Analysis
max time kernel: 156s
max time network: 187s
platform: windows7_x64
resource: win7-20220331-en
submitted: 27-03-2022 10:35
Static task: static1
Behavioral task: behavioral1
  Sample: a1fee89b08c2efed52dc1869e371d19c10813b9d64b9d48d53ab46475f08aa6e.exe
  Resource: win7-20220331-en
Behavioral task: behavioral2
  Sample: a1fee89b08c2efed52dc1869e371d19c10813b9d64b9d48d53ab46475f08aa6e.exe
  Resource: win10v2004-20220331-en
General
Target: a1fee89b08c2efed52dc1869e371d19c10813b9d64b9d48d53ab46475f08aa6e.exe
Size: 150KB
MD5: 0ba9883b897c6f4508594c9908c6810a
SHA1: 91fd59bbcff52bcf72034b11d9d982ccd2fc1bac
SHA256: a1fee89b08c2efed52dc1869e371d19c10813b9d64b9d48d53ab46475f08aa6e
SHA512: bfc4a41e1675dd6602db39fbadfe1d4db79e10ae0396e8caa034e596cdb422247254a5333fbef52a0611668e9dee2664f918a687910c54baf44cf8b737b8b1dd
Malware Config
Signatures
Sakula Payload (2 IoCs)
  resource                                                       yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe     family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe   family_sakula
Executes dropped EXE (1 IoC)
  pid    process
  1748   MediaCenter.exe
Deletes itself (1 IoC)
  pid    process
  1820   cmd.exe
Loads dropped DLL (1 IoC)
  pid    process
  2004   a1fee89b08c2efed52dc1869e371d19c10813b9d64b9d48d53ab46475f08aa6e.exe
Adds Run key to start application (2 TTPs, 1 IoC)
  description       ioc                                                                                                                                                                   process
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"   a1fee89b08c2efed52dc1869e371d19c10813b9d64b9d48d53ab46475f08aa6e.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Runs ping.exe (1 TTP, 1 IoC)
Suspicious use of AdjustPrivilegeToken (1 IoC)
  description                         pid    process
  Token: SeIncBasePriorityPrivilege   2004   a1fee89b08c2efed52dc1869e371d19c10813b9d64b9d48d53ab46475f08aa6e.exe
Suspicious use of WriteProcessMemory (12 IoCs)
  description                        pid    process                                                                   target process
  PID 2004 wrote to memory of 1748   2004   a1fee89b08c2efed52dc1869e371d19c10813b9d64b9d48d53ab46475f08aa6e.exe   MediaCenter.exe
  PID 2004 wrote to memory of 1748   2004   a1fee89b08c2efed52dc1869e371d19c10813b9d64b9d48d53ab46475f08aa6e.exe   MediaCenter.exe
  PID 2004 wrote to memory of 1748   2004   a1fee89b08c2efed52dc1869e371d19c10813b9d64b9d48d53ab46475f08aa6e.exe   MediaCenter.exe
  PID 2004 wrote to memory of 1748   2004   a1fee89b08c2efed52dc1869e371d19c10813b9d64b9d48d53ab46475f08aa6e.exe   MediaCenter.exe
  PID 2004 wrote to memory of 1820   2004   a1fee89b08c2efed52dc1869e371d19c10813b9d64b9d48d53ab46475f08aa6e.exe   cmd.exe
  PID 2004 wrote to memory of 1820   2004   a1fee89b08c2efed52dc1869e371d19c10813b9d64b9d48d53ab46475f08aa6e.exe   cmd.exe
  PID 2004 wrote to memory of 1820   2004   a1fee89b08c2efed52dc1869e371d19c10813b9d64b9d48d53ab46475f08aa6e.exe   cmd.exe
  PID 2004 wrote to memory of 1820   2004   a1fee89b08c2efed52dc1869e371d19c10813b9d64b9d48d53ab46475f08aa6e.exe   cmd.exe
  PID 1820 wrote to memory of 1644   1820   cmd.exe                                                                   PING.EXE
  PID 1820 wrote to memory of 1644   1820   cmd.exe                                                                   PING.EXE
  PID 1820 wrote to memory of 1644   1820   cmd.exe                                                                   PING.EXE
  PID 1820 wrote to memory of 1644   1820   cmd.exe                                                                   PING.EXE
Processes (indentation shows process-tree depth)
Depth 1: C:\Users\Admin\AppData\Local\Temp\a1fee89b08c2efed52dc1869e371d19c10813b9d64b9d48d53ab46475f08aa6e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a1fee89b08c2efed52dc1869e371d19c10813b9d64b9d48d53ab46475f08aa6e.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Depth 2: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  Depth 2: C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\a1fee89b08c2efed52dc1869e371d19c10813b9d64b9d48d53ab46475f08aa6e.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    Depth 3: C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
Network
MITRE ATT&CK Matrix: ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  Filesize: 150KB
  MD5: a99341a7ee9a2d27de5d19238e36500f
  SHA1: a9fda9f4702d27c92e54acb4c63023b620980eb7
  SHA256: 3f3adabb10ba5dad6a4b1469f01bd52c39411f7073056f839d8bce50c2c56c8c
  SHA512: 7b2e32a8640515f6dc0f83b85e843ab7b36833b76a02aad029d65b855ce74c1735cdc47e3496cfcd7194798176a564f897b3e957aed58db4b5d07894ebbf3d75
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  Filesize: 150KB
  MD5: a99341a7ee9a2d27de5d19238e36500f
  SHA1: a9fda9f4702d27c92e54acb4c63023b620980eb7
  SHA256: 3f3adabb10ba5dad6a4b1469f01bd52c39411f7073056f839d8bce50c2c56c8c
  SHA512: 7b2e32a8640515f6dc0f83b85e843ab7b36833b76a02aad029d65b855ce74c1735cdc47e3496cfcd7194798176a564f897b3e957aed58db4b5d07894ebbf3d75
memory/1644-60-0x0000000000000000-mapping.dmp
memory/1748-56-0x0000000000000000-mapping.dmp
memory/1820-59-0x0000000000000000-mapping.dmp
memory/2004-54-0x00000000755F1000-0x00000000755F3000-memory.dmp
  Filesize: 8KB