Analysis
max time kernel: 4294210s
max time network: 124s
platform: windows7_x64
resource: win7-20220223-en
submitted: 24-02-2022 11:08
Static task: static1
Behavioral task: behavioral1
  Sample: fb9634f7f285e1b11b44d55c58f0c2e8d14fa5ace58670d8c806b09d6570c629.exe
  Resource: win7-20220223-en
Behavioral task: behavioral2
  Sample: fb9634f7f285e1b11b44d55c58f0c2e8d14fa5ace58670d8c806b09d6570c629.exe
  Resource: win10-en-20211208
Behavioral task: behavioral3
  Sample: fb9634f7f285e1b11b44d55c58f0c2e8d14fa5ace58670d8c806b09d6570c629.exe
  Resource: win10v2004-en-20220113
General
Target: fb9634f7f285e1b11b44d55c58f0c2e8d14fa5ace58670d8c806b09d6570c629.exe
Size: 216KB
MD5: 052e970aff7e2e0e3209417a92f4e2c6
SHA1: 32c0cb93f35e65295a02d362c3bf4fd71fa9365c
SHA256: fb9634f7f285e1b11b44d55c58f0c2e8d14fa5ace58670d8c806b09d6570c629
SHA512: 38d19aea666d07db8c2f2925d3d7af99d03936cfda936fbc994d00ce66b27147647ca28bae684b99fdbbc7e424b34b13c5c5a6d4739d4a46934ae2ba744e8c8d
Malware Config
Signatures

Sakula Payload (4 IoCs)
  resource | yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  behavioral1/memory/956-58-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
  behavioral1/memory/1576-60-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula

Executes dropped EXE (1 IoC)
  pid | process
  1576 | MediaCenter.exe

Deletes itself (1 IoC)
  pid | process
  628 | cmd.exe

Loads dropped DLL (1 IoC)
  pid | process
  956 | fb9634f7f285e1b11b44d55c58f0c2e8d14fa5ace58670d8c806b09d6570c629.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | fb9634f7f285e1b11b44d55c58f0c2e8d14fa5ace58670d8c806b09d6570c629.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTP, 1 IoC)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 956 | fb9634f7f285e1b11b44d55c58f0c2e8d14fa5ace58670d8c806b09d6570c629.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  description | pid | process | target process
  PID 956 wrote to memory of 1576 | 956 | fb9634f7f285e1b11b44d55c58f0c2e8d14fa5ace58670d8c806b09d6570c629.exe | MediaCenter.exe (reported 4 times)
  PID 956 wrote to memory of 628 | 956 | fb9634f7f285e1b11b44d55c58f0c2e8d14fa5ace58670d8c806b09d6570c629.exe | cmd.exe (reported 4 times)
  PID 628 wrote to memory of 768 | 628 | cmd.exe | PING.EXE (reported 4 times)
Processes

[1] C:\Users\Admin\AppData\Local\Temp\fb9634f7f285e1b11b44d55c58f0c2e8d14fa5ace58670d8c806b09d6570c629.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\fb9634f7f285e1b11b44d55c58f0c2e8d14fa5ace58670d8c806b09d6570c629.exe"
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
        - Executes dropped EXE

    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\fb9634f7f285e1b11b44d55c58f0c2e8d14fa5ace58670d8c806b09d6570c629.exe"
        - Deletes itself
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\PING.EXE
            Command line: ping 127.0.0.1
            - Runs ping.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 18cafd7f58b62c84bad3725b359085d1
  SHA1: 4f88b68a1bf8275cf9f4b86bff1730582c061eed
  SHA256: 281e0025c72c26b6e1f1ae8009c5534dd86d0168d0b2f969a27133ca42cad193
  SHA512: 474ec0a809162c4b4ccabb44bd6a92d93e93d32a2690374ad591194c83c00a09fa33b096007e7adf33ed5c875e209ebe15c79acc474d4d5a39554ba26fc1b05a

\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 18cafd7f58b62c84bad3725b359085d1
  SHA1: 4f88b68a1bf8275cf9f4b86bff1730582c061eed
  SHA256: 281e0025c72c26b6e1f1ae8009c5534dd86d0168d0b2f969a27133ca42cad193
  SHA512: 474ec0a809162c4b4ccabb44bd6a92d93e93d32a2690374ad591194c83c00a09fa33b096007e7adf33ed5c875e209ebe15c79acc474d4d5a39554ba26fc1b05a

memory/956-54-0x0000000076891000-0x0000000076893000-memory.dmp
  Filesize: 8KB

memory/956-58-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB

memory/956-59-0x0000000000230000-0x0000000000250000-memory.dmp
  Filesize: 128KB

memory/1576-60-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB