Analysis
- max time kernel: 4294196s
- max time network: 153s
- platform: windows7_x64
- resource: win7-20220310-en
- submitted: 23-03-2022 09:33
Static task: static1
Behavioral task: behavioral1
- Sample: 9e975ba0e67a3a13556a92152af9d9d7b1443aebde4332c54b63bb8e05ae3a0e.exe
- Resource: win7-20220310-en
Behavioral task: behavioral2
- Sample: 9e975ba0e67a3a13556a92152af9d9d7b1443aebde4332c54b63bb8e05ae3a0e.exe
- Resource: win10v2004-20220310-en
General
- Target: 9e975ba0e67a3a13556a92152af9d9d7b1443aebde4332c54b63bb8e05ae3a0e.exe
- Size: 104KB
- MD5: 49462ddd5d404f016ff2f73e163ac899
- SHA1: c1b974717bcab23cbc45ede0dca54ba2022afa00
- SHA256: 9e975ba0e67a3a13556a92152af9d9d7b1443aebde4332c54b63bb8e05ae3a0e
- SHA512: 357a65dfbc834c6ef24bf6625573652b7496cdb7779086727401297b481f18a33f27efa6b76ecbe1cb5cca3e536fae847501c85eb50d208a52faf10574ddc071
Malware Config
Signatures
- Sakula Payload (3 IoCs)
  Processes (resource | yara_rule):
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- Executes dropped EXE (1 IoCs)
  Processes (pid | process):
  1960 | MediaCenter.exe
- Deletes itself (1 IoCs)
  Processes (pid | process):
  1548 | cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid | process):
  856 | 9e975ba0e67a3a13556a92152af9d9d7b1443aebde4332c54b63bb8e05ae3a0e.exe
  856 | 9e975ba0e67a3a13556a92152af9d9d7b1443aebde4332c54b63bb8e05ae3a0e.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes (description | ioc | process):
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 9e975ba0e67a3a13556a92152af9d9d7b1443aebde4332c54b63bb8e05ae3a0e.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes (description | pid | process):
  Token: SeIncBasePriorityPrivilege | 856 | 9e975ba0e67a3a13556a92152af9d9d7b1443aebde4332c54b63bb8e05ae3a0e.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description | pid | process | target process):
  PID 856 wrote to memory of 1960 | 856 | 9e975ba0e67a3a13556a92152af9d9d7b1443aebde4332c54b63bb8e05ae3a0e.exe | MediaCenter.exe
  PID 856 wrote to memory of 1960 | 856 | 9e975ba0e67a3a13556a92152af9d9d7b1443aebde4332c54b63bb8e05ae3a0e.exe | MediaCenter.exe
  PID 856 wrote to memory of 1960 | 856 | 9e975ba0e67a3a13556a92152af9d9d7b1443aebde4332c54b63bb8e05ae3a0e.exe | MediaCenter.exe
  PID 856 wrote to memory of 1960 | 856 | 9e975ba0e67a3a13556a92152af9d9d7b1443aebde4332c54b63bb8e05ae3a0e.exe | MediaCenter.exe
  PID 856 wrote to memory of 1548 | 856 | 9e975ba0e67a3a13556a92152af9d9d7b1443aebde4332c54b63bb8e05ae3a0e.exe | cmd.exe
  PID 856 wrote to memory of 1548 | 856 | 9e975ba0e67a3a13556a92152af9d9d7b1443aebde4332c54b63bb8e05ae3a0e.exe | cmd.exe
  PID 856 wrote to memory of 1548 | 856 | 9e975ba0e67a3a13556a92152af9d9d7b1443aebde4332c54b63bb8e05ae3a0e.exe | cmd.exe
  PID 856 wrote to memory of 1548 | 856 | 9e975ba0e67a3a13556a92152af9d9d7b1443aebde4332c54b63bb8e05ae3a0e.exe | cmd.exe
  PID 1548 wrote to memory of 556 | 1548 | cmd.exe | PING.EXE
  PID 1548 wrote to memory of 556 | 1548 | cmd.exe | PING.EXE
  PID 1548 wrote to memory of 556 | 1548 | cmd.exe | PING.EXE
  PID 1548 wrote to memory of 556 | 1548 | cmd.exe | PING.EXE
Processes
1. C:\Users\Admin\AppData\Local\Temp\9e975ba0e67a3a13556a92152af9d9d7b1443aebde4332c54b63bb8e05ae3a0e.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\9e975ba0e67a3a13556a92152af9d9d7b1443aebde4332c54b63bb8e05ae3a0e.exe"
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\9e975ba0e67a3a13556a92152af9d9d7b1443aebde4332c54b63bb8e05ae3a0e.exe"
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\PING.EXE
         Command line: ping 127.0.0.1
         - Runs ping.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 56d8cbefa3586bf8475a689dd4b1cd0f
  SHA1: 303d63e77cc792cf602f21f403e97823bbc7669d
  SHA256: 7372099220b2d6e9b6735fbfe14a03716616dd5c76111e3762bcbf9713104569
  SHA512: 367d543c43165471e18a3afde4b1e4d69867f548e83fe795271995379e147a587ee11d7f4002dcfb8f6299f9d305e89b21ee37fe0be50a31f8893982316472a5
- \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 56d8cbefa3586bf8475a689dd4b1cd0f
  SHA1: 303d63e77cc792cf602f21f403e97823bbc7669d
  SHA256: 7372099220b2d6e9b6735fbfe14a03716616dd5c76111e3762bcbf9713104569
  SHA512: 367d543c43165471e18a3afde4b1e4d69867f548e83fe795271995379e147a587ee11d7f4002dcfb8f6299f9d305e89b21ee37fe0be50a31f8893982316472a5
- memory/556-61-0x0000000000000000-mapping.dmp
- memory/856-54-0x0000000075CA1000-0x0000000075CA3000-memory.dmp (Filesize: 8KB)
- memory/1548-60-0x0000000000000000-mapping.dmp
- memory/1960-57-0x0000000000000000-mapping.dmp