Analysis
max time kernel: 123s
max time network: 138s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64 arch:x86 image:win7-20220812-en locale:en-us os:windows7-x64 system
submitted: 12-10-2022 16:33

Behavioral tasks
behavioral1: sample 82334fde2fa92edf636d8885d542627f98aa326cf50df9b0f124229d8d857b11.exe, resource win7-20220812-en
behavioral2: sample 82334fde2fa92edf636d8885d542627f98aa326cf50df9b0f124229d8d857b11.exe, resource win10v2004-20220901-en
The platform and resource fields above identify the results on this page as the behavioral1 (Windows 7 x64) run.
General
Target: 82334fde2fa92edf636d8885d542627f98aa326cf50df9b0f124229d8d857b11.exe
Size: 89KB
MD5: 3cae1b420842e5bc4098dffac0dd44fa
SHA1: 321be89ffb70aa7c4cccfdb80df413b1c76c2230
SHA256: 82334fde2fa92edf636d8885d542627f98aa326cf50df9b0f124229d8d857b11
SHA512: 838f25841dc233671dd007b94c871ef0bb42b6efff66ecf4a079e9cd406ecbc228fe4050702f14224d4d46e50905f6fab9a6e02f35c7904bc8f74563c8e2d1c8
SSDEEP: 1536:voaj1hJL1S9t0MIeboal8bCKxo7h0RP0jwHVz30rtroWuxzug:Q0hpgz6xGhTjwHN30BE3D
Malware Config
Signatures
-
Sakula payload (3 IoCs)
YARA rule family_sakula matched on the dropped file (recorded under three path spellings):
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
-
Executes dropped EXE (1 IoC)
  PID 1384  MediaCenter.exe
-
Deletes itself (1 IoC)
  PID 1336  cmd.exe
-
Loads dropped DLL (2 IoCs)
  PID 1248  82334fde2fa92edf636d8885d542627f98aa326cf50df9b0f124229d8d857b11.exe
  PID 1248  82334fde2fa92edf636d8885d542627f98aa326cf50df9b0f124229d8d857b11.exe
-
Adds Run key to start application (2 TTPs, 1 IoC)
  Process: 82334fde2fa92edf636d8885d542627f98aa326cf50df9b0f124229d8d857b11.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  The value lands under Wow6432Node because the sample runs as a 32-bit process on x64 Windows and its HKLM\SOFTWARE writes are redirected; when hunting for this persistence, query both the native HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and the Wow6432Node view.
-
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox attaches the note "likely ransomware behaviour" to this heuristic; nothing else in this report (no file encryption, no ransom note) supports that reading here, and the YARA match classifies the payload as Sakula.
-
Runs ping.exe (1 TTP, 1 IoC)
-
Suspicious use of AdjustPrivilegeToken (1 IoC)
  PID 1248  82334fde2fa92edf636d8885d542627f98aa326cf50df9b0f124229d8d857b11.exe  Token: SeIncBasePriorityPrivilege
-
Suspicious use of WriteProcessMemory (12 IoCs)
  Source PID  Source process                                                            Target PID  Target process
  1248        82334fde2fa92edf636d8885d542627f98aa326cf50df9b0f124229d8d857b11.exe     1384        MediaCenter.exe  (4 writes)
  1248        82334fde2fa92edf636d8885d542627f98aa326cf50df9b0f124229d8d857b11.exe     1336        cmd.exe          (4 writes)
  1336        cmd.exe                                                                   776         PING.EXE         (4 writes)
  Every write here is a parent writing into a child it has just created; no writes into unrelated processes appear in this run.
Processes
-
C:\Users\Admin\AppData\Local\Temp\82334fde2fa92edf636d8885d542627f98aa326cf50df9b0f124229d8d857b11.exe (PID 1248)
  Command line: "C:\Users\Admin\AppData\Local\Temp\82334fde2fa92edf636d8885d542627f98aa326cf50df9b0f124229d8d857b11.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  -
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 1384, child of PID 1248)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  -
  C:\Windows\SysWOW64\cmd.exe (PID 1336, child of PID 1248)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\82334fde2fa92edf636d8885d542627f98aa326cf50df9b0f124229d8d857b11.exe"
    The command line names System32 but the image that ran is in SysWOW64: WOW64 file-system redirection for a 32-bit parent. The ping is a delay so that the parent has exited before del removes its image.
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    -
    C:\Windows\SysWOW64\PING.EXE (PID 776, child of PID 1336)
      Command line: ping 127.0.0.1
      - Runs ping.exe
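The process tree above and the Run key IoC in the Signatures section describe two behaviours a detection engineer would want to catch independently of this sample's hashes: a parent spawning cmd.exe with a "ping ... & del" chain that deletes the parent's own image, and a Run key whose data points at an executable under the user's Temp directory. The block below is an added example, not part of the sandbox report or of the Sakula sample. It runs detection logic over constructed Sysmon-style events whose PIDs, paths and command lines are copied from this report; the event dictionary shape (type/pid/ppid/image/cmdline and type/pid/key/data), the helper names, and the placeholder parent PID 500 for the launcher are assumptions.

```python
"""Detection logic for the behaviours in this report, run over constructed
Sysmon-style events. Added example; the event shape is an assumption, not a
sandbox or Sysmon export format."""
import re
from dataclasses import dataclass, field

# Paths taken from the report above.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\82334fde2fa92edf636d8885d542627f98aa326cf50df9b0f124229d8d857b11.exe")
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
RUN_KEY = (r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows"
           r"\CurrentVersion\Run\MicroMedia")

# Constructed events mirroring the report's process tree and registry IoC.
# ppid 500 for the first process is a placeholder for whatever launched it.
EVENTS = [
    {"type": "process", "pid": 1248, "ppid": 500, "image": SAMPLE,
     "cmdline": f'"{SAMPLE}"'},
    {"type": "registry", "pid": 1248, "key": RUN_KEY, "data": DROPPED},
    {"type": "process", "pid": 1384, "ppid": 1248, "image": DROPPED,
     "cmdline": DROPPED},
    {"type": "process", "pid": 1336, "ppid": 1248,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"'},
    {"type": "process", "pid": 776, "ppid": 1336,
     "image": r"C:\Windows\SysWOW64\PING.EXE", "cmdline": "ping 127.0.0.1"},
]

# Run / RunOnce keys in the native (\REGISTRY\MACHINE) or HKLM spelling,
# with or without the Wow6432Node redirection seen in this report.
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.I)
# Executables under a per-user %LOCALAPPDATA%\Temp directory.
USER_TEMP_RE = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.I)
# "ping <anything> & del [/switches] <target>", optionally quoted, with an
# optional trailing "> nul". The ping acts as a sleep before the delete.
SELF_DELETE_RE = re.compile(
    r'\bping\b[^&]*&\s*del\b(?:\s+/\w+)*\s+"?(?P<target>[^"&]+?)"?(?:\s*>\s*nul)?\s*$',
    re.I)


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str
    children: list = field(default_factory=list)


def build_tree(events):
    """Index process events by PID and link each process to its children."""
    procs = {e["pid"]: Proc(e["pid"], e["ppid"], e["image"], e["cmdline"])
             for e in events if e["type"] == "process"}
    for p in procs.values():
        if p.ppid in procs:
            procs[p.ppid].children.append(p)
    return procs


def detect(events):
    """Return (finding, pid, detail) tuples for the behaviours in the report."""
    procs = build_tree(events)
    findings = []
    for p in procs.values():
        if USER_TEMP_RE.match(p.image):
            findings.append(("exec_from_user_temp", p.pid, p.image))
        for child in p.children:
            m = SELF_DELETE_RE.search(child.cmdline)
            if m and child.image.lower().endswith("\\cmd.exe"):
                target = m.group("target")
                # Distinctive case: cmd deletes the image of the process that
                # spawned it, i.e. the parent is erasing its own dropper.
                kind = ("self_delete" if target.lower() == p.image.lower()
                        else "delayed_delete")
                findings.append((kind, child.pid, target))
    for e in events:
        if e["type"] == "registry" and RUN_KEY_RE.search(e["key"]):
            data = e["data"].strip('"')
            kind = ("run_key_to_user_temp" if USER_TEMP_RE.match(data)
                    else "run_key")
            findings.append((kind, e["pid"], data))
    return findings


if __name__ == "__main__":
    for kind, pid, detail in detect(EVENTS):
        print(f"{kind:22} pid={pid:<5} {detail}")
```

On the constructed events the run reports both Temp executables, the self-delete by PID 1336 against the PID 1248 image, and the Run key pointing into Temp. The parent/child pairing matters: flagging every "ping & del" command line would also catch cleanup scripts, whereas a cmd.exe deleting exactly its parent's image is the dropper pattern shown in this report.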
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (listed three times in the report, twice as \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe, with identical hashes each time)
Filesize: 89KB
MD5: 75830ee0a9c362ebc86b098f0ef8107f
SHA1: 160cc558f627c017ac6e1d08cc7c1fe960b40650
SHA256: f1ecfc2558d559c035593e108cd2007778b0c7eec8c4aea81a4d985b9332229f
SHA512: d23f770e7a4d64f6818d71529edf4a4a581da739e3bbf3ed52854f74b528c7dd263dba274a10c160998f8b363c1a56fbc407648b623ccfafdedf2cc7a384e76b
-
Memory dumps
- memory/776-61-0x0000000000000000-mapping.dmp
- memory/1248-54-0x0000000075351000-0x0000000075353000-memory.dmp (Filesize 8KB)
- memory/1336-60-0x0000000000000000-mapping.dmp
- memory/1384-57-0x0000000000000000-mapping.dmp