Analysis
- max time kernel: 147s
- max time network: 155s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 20-06-2022 03:12

Tasks in this analysis (the platform and resource above match behavioral1, so the signatures and process tree below are from the Windows 7 x64 run):
- Static task: static1
- Behavioral task: behavioral1
  Sample: 333e9cd3de0e15700879a56cab8582edc58415a6b6e1d99fbeb25a4eb2035634.exe
  Resource: win7-20220414-en
- Behavioral task: behavioral2
  Sample: 333e9cd3de0e15700879a56cab8582edc58415a6b6e1d99fbeb25a4eb2035634.exe
  Resource: win10v2004-20220414-en
General
- Target: 333e9cd3de0e15700879a56cab8582edc58415a6b6e1d99fbeb25a4eb2035634.exe
- Size: 320KB
- MD5: a5dd0f6c8c2ea5f149ed3acc9007ac90
- SHA1: ed33315e87f92ac2bce194483c51caa877cb70d6
- SHA256: 333e9cd3de0e15700879a56cab8582edc58415a6b6e1d99fbeb25a4eb2035634
- SHA512: cef10548622a0a47e88fce859e4cd55e01c59d8c3ac490fe8eb59980615ad994f308d15235bfdd8a64af146bef06325cf7bb0128bc7d736e6efa2bdd92fbd879
Malware Config
Signatures
- Sakula Payload (3 IoCs)
  YARA rule family_sakula matched on the dropped file (one file, reported under two path forms):
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
- Executes dropped EXE (1 IoC)
  PID 972  MediaCenter.exe
- Deletes itself (1 IoC)
  PID 1168  cmd.exe
- Loads dropped DLL (2 IoCs)
  PID 1756  333e9cd3de0e15700879a56cab8582edc58415a6b6e1d99fbeb25a4eb2035634.exe (recorded twice; the DLL is not named in this report)
- Adds Run key to start application (2 TTPs, 1 IoC)
  PID 1756  333e9cd3de0e15700879a56cab8582edc58415a6b6e1d99fbeb25a4eb2035634.exe  Set value (str)
  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  The Wow6432Node path shows the sample is a 32-bit process: its write to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run was redirected by WOW64 registry redirection. Hunts for this persistence must query both the native and the Wow6432Node Run keys.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic signature text adds "Likely ransomware behaviour", but nothing else in this report (no file encryption, no ransom note, no mass file writes) supports that reading, and the YARA match is for Sakula, a remote-access trojan. Treat this as drive enumeration by a RAT, not as a ransomware indicator.
- Runs ping.exe (1 TTP, 1 IoC)
  PID 1344  PING.EXE  ping 127.0.0.1 (spawned by cmd.exe PID 1168; see the process tree)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  PID 1756  333e9cd3de0e15700879a56cab8582edc58415a6b6e1d99fbeb25a4eb2035634.exe  Token: SeIncBasePriorityPrivilege
- Suspicious use of WriteProcessMemory (12 IoCs)
  source PID  source process                                                          target PID  target process   count
  1756        333e9cd3de0e15700879a56cab8582edc58415a6b6e1d99fbeb25a4eb2035634.exe   972         MediaCenter.exe  4
  1756        333e9cd3de0e15700879a56cab8582edc58415a6b6e1d99fbeb25a4eb2035634.exe   1168        cmd.exe          4
  1168        cmd.exe                                                                 1344        PING.EXE         4
  Each pair is recorded four times. Every write goes from a parent to the child it has just created, which is consistent with ordinary process creation (the parent writes the child's startup parameters into its address space) rather than with code injection; on its own this signature is not evidence of injection.
Processes
1. PID 1756  C:\Users\Admin\AppData\Local\Temp\333e9cd3de0e15700879a56cab8582edc58415a6b6e1d99fbeb25a4eb2035634.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\333e9cd3de0e15700879a56cab8582edc58415a6b6e1d99fbeb25a4eb2035634.exe"
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. PID 972  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE
   2. PID 1168  C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\333e9cd3de0e15700879a56cab8582edc58415a6b6e1d99fbeb25a4eb2035634.exe"
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      3. PID 1344  C:\Windows\SysWOW64\PING.EXE
         command line: ping 127.0.0.1
         - Runs ping.exe

Two details of the tree matter for detection. The command line names System32\cmd.exe but the image that runs is SysWOW64\cmd.exe: the 32-bit sample is subject to WOW64 file-system redirection, the same reason its Run key landed under Wow6432Node. And the "ping 127.0.0.1 & del /q <own path>" chain is the classic self-deletion idiom: the ping call only exists to delay the del until the parent process has exited and released its image file, so a detection should key on a cmd.exe child whose del target equals the parent's own image path, not on ping.exe alone.
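The following is an added example, not part of the sandbox report and not code from the sample's authors or the sandbox vendor. It implements the two detections the signatures and process tree above call for: a cmd.exe child that deletes its parent's own image via the "ping 127.0.0.1 & del" idiom, and a Run-key value (native or Wow6432Node) whose data points into a user Temp directory. The events, their field names (id/pid/ppid/image/cmdline/target/details, loosely Sysmon event 1 and event 13 shaped) and the benign control entry are constructed for the example and modelled on the tree above; the "Temp directory" heuristic is this example's assumption, not a signature from the report.

```python
"""Detect 'ping & del' self-deletion and Run-key persistence into %TEMP%.

EVENTS below are CONSTRUCTED to mirror the report's process tree in a
Sysmon-like shape (id 1 = process create, id 13 = registry value set).
They are not sandbox output; the field names are this example's own.
"""
import re

# "ping 127.0.0.1 & del /q <path>", optionally "ping -n N 127.0.0.1 > nul & del ..."
SELF_DELETE_RE = re.compile(
    r'ping\s+(?:-n\s+\d+\s+)?127\.0\.0\.1.*?&\s*del\s+(?:/[a-z]\s+)*"?([^"&]+?)"?\s*$',
    re.IGNORECASE,
)
# Matches both HKLM\SOFTWARE\...\Run\X and HKLM\SOFTWARE\Wow6432Node\...\Run\X
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run\\([^\\]+)$", re.IGNORECASE)
# Assumption for this example: a Run value pointing into a user Temp folder is worth flagging.
USER_TEMP_RE = re.compile(r"\\appdata\\local\\temp\\", re.IGNORECASE)

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\333e9cd3de0e15700879a56cab8582edc58415a6b6e1d99fbeb25a4eb2035634.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

EVENTS = [  # constructed sample input, modelled on the report
    {"id": 1, "pid": 1756, "ppid": 1300, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"id": 13, "pid": 1756, "image": SAMPLE,
     "target": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "details": DROPPED},
    {"id": 1, "pid": 972, "ppid": 1756, "image": DROPPED, "cmdline": DROPPED},
    {"id": 1, "pid": 1168, "ppid": 1756, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"'},
    {"id": 1, "pid": 1344, "ppid": 1168, "image": r"C:\Windows\SysWOW64\PING.EXE",
     "cmdline": "ping 127.0.0.1"},
    # benign control (constructed): an installer deleting a log file, not its own image
    {"id": 1, "pid": 2000, "ppid": 1300, "image": r"C:\Program Files\Setup\setup.exe",
     "cmdline": "setup.exe"},
    {"id": 1, "pid": 2001, "ppid": 2000, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c ping -n 2 127.0.0.1 > nul & del /q "C:\Users\Admin\AppData\Local\Temp\setup.log"'},
]


def norm(path):
    """Normalise a Windows path for comparison: strip quotes and case."""
    return path.strip().strip('"').lower()


def parse_self_delete(cmdline):
    """Return the path deleted by a 'ping ... & del ...' command line, or None."""
    m = SELF_DELETE_RE.search(cmdline)
    return m.group(1).strip() if m else None


def find_self_deletion(events):
    """Flag parents whose cmd.exe child deletes the parent's own image file."""
    procs = {e["pid"]: e for e in events if e["id"] == 1}
    hits = []
    for e in procs.values():
        if not e["image"].lower().endswith("\\cmd.exe"):
            continue
        target = parse_self_delete(e["cmdline"])
        parent = procs.get(e.get("ppid"))
        if target and parent and norm(target) == norm(parent["image"]):
            hits.append({"pid": parent["pid"], "image": parent["image"], "via": e["pid"]})
    return hits


def find_run_key_persistence(events):
    """Flag Run-key values (native or Wow6432Node) whose data points into a user Temp dir."""
    hits = []
    for e in events:
        if e["id"] != 13:
            continue
        m = RUN_KEY_RE.search(e["target"])
        if m and USER_TEMP_RE.search(e["details"]):
            hits.append({
                "pid": e["pid"],
                "value_name": m.group(1),
                "path": e["details"],
                # Wow6432Node in the key path means the writer was a 32-bit process
                "wow64": "\\wow6432node\\" in e["target"].lower(),
            })
    return hits


if __name__ == "__main__":
    for hit in find_self_deletion(EVENTS) + find_run_key_persistence(EVENTS):
        print(hit)
```

Run against the constructed events, the self-deletion check flags only PID 1756 (the benign installer's cmd.exe deletes a log file, not its parent's image, and so is ignored), and the persistence check flags the MicroMedia value with wow64 set, which is the cue to query both Run keys on the host.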
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  (the report lists this file three times, once with the C: prefix and twice as \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe; the hashes are identical, so it is one dropped file)
  Filesize: 320KB
  MD5: 69f69e574bafab12b2025cbd539c93a7
  SHA1: b85c384dd9796f31a2c3ec1895d47be22f172e50
  SHA256: fd50af603044fb68a52359ce538052c300b912693556b181274b6df313788483
  SHA512: 7eea31580403e8251d51cdcb09172a5950ce14a4594c533fedcef5f245b31f08568e030d60b0ebe52d94fb651863d1e4d98bf95787aa32fc3ba8c49fc825c23e
  Note that the dropped MediaCenter.exe has the same reported size as the submitted sample (320KB) but different hashes, so it is not a byte-identical copy of the sample; both hash sets are needed as IoCs.
- memory/972-57-0x0000000000000000-mapping.dmp
- memory/1168-60-0x0000000000000000-mapping.dmp
- memory/1344-61-0x0000000000000000-mapping.dmp
- memory/1756-54-0x00000000753B1000-0x00000000753B3000-memory.dmp
  Filesize: 8KB