799f8c2c7bf0afa3efa9f68e52c38.exe | MediaCenter.exe
  PID 1536 wrote to memory of 964 | 1536 | 037e6921c18c00c14dfef26cdf5efe8530c799f8c2c7bf0afa3efa9f68e52c38.exe | MediaCenter.exe
  PID 1536 wrote to memory of 740 | 1536 | 037e6921c18c00c14dfef26cdf5efe8530c799f8c2c7bf0afa3efa9f68e52c38.exe | cmd.exe
  PID 1536 wrote to memory of 740 | 1536 | 037e6921c18c00c14dfef26cdf5efe8530c799f8c2c7bf0afa3efa9f68e52c38.exe | cmd.exe
  PID 1536 wrote to memory of 740 | 1536 | 037e6921c18c00c14dfef26cdf5efe8530c799f8c2c7bf0afa3efa9f68e52c38.exe | cmd.exe
  PID 1536 wrote to memory of 740 | 1536 | 037e6921c18c00c14dfef26cdf5efe8530c799f8c2c7bf0afa3efa9f68e52c38.exe | cmd.exe
  PID 740 wrote to memory of 960 | 740 | cmd.exe | PING.EXE
  PID 740 wrote to memory of 960 | 740 | cmd.exe | PING.EXE
  PID 740 wrote to memory of 960 | 740 | cmd.exe | PING.EXE
  PID 740 wrote to memory of 960 | 740 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\037e6921c18c00c14dfef26cdf5efe8530c799f8c2c7bf0afa3efa9f68e52c38.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\037e6921c18c00c14dfef26cdf5efe8530c799f8c2c7bf0afa3efa9f68e52c38.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1536
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 964
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\037e6921c18c00c14dfef26cdf5efe8530c799f8c2c7bf0afa3efa9f68e52c38.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 740
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 960
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 002ceb40bd4b0a2c0702edcdc4aeab64
  SHA1: 615e50d127c81906084f221f2f41ca2b3b1d94ca
  SHA256: 4ce7ae761561b45bce30847b1816df7b7a28c3638d27fdbd7aea2d503a56dbca
  SHA512: 20b77b3078868d7a1390921ec48adf7e9998c34d279f94854ef5413791cdc73d4d9f255d8a2948ec4f4d738c09d72e1f5c3c7d5f4523153eeab096ec7e4aaa63
- \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 002ceb40bd4b0a2c0702edcdc4aeab64
  SHA1: 615e50d127c81906084f221f2f41ca2b3b1d94ca
  SHA256: 4ce7ae761561b45bce30847b1816df7b7a28c3638d27fdbd7aea2d503a56dbca
  SHA512: 20b77b3078868d7a1390921ec48adf7e9998c34d279f94854ef5413791cdc73d4d9f255d8a2948ec4f4d738c09d72e1f5c3c7d5f4523153eeab096ec7e4aaa63
- memory/1536-54-0x0000000076C91000-0x0000000076C93000-memory.dmp
  Filesize: 8KB