Analysis
- max time kernel: 132s
- max time network: 147s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 12-10-2022 15:57
Behavioral task: behavioral1
- Sample: 1f6999433b7ac1b5e41d71c0922e6472cce3b19665da1da5c9c76c64fbda97fb.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: 1f6999433b7ac1b5e41d71c0922e6472cce3b19665da1da5c9c76c64fbda97fb.exe
- Resource: win10v2004-20220812-en
General
- Target: 1f6999433b7ac1b5e41d71c0922e6472cce3b19665da1da5c9c76c64fbda97fb.exe
- Size: 88KB
- MD5: 2891e37bed6d36ec6c9b3bcc5835e313
- SHA1: 5cf55d05e3d6499f5cfd2ff460886029eb507cfd
- SHA256: 1f6999433b7ac1b5e41d71c0922e6472cce3b19665da1da5c9c76c64fbda97fb
- SHA512: de98b2f8ebdfac9bd04680b3d69230d6dc8428b1df6237651c93e06e4664cd795e5d059fc28fd38df5d4e78f981ac3557f321b2886acda0581371999d185b07d
- SSDEEP: 1536:Boaj1hJL1S9t0MIeboal8bCKxo7h0RP0jwHVz30rtro1PTEzh:y0hpgz6xGhTjwHN30BE1bEl
Malware Config
Signatures
- Sakula payload (3 IoCs)
  Processes:
  resource | yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- Executes dropped EXE (1 IoC)
  Processes: MediaCenter.exe
  pid | process
  1968 | MediaCenter.exe
- Deletes itself (1 IoC)
  Processes: cmd.exe
  pid | process
  1372 | cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes: 1f6999433b7ac1b5e41d71c0922e6472cce3b19665da1da5c9c76c64fbda97fb.exe
  pid | process
  1960 | 1f6999433b7ac1b5e41d71c0922e6472cce3b19665da1da5c9c76c64fbda97fb.exe
  1960 | 1f6999433b7ac1b5e41d71c0922e6472cce3b19665da1da5c9c76c64fbda97fb.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: 1f6999433b7ac1b5e41d71c0922e6472cce3b19665da1da5c9c76c64fbda97fb.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 1f6999433b7ac1b5e41d71c0922e6472cce3b19665da1da5c9c76c64fbda97fb.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: 1f6999433b7ac1b5e41d71c0922e6472cce3b19665da1da5c9c76c64fbda97fb.exe
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 1960 | 1f6999433b7ac1b5e41d71c0922e6472cce3b19665da1da5c9c76c64fbda97fb.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes: 1f6999433b7ac1b5e41d71c0922e6472cce3b19665da1da5c9c76c64fbda97fb.exe, cmd.exe
  description | pid | process | target process
  PID 1960 wrote to memory of 1968 | 1960 | 1f6999433b7ac1b5e41d71c0922e6472cce3b19665da1da5c9c76c64fbda97fb.exe | MediaCenter.exe
  PID 1960 wrote to memory of 1968 | 1960 | 1f6999433b7ac1b5e41d71c0922e6472cce3b19665da1da5c9c76c64fbda97fb.exe | MediaCenter.exe
  PID 1960 wrote to memory of 1968 | 1960 | 1f6999433b7ac1b5e41d71c0922e6472cce3b19665da1da5c9c76c64fbda97fb.exe | MediaCenter.exe
  PID 1960 wrote to memory of 1968 | 1960 | 1f6999433b7ac1b5e41d71c0922e6472cce3b19665da1da5c9c76c64fbda97fb.exe | MediaCenter.exe
  PID 1960 wrote to memory of 1372 | 1960 | 1f6999433b7ac1b5e41d71c0922e6472cce3b19665da1da5c9c76c64fbda97fb.exe | cmd.exe
  PID 1960 wrote to memory of 1372 | 1960 | 1f6999433b7ac1b5e41d71c0922e6472cce3b19665da1da5c9c76c64fbda97fb.exe | cmd.exe
  PID 1960 wrote to memory of 1372 | 1960 | 1f6999433b7ac1b5e41d71c0922e6472cce3b19665da1da5c9c76c64fbda97fb.exe | cmd.exe
  PID 1960 wrote to memory of 1372 | 1960 | 1f6999433b7ac1b5e41d71c0922e6472cce3b19665da1da5c9c76c64fbda97fb.exe | cmd.exe
  PID 1372 wrote to memory of 824 | 1372 | cmd.exe | PING.EXE
  PID 1372 wrote to memory of 824 | 1372 | cmd.exe | PING.EXE
  PID 1372 wrote to memory of 824 | 1372 | cmd.exe | PING.EXE
  PID 1372 wrote to memory of 824 | 1372 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\1f6999433b7ac1b5e41d71c0922e6472cce3b19665da1da5c9c76c64fbda97fb.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1f6999433b7ac1b5e41d71c0922e6472cce3b19665da1da5c9c76c64fbda97fb.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\1f6999433b7ac1b5e41d71c0922e6472cce3b19665da1da5c9c76c64fbda97fb.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  Filesize: 88KB
  MD5: ba6fc00322778c481af31c52e6a5ab2b
  SHA1: 3485b93912fc95572eb8cae5ef4032ddc0825972
  SHA256: 43505be548c9fd576f8638bd98fea0c01e939b7512152fefab150c26a09f61c2
  SHA512: 7a439dd632cbbf41406a7574a098ed8346241ca6d04e271ba608b9c1ca5ccbc941a900dd8ba66808b562eaa3c89d17e1d075fb52782c631b3907c1e739051f81
- \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  Filesize: 88KB
  MD5: ba6fc00322778c481af31c52e6a5ab2b
  SHA1: 3485b93912fc95572eb8cae5ef4032ddc0825972
  SHA256: 43505be548c9fd576f8638bd98fea0c01e939b7512152fefab150c26a09f61c2
  SHA512: 7a439dd632cbbf41406a7574a098ed8346241ca6d04e271ba608b9c1ca5ccbc941a900dd8ba66808b562eaa3c89d17e1d075fb52782c631b3907c1e739051f81
- memory/824-61-0x0000000000000000-mapping.dmp
- memory/1372-60-0x0000000000000000-mapping.dmp
- memory/1960-54-0x0000000074AB1000-0x0000000074AB3000-memory.dmp
  Filesize: 8KB
- memory/1968-57-0x0000000000000000-mapping.dmp