Analysis
max time kernel: 135s
max time network: 150s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 12-10-2022 15:58
Behavioral task: behavioral1
Sample: 2c43bc2636af763584c23e31fd1a374b162933b11ed22d6773593896094c1d9c.exe
Resource: win7-20220812-en
Behavioral task: behavioral2
Sample: 2c43bc2636af763584c23e31fd1a374b162933b11ed22d6773593896094c1d9c.exe
Resource: win10v2004-20220812-en
General
Target: 2c43bc2636af763584c23e31fd1a374b162933b11ed22d6773593896094c1d9c.exe
Size: 88KB
MD5: 948460a9dc9709045e0e325af9753d44
SHA1: b7fc8420a98ca85b91a0f08ba99bbe835fd8b940
SHA256: 2c43bc2636af763584c23e31fd1a374b162933b11ed22d6773593896094c1d9c
SHA512: b6d9a6c8617b574f2ae7dea590b08c6653b5bf38998c0614da86aef81da08cb7e5bc5318be8424cf91c6063db24fed2145af5af399af0bab395f198f5f5e4be5
SSDEEP: 1536:Boaj1hJL1S9t0MIeboal8bCKxo7h0RP0jwHVz30rtro1PTEzj:y0hpgz6xGhTjwHN30BE1bE3
Malware Config
Signatures
Sakula payload (3 IoCs)
resource | yara_rule
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
Executes dropped EXE (1 IoC)
pid | process
1688 | MediaCenter.exe
Deletes itself (1 IoC)
pid | process
856 | cmd.exe
Loads dropped DLL (2 IoCs)
pid | process
1920 | 2c43bc2636af763584c23e31fd1a374b162933b11ed22d6773593896094c1d9c.exe
1920 | 2c43bc2636af763584c23e31fd1a374b162933b11ed22d6773593896094c1d9c.exe
Adds Run key to start application (2 TTPs, 1 IoC)
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 2c43bc2636af763584c23e31fd1a374b162933b11ed22d6773593896094c1d9c.exe
Note: the key lands under Wow6432Node because a 32-bit process wrote to HKLM\SOFTWARE through the WOW64 registry redirector; Windows still processes that Run key at logon, so the persistence is effective on the 64-bit host. The value points into the user's %TEMP% directory, which is itself a useful hunting criterion for Run-key entries.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature is "likely ransomware behaviour"; it is a heuristic, and nothing else in this run (no file encryption, no ransom note, a payload classified as Sakula) supports a ransomware classification for this sample.
Runs ping.exe (1 TTP, 1 IoC)
Suspicious use of AdjustPrivilegeToken (1 IoC)
description | pid | process
Token: SeIncBasePriorityPrivilege | 1920 | 2c43bc2636af763584c23e31fd1a374b162933b11ed22d6773593896094c1d9c.exe
Suspicious use of WriteProcessMemory (12 IoCs)
pid | process | target pid | target process
1920 | 2c43bc2636af763584c23e31fd1a374b162933b11ed22d6773593896094c1d9c.exe | 1688 | MediaCenter.exe (4 records)
1920 | 2c43bc2636af763584c23e31fd1a374b162933b11ed22d6773593896094c1d9c.exe | 856 | cmd.exe (4 records)
856 | cmd.exe | 1564 | PING.EXE (4 records)
Note: every write here is from a parent into a child it has just created. CreateProcess itself writes the new process's startup parameters into the child, so these records match the process tree below and, on their own, are not evidence of code injection into an unrelated process.
Processes
1. C:\Users\Admin\AppData\Local\Temp\2c43bc2636af763584c23e31fd1a374b162933b11ed22d6773593896094c1d9c.exe (PID 1920)
   command line: "C:\Users\Admin\AppData\Local\Temp\2c43bc2636af763584c23e31fd1a374b162933b11ed22d6773593896094c1d9c.exe"
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 1688)
      command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE
   2. C:\Windows\SysWOW64\cmd.exe (PID 856)
      command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\2c43bc2636af763584c23e31fd1a374b162933b11ed22d6773593896094c1d9c.exe"
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\PING.EXE (PID 1564)
         command line: ping 127.0.0.1
         - Runs ping.exe
Note: the command line names System32\cmd.exe but the image that ran is SysWOW64\cmd.exe; the 32-bit parent is subject to WOW64 file-system redirection, so the 32-bit cmd.exe was launched. The ping 127.0.0.1 serves only as a short delay so that the dropper has exited before del removes its own executable.
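The self-deletion chain (cmd.exe /c ping 127.0.0.1 & del /q <own path>) and the Run-key persistence recorded above, turned into detection logic a practitioner could run over endpoint telemetry. This is an added example, not part of the sandbox report and not the sandbox's own signature code. The event records are constructed by hand from the report's process tree, registry IoC and hashes; the Sysmon-like field names (event, pid, ppid, image, command_line, key, value, sha256) are an assumed schema, not any product's export format, and the regular expressions are mine.

```python
"""Detection logic for the behaviours this sandbox run records.

Added worked example; not part of the sandbox report or vendor code.
EVENTS is constructed from the report's process tree and registry IoC.
Field names are an assumed Sysmon-like layout, not a real export format.
"""
import re

# SHA-256 values taken from the report: the submitted sample and the
# dropped MediaCenter.exe that the yara rule flagged as family_sakula.
IOC_SHA256 = {
    "2c43bc2636af763584c23e31fd1a374b162933b11ed22d6773593896094c1d9c": "submitted sample",
    "c4e5631dc7f5b92fc677d1684dce3ed494ca3169691ceb3315ff6656c35052df": "MediaCenter.exe (family_sakula)",
}

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\2c43bc2636af763584c23e31fd1a374b162933b11ed22d6773593896094c1d9c.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

# Constructed events mirroring the report's process tree (PIDs as reported;
# ppid 1 for the top-level sample is a placeholder, the report gives no parent).
EVENTS = [
    {"event": "process_create", "pid": 1920, "ppid": 1, "image": SAMPLE,
     "command_line": f'"{SAMPLE}"',
     "sha256": "2c43bc2636af763584c23e31fd1a374b162933b11ed22d6773593896094c1d9c"},
    {"event": "registry_set", "pid": 1920,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "value": DROPPED},
    {"event": "process_create", "pid": 1688, "ppid": 1920, "image": DROPPED,
     "command_line": DROPPED,
     "sha256": "c4e5631dc7f5b92fc677d1684dce3ed494ca3169691ceb3315ff6656c35052df"},
    {"event": "process_create", "pid": 856, "ppid": 1920,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "command_line": f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"'},
    {"event": "process_create", "pid": 1564, "ppid": 856,
     "image": r"C:\Windows\SysWOW64\PING.EXE", "command_line": "ping 127.0.0.1"},
]

# "ping <host> & del [/switches] <path>": the ping is only a delay before the delete.
SELF_DELETE_RE = re.compile(r'\bping\b[^&]*&\s*del\b(?:\s+/\w+)*\s+"?(.+?)"?\s*$', re.IGNORECASE)
RUN_KEY_RE = re.compile(r'\\CurrentVersion\\Run\\', re.IGNORECASE)
USER_WRITABLE_RE = re.compile(r'\\AppData\\Local\\Temp\\', re.IGNORECASE)


def _norm(path):
    """Case-fold and strip surrounding quotes so paths compare reliably."""
    return path.strip().strip('"').casefold()


def find_self_deletion(events):
    """cmd.exe launched by a process whose own image is the del target."""
    image_by_pid = {e["pid"]: e["image"] for e in events if e["event"] == "process_create"}
    hits = []
    for e in events:
        if e["event"] != "process_create" or not e["image"].casefold().endswith("\\cmd.exe"):
            continue
        m = SELF_DELETE_RE.search(e["command_line"])
        if not m:
            continue
        parent = image_by_pid.get(e["ppid"])
        if parent and _norm(m.group(1)) == _norm(parent):
            hits.append({"pid": e["pid"], "parent_pid": e["ppid"], "deleted": parent})
    return hits


def find_run_key_persistence(events):
    """Run-key values (64-bit or Wow6432Node view) pointing into a user temp dir."""
    return [
        {"pid": e["pid"], "key": e["key"], "target": _norm(e["value"])}
        for e in events
        if e["event"] == "registry_set"
        and RUN_KEY_RE.search(e["key"])
        and USER_WRITABLE_RE.search(e["value"])
    ]


def find_known_hashes(events):
    """Process images whose SHA-256 matches an IoC from the report."""
    return [
        {"pid": e["pid"], "image": e["image"], "label": IOC_SHA256[e["sha256"]]}
        for e in events
        if e.get("sha256") in IOC_SHA256
    ]


def analyze(events):
    return {
        "self_deletion": find_self_deletion(events),
        "run_key_persistence": find_run_key_persistence(events),
        "known_hashes": find_known_hashes(events),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(analyze(EVENTS), indent=2))
```

The self-deletion check deliberately requires the del target to equal the parent's image path rather than matching any "ping & del" string: administrators and installers use the same idiom for cleanup, and tying it to the parent's own executable is what separates a dropper erasing itself from ordinary housekeeping. The hash check is the weakest of the three, since a repacked sample changes it; the behavioural rules are what carry over to the next build.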
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (the report lists this file three times, once under C:\... and twice under \Users\..., with identical hashes; collapsed here)
Filesize: 88KB
MD5: 94e8c427e1f049a255948eae1568ca3e
SHA1: 0cebcb0d6da27ed46f912a443fa88502566a8e96
SHA256: c4e5631dc7f5b92fc677d1684dce3ed494ca3169691ceb3315ff6656c35052df
SHA512: 7a384b87369cf96671e56528784aa5912d75a525dbf9dcb3a26f34bc6095eafc23bbaf4f4cb0b27eb14697ca031801aa4eccb5f1d02c614874a7095b0dae57bc
Note: the dropped file has the same 88KB size as the submitted sample but different hashes, so it is a distinct binary rather than a copy of the dropper; both hashes belong on the block list.
memory/856-60-0x0000000000000000-mapping.dmp
memory/1564-61-0x0000000000000000-mapping.dmp
memory/1688-57-0x0000000000000000-mapping.dmp
memory/1920-54-0x00000000763F1000-0x00000000763F3000-memory.dmp (Filesize: 8KB)