Analysis
max time kernel: 4294206s
max time network: 124s
platform: windows7_x64
resource: win7-20220223-en
submitted: 24-02-2022 11:09

Static task: static1

Behavioral task: behavioral1
  Sample: 932249c923c8f7977c12785238e68d4b2030471fc9edbda0ec326ced3bab755f.exe
  Resource: win7-20220223-en

Behavioral task: behavioral2
  Sample: 932249c923c8f7977c12785238e68d4b2030471fc9edbda0ec326ced3bab755f.exe
  Resource: win10-20220223-en

Behavioral task: behavioral3
  Sample: 932249c923c8f7977c12785238e68d4b2030471fc9edbda0ec326ced3bab755f.exe
  Resource: win10v2004-en-20220112

General
Target: 932249c923c8f7977c12785238e68d4b2030471fc9edbda0ec326ced3bab755f.exe
Size: 3.6MB
MD5: 4e7155bd7afbb888e41128b78413855b
SHA1: 8387ad1ee24852185eb9dd265987ae39fa0254d0
SHA256: 932249c923c8f7977c12785238e68d4b2030471fc9edbda0ec326ced3bab755f
SHA512: 5ea1e3074525018d672ef91a39cdcf949c5a54dd1957a7aca0a7f547418640e93cb4628345fd4cbc373943fc3c708d91c8943f3c505271059c69de80fe6a6a8c
Malware Config

Signatures

Sakula Payload (2 IoCs)
Processes:
  resource                                                      yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe    family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  family_sakula

Executes dropped EXE (1 IoC)
Processes: MediaCenter.exe
  pid   process
  2024  MediaCenter.exe

Deletes itself (1 IoC)
Processes: cmd.exe
  pid   process
  1216  cmd.exe

Loads dropped DLL (1 IoC)
Processes: 932249c923c8f7977c12785238e68d4b2030471fc9edbda0ec326ced3bab755f.exe
  pid   process
  1808  932249c923c8f7977c12785238e68d4b2030471fc9edbda0ec326ced3bab755f.exe

Adds Run key to start application (2 TTPs, 1 IoC)
Processes: 932249c923c8f7977c12785238e68d4b2030471fc9edbda0ec326ced3bab755f.exe
  description      ioc                                                                                                                                                                                process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  932249c923c8f7977c12785238e68d4b2030471fc9edbda0ec326ced3bab755f.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTP, 1 IoC)

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes: 932249c923c8f7977c12785238e68d4b2030471fc9edbda0ec326ced3bab755f.exe
  description                          pid   process
  Token: SeIncBasePriorityPrivilege    1808  932249c923c8f7977c12785238e68d4b2030471fc9edbda0ec326ced3bab755f.exe

Suspicious use of WriteProcessMemory (12 IoCs)
Processes: 932249c923c8f7977c12785238e68d4b2030471fc9edbda0ec326ced3bab755f.exe, cmd.exe
  description                      pid   process                                                                 target process
  PID 1808 wrote to memory of 2024 1808  932249c923c8f7977c12785238e68d4b2030471fc9edbda0ec326ced3bab755f.exe  MediaCenter.exe
  PID 1808 wrote to memory of 2024 1808  932249c923c8f7977c12785238e68d4b2030471fc9edbda0ec326ced3bab755f.exe  MediaCenter.exe
  PID 1808 wrote to memory of 2024 1808  932249c923c8f7977c12785238e68d4b2030471fc9edbda0ec326ced3bab755f.exe  MediaCenter.exe
  PID 1808 wrote to memory of 2024 1808  932249c923c8f7977c12785238e68d4b2030471fc9edbda0ec326ced3bab755f.exe  MediaCenter.exe
  PID 1808 wrote to memory of 1216 1808  932249c923c8f7977c12785238e68d4b2030471fc9edbda0ec326ced3bab755f.exe  cmd.exe
  PID 1808 wrote to memory of 1216 1808  932249c923c8f7977c12785238e68d4b2030471fc9edbda0ec326ced3bab755f.exe  cmd.exe
  PID 1808 wrote to memory of 1216 1808  932249c923c8f7977c12785238e68d4b2030471fc9edbda0ec326ced3bab755f.exe  cmd.exe
  PID 1808 wrote to memory of 1216 1808  932249c923c8f7977c12785238e68d4b2030471fc9edbda0ec326ced3bab755f.exe  cmd.exe
  PID 1216 wrote to memory of 696  1216  cmd.exe                                                                 PING.EXE
  PID 1216 wrote to memory of 696  1216  cmd.exe                                                                 PING.EXE
  PID 1216 wrote to memory of 696  1216  cmd.exe                                                                 PING.EXE
  PID 1216 wrote to memory of 696  1216  cmd.exe                                                                 PING.EXE
Processes

1. C:\Users\Admin\AppData\Local\Temp\932249c923c8f7977c12785238e68d4b2030471fc9edbda0ec326ced3bab755f.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\932249c923c8f7977c12785238e68d4b2030471fc9edbda0ec326ced3bab755f.exe"
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\932249c923c8f7977c12785238e68d4b2030471fc9edbda0ec326ced3bab755f.exe"
      - Deletes itself
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\PING.EXE
         Command line: ping 127.0.0.1
         - Runs ping.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 98da0e8ab25903c5ae4ddffbfb3b6c79
  SHA1: 583cc6900179de0b282c0c10d28d617c56b2920c
  SHA256: 6f2babb486fd8f38733e33d4070dd3435c6f7ab9d953d784d8f456fabb1bf5c7
  SHA512: 2e20b708b38055b8f58d794cb5731fcb35b542a83cbdd5887e9ea8397646dd24bb609db81af1ac29776485e198950627ea2bc06c9770f5586714469cfd9a79a8

\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 98da0e8ab25903c5ae4ddffbfb3b6c79
  SHA1: 583cc6900179de0b282c0c10d28d617c56b2920c
  SHA256: 6f2babb486fd8f38733e33d4070dd3435c6f7ab9d953d784d8f456fabb1bf5c7
  SHA512: 2e20b708b38055b8f58d794cb5731fcb35b542a83cbdd5887e9ea8397646dd24bb609db81af1ac29776485e198950627ea2bc06c9770f5586714469cfd9a79a8

memory/1808-54-0x0000000075751000-0x0000000075753000-memory.dmp
  Filesize: 8KB