Analysis
- max time kernel: 126s
- max time network: 143s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64 arch:x86 image:win7-20220812-en locale:en-us os:windows7-x64 system
- submitted: 12-10-2022 16:32
Behavioral task behavioral1
- Sample: 7f2039c641810dc1bc2b9b2786759a2c382f0e0c34dc0b799d7167fde40cb566.exe
- Resource: win7-20220812-en
Behavioral task behavioral2
- Sample: 7f2039c641810dc1bc2b9b2786759a2c382f0e0c34dc0b799d7167fde40cb566.exe
- Resource: win10v2004-20220901-en
General
- Target: 7f2039c641810dc1bc2b9b2786759a2c382f0e0c34dc0b799d7167fde40cb566.exe
- Size: 88KB
- MD5: 72bec5d48d53b44c2fca686dd0ed2709
- SHA1: 54e7b076891ab25f59e4950dc7420fa1c8aae9f7
- SHA256: 7f2039c641810dc1bc2b9b2786759a2c382f0e0c34dc0b799d7167fde40cb566
- SHA512: 301bed29246734d7ee05b591d74c9e545dc3d2b592dbec0f1cb9c405264f6bb2a2722584e0b10aed58c63ef8b508340944d538bf11e657a7706573311a9e3f2e
- SSDEEP: 1536:Boaj1hJL1S9t0MIeboal8bCKxo7h0RP0jwHVz30rtroyPTEzS:y0hpgz6xGhTjwHN30BEybEO
Malware Config
Signatures
- Sakula payload (3 IoCs)
  resource | yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- Executes dropped EXE (1 IoC)
  pid | process
  1360 | MediaCenter.exe
- Deletes itself (1 IoC)
  pid | process
  592 | cmd.exe
- Loads dropped DLL (2 IoCs)
  pid | process
  1972 | 7f2039c641810dc1bc2b9b2786759a2c382f0e0c34dc0b799d7167fde40cb566.exe
  1972 | 7f2039c641810dc1bc2b9b2786759a2c382f0e0c34dc0b799d7167fde40cb566.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 7f2039c641810dc1bc2b9b2786759a2c382f0e0c34dc0b799d7167fde40cb566.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 1972 | 7f2039c641810dc1bc2b9b2786759a2c382f0e0c34dc0b799d7167fde40cb566.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  description | pid | process | target process
  PID 1972 wrote to memory of 1360 | 1972 | 7f2039c641810dc1bc2b9b2786759a2c382f0e0c34dc0b799d7167fde40cb566.exe | MediaCenter.exe
  PID 1972 wrote to memory of 1360 | 1972 | 7f2039c641810dc1bc2b9b2786759a2c382f0e0c34dc0b799d7167fde40cb566.exe | MediaCenter.exe
  PID 1972 wrote to memory of 1360 | 1972 | 7f2039c641810dc1bc2b9b2786759a2c382f0e0c34dc0b799d7167fde40cb566.exe | MediaCenter.exe
  PID 1972 wrote to memory of 1360 | 1972 | 7f2039c641810dc1bc2b9b2786759a2c382f0e0c34dc0b799d7167fde40cb566.exe | MediaCenter.exe
  PID 1972 wrote to memory of 592 | 1972 | 7f2039c641810dc1bc2b9b2786759a2c382f0e0c34dc0b799d7167fde40cb566.exe | cmd.exe
  PID 1972 wrote to memory of 592 | 1972 | 7f2039c641810dc1bc2b9b2786759a2c382f0e0c34dc0b799d7167fde40cb566.exe | cmd.exe
  PID 1972 wrote to memory of 592 | 1972 | 7f2039c641810dc1bc2b9b2786759a2c382f0e0c34dc0b799d7167fde40cb566.exe | cmd.exe
  PID 1972 wrote to memory of 592 | 1972 | 7f2039c641810dc1bc2b9b2786759a2c382f0e0c34dc0b799d7167fde40cb566.exe | cmd.exe
  PID 592 wrote to memory of 1664 | 592 | cmd.exe | PING.EXE
  PID 592 wrote to memory of 1664 | 592 | cmd.exe | PING.EXE
  PID 592 wrote to memory of 1664 | 592 | cmd.exe | PING.EXE
  PID 592 wrote to memory of 1664 | 592 | cmd.exe | PING.EXE
Processes
1. C:\Users\Admin\AppData\Local\Temp\7f2039c641810dc1bc2b9b2786759a2c382f0e0c34dc0b799d7167fde40cb566.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\7f2039c641810dc1bc2b9b2786759a2c382f0e0c34dc0b799d7167fde40cb566.exe"
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\7f2039c641810dc1bc2b9b2786759a2c382f0e0c34dc0b799d7167fde40cb566.exe"
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\PING.EXE
         Command line: ping 127.0.0.1
         - Runs ping.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  Filesize: 88KB
  MD5: 5c2025af2118c2c19c84d019156fad68
  SHA1: 5962557fcfb0c503fe7d9dc88c1272e72c64d72b
  SHA256: d7f1d6e34d831562dc8dd4b9235f83e2fe65e5354e4fce28cc5885454bd3f44e
  SHA512: 5347f50cb5faf87aa0534fef5088edcbc545a2a8f2ff1801eea00a5a9e32ee7f869f10845979ec23c4d8023697e39a752fb9b87dbbacc3b2551cea504f5775f5
- \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  Filesize: 88KB
  MD5: 5c2025af2118c2c19c84d019156fad68
  SHA1: 5962557fcfb0c503fe7d9dc88c1272e72c64d72b
  SHA256: d7f1d6e34d831562dc8dd4b9235f83e2fe65e5354e4fce28cc5885454bd3f44e
  SHA512: 5347f50cb5faf87aa0534fef5088edcbc545a2a8f2ff1801eea00a5a9e32ee7f869f10845979ec23c4d8023697e39a752fb9b87dbbacc3b2551cea504f5775f5
- memory/592-60-0x0000000000000000-mapping.dmp
- memory/1360-57-0x0000000000000000-mapping.dmp
- memory/1664-61-0x0000000000000000-mapping.dmp
- memory/1972-54-0x00000000751A1000-0x00000000751A3000-memory.dmp
  Filesize: 8KB