Analysis
max time kernel: 135s
max time network: 121s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 17-10-2022 08:34
Behavioral task: behavioral1
  Sample: d496522fd93ca1cb2bca9979b7868a39cbfb534ba328136a1d674dd8e88cd497.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: d496522fd93ca1cb2bca9979b7868a39cbfb534ba328136a1d674dd8e88cd497.exe
  Resource: win10v2004-20220812-en
General
Target: d496522fd93ca1cb2bca9979b7868a39cbfb534ba328136a1d674dd8e88cd497.exe
Size: 222KB
MD5: a999566216b6111e7e3a79cc38ea7275
SHA1: e7128d2bf65d01607ce1f636b99c8efeb08828f0
SHA256: d496522fd93ca1cb2bca9979b7868a39cbfb534ba328136a1d674dd8e88cd497
SHA512: 445ca5235b0abe97b495cea68e5c5f805b096c8224a9622770ff5d289321a669a9ab90c90f22c56d9f145853eacac4be21d6391b46ee12ae061c8b639c877d2e
SSDEEP: 6144:n29qRfVSnfj30BmhqC8WSr24AyqaLjLj64fm:zRfQniC8WSa4C6L2wm
Malware Config
Signatures
- Sakula payload 2 IoCs
  Processes (resource | yara_rule):
    \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- Executes dropped EXE 1 IoCs
  Processes (pid | process):
    820 | MediaCenter.exe
- Deletes itself 1 IoCs
  Processes (pid | process):
    1464 | cmd.exe
- Loads dropped DLL 1 IoCs
  Processes (pid | process):
    1256 | d496522fd93ca1cb2bca9979b7868a39cbfb534ba328136a1d674dd8e88cd497.exe
- Adds Run key to start application 2 TTPs 1 IoCs
  Processes (description | ioc | process):
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | d496522fd93ca1cb2bca9979b7868a39cbfb534ba328136a1d674dd8e88cd497.exe
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe 1 TTPs 1 IoCs
- Suspicious use of AdjustPrivilegeToken 1 IoCs
  Processes (description | pid | process):
    Token: SeIncBasePriorityPrivilege | 1256 | d496522fd93ca1cb2bca9979b7868a39cbfb534ba328136a1d674dd8e88cd497.exe
- Suspicious use of WriteProcessMemory 12 IoCs
  Processes (description | pid | process | target process):
    PID 1256 wrote to memory of 820 | 1256 | d496522fd93ca1cb2bca9979b7868a39cbfb534ba328136a1d674dd8e88cd497.exe | MediaCenter.exe
    PID 1256 wrote to memory of 820 | 1256 | d496522fd93ca1cb2bca9979b7868a39cbfb534ba328136a1d674dd8e88cd497.exe | MediaCenter.exe
    PID 1256 wrote to memory of 820 | 1256 | d496522fd93ca1cb2bca9979b7868a39cbfb534ba328136a1d674dd8e88cd497.exe | MediaCenter.exe
    PID 1256 wrote to memory of 820 | 1256 | d496522fd93ca1cb2bca9979b7868a39cbfb534ba328136a1d674dd8e88cd497.exe | MediaCenter.exe
    PID 1256 wrote to memory of 1464 | 1256 | d496522fd93ca1cb2bca9979b7868a39cbfb534ba328136a1d674dd8e88cd497.exe | cmd.exe
    PID 1256 wrote to memory of 1464 | 1256 | d496522fd93ca1cb2bca9979b7868a39cbfb534ba328136a1d674dd8e88cd497.exe | cmd.exe
    PID 1256 wrote to memory of 1464 | 1256 | d496522fd93ca1cb2bca9979b7868a39cbfb534ba328136a1d674dd8e88cd497.exe | cmd.exe
    PID 1256 wrote to memory of 1464 | 1256 | d496522fd93ca1cb2bca9979b7868a39cbfb534ba328136a1d674dd8e88cd497.exe | cmd.exe
    PID 1464 wrote to memory of 1568 | 1464 | cmd.exe | PING.EXE
    PID 1464 wrote to memory of 1568 | 1464 | cmd.exe | PING.EXE
    PID 1464 wrote to memory of 1568 | 1464 | cmd.exe | PING.EXE
    PID 1464 wrote to memory of 1568 | 1464 | cmd.exe | PING.EXE
Processes (indentation shows the parent/child tree)
- C:\Users\Admin\AppData\Local\Temp\d496522fd93ca1cb2bca9979b7868a39cbfb534ba328136a1d674dd8e88cd497.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d496522fd93ca1cb2bca9979b7868a39cbfb534ba328136a1d674dd8e88cd497.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\d496522fd93ca1cb2bca9979b7868a39cbfb534ba328136a1d674dd8e88cd497.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  Filesize: 222KB
  MD5: fbc31b2e7c1b2c659120e726a2ba58b0
  SHA1: 1b099e9880ef13d1681c5fecb678bf149f00acca
  SHA256: 1cd6179e80a17bf855525e63e2611086c0111c80c6c38e4ca5eaa9992ab425bd
  SHA512: cbeded5b8c452b7bef8b0f80d8afa101e0b7a3e923e6333616c6b5603317ac311630e82371e888443ac747e6f703508ba00ad3737cd07634334a06d76dca280e
- \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  Filesize: 222KB
  MD5: fbc31b2e7c1b2c659120e726a2ba58b0
  SHA1: 1b099e9880ef13d1681c5fecb678bf149f00acca
  SHA256: 1cd6179e80a17bf855525e63e2611086c0111c80c6c38e4ca5eaa9992ab425bd
  SHA512: cbeded5b8c452b7bef8b0f80d8afa101e0b7a3e923e6333616c6b5603317ac311630e82371e888443ac747e6f703508ba00ad3737cd07634334a06d76dca280e
- memory/820-56-0x0000000000000000-mapping.dmp
- memory/1256-54-0x0000000075091000-0x0000000075093000-memory.dmp
  Filesize: 8KB
- memory/1464-59-0x0000000000000000-mapping.dmp
- memory/1568-60-0x0000000000000000-mapping.dmp