Analysis
max time kernel: 4294182s
max time network: 125s
platform: windows7_x64
resource: win7-20220223-en
submitted: 24-02-2022 11:09
Static task: static1
Behavioral task: behavioral1
  Sample: 995e26d3c24d06f40dd6771fa55d0127639a50e59249c593cb21ee3ea9401cfa.exe
  Resource: win7-20220223-en
Behavioral task: behavioral2
  Sample: 995e26d3c24d06f40dd6771fa55d0127639a50e59249c593cb21ee3ea9401cfa.exe
  Resource: win10-en-20211208
Behavioral task: behavioral3
  Sample: 995e26d3c24d06f40dd6771fa55d0127639a50e59249c593cb21ee3ea9401cfa.exe
  Resource: win10v2004-en-20220113
General
Target: 995e26d3c24d06f40dd6771fa55d0127639a50e59249c593cb21ee3ea9401cfa.exe
Size: 4.5MB
MD5: ccdb023db49ef98e92bc4e52fd5d7bec
SHA1: 704fe7f943331a69984527e50d3ab1823e111f4b
SHA256: 995e26d3c24d06f40dd6771fa55d0127639a50e59249c593cb21ee3ea9401cfa
SHA512: 4ce111297c6cdff1377d6eaa9069318ffd7845a4e91ec9bb01488cdef70c5ef292dcb7bb40fff76ff081eaff87e32632bdd4227f0f7c853857da0de4b52e1d29
Malware Config
Signatures
Sakula Payload (3 IoCs)
  resource | yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
Executes dropped EXE (1 IoCs)
  pid | process
  1528 | MediaCenter.exe
Deletes itself (1 IoCs)
  pid | process
  2004 | cmd.exe
Loads dropped DLL (2 IoCs)
  pid | process
  1692 | 995e26d3c24d06f40dd6771fa55d0127639a50e59249c593cb21ee3ea9401cfa.exe
  1692 | 995e26d3c24d06f40dd6771fa55d0127639a50e59249c593cb21ee3ea9401cfa.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 995e26d3c24d06f40dd6771fa55d0127639a50e59249c593cb21ee3ea9401cfa.exe
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Runs ping.exe (1 TTPs, 1 IoCs)
Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 1692 | 995e26d3c24d06f40dd6771fa55d0127639a50e59249c593cb21ee3ea9401cfa.exe
Suspicious use of WriteProcessMemory (12 IoCs)
  description | pid | process | target process
  PID 1692 wrote to memory of 1528 | 1692 | 995e26d3c24d06f40dd6771fa55d0127639a50e59249c593cb21ee3ea9401cfa.exe | MediaCenter.exe
  PID 1692 wrote to memory of 1528 | 1692 | 995e26d3c24d06f40dd6771fa55d0127639a50e59249c593cb21ee3ea9401cfa.exe | MediaCenter.exe
  PID 1692 wrote to memory of 1528 | 1692 | 995e26d3c24d06f40dd6771fa55d0127639a50e59249c593cb21ee3ea9401cfa.exe | MediaCenter.exe
  PID 1692 wrote to memory of 1528 | 1692 | 995e26d3c24d06f40dd6771fa55d0127639a50e59249c593cb21ee3ea9401cfa.exe | MediaCenter.exe
  PID 1692 wrote to memory of 2004 | 1692 | 995e26d3c24d06f40dd6771fa55d0127639a50e59249c593cb21ee3ea9401cfa.exe | cmd.exe
  PID 1692 wrote to memory of 2004 | 1692 | 995e26d3c24d06f40dd6771fa55d0127639a50e59249c593cb21ee3ea9401cfa.exe | cmd.exe
  PID 1692 wrote to memory of 2004 | 1692 | 995e26d3c24d06f40dd6771fa55d0127639a50e59249c593cb21ee3ea9401cfa.exe | cmd.exe
  PID 1692 wrote to memory of 2004 | 1692 | 995e26d3c24d06f40dd6771fa55d0127639a50e59249c593cb21ee3ea9401cfa.exe | cmd.exe
  PID 2004 wrote to memory of 1280 | 2004 | cmd.exe | PING.EXE
  PID 2004 wrote to memory of 1280 | 2004 | cmd.exe | PING.EXE
  PID 2004 wrote to memory of 1280 | 2004 | cmd.exe | PING.EXE
  PID 2004 wrote to memory of 1280 | 2004 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\995e26d3c24d06f40dd6771fa55d0127639a50e59249c593cb21ee3ea9401cfa.exe (level 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\995e26d3c24d06f40dd6771fa55d0127639a50e59249c593cb21ee3ea9401cfa.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (level 2)
    command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (level 2)
    command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\995e26d3c24d06f40dd6771fa55d0127639a50e59249c593cb21ee3ea9401cfa.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (level 3)
      command line: ping 127.0.0.1
      - Runs ping.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: d47d2dbf6dac4a6e63177740c1997b9e
  SHA1: d6fdec33c9cc89892c9cc16217471d48a48cb132
  SHA256: 99412832c2597154e7d28d2e71839322d83c400ab4929be2f62284a1860f6e6e
  SHA512: 59528be3bbe877ea67d57567553f0a7b8e769738af4fb4a9ec6b329339e90283a611cec473236de937552570e4a25d8425e090a86f5dd7101276b67b84826fab
- \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: d47d2dbf6dac4a6e63177740c1997b9e
  SHA1: d6fdec33c9cc89892c9cc16217471d48a48cb132
  SHA256: 99412832c2597154e7d28d2e71839322d83c400ab4929be2f62284a1860f6e6e
  SHA512: 59528be3bbe877ea67d57567553f0a7b8e769738af4fb4a9ec6b329339e90283a611cec473236de937552570e4a25d8425e090a86f5dd7101276b67b84826fab
- memory/1692-54-0x0000000076731000-0x0000000076733000-memory.dmp
  Filesize: 8KB