Analysis
max time kernel: 131s
max time network: 132s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 18-10-2022 00:40
Behavioral task: behavioral1
Sample: 2ef07ce90f51ca389de09aad08048225b28c74c09cbaf3aceccddd3e6b003672.exe
Resource: win7-20220812-en

Behavioral task: behavioral2
Sample: 2ef07ce90f51ca389de09aad08048225b28c74c09cbaf3aceccddd3e6b003672.exe
Resource: win10v2004-20220901-en
General
Target: 2ef07ce90f51ca389de09aad08048225b28c74c09cbaf3aceccddd3e6b003672.exe
Size: 220KB
MD5: c2ae8bc15021ce07686a8ef83f0287fc
SHA1: 8d91e452bc71470d1ce05d02169f256a68d1e876
SHA256: 2ef07ce90f51ca389de09aad08048225b28c74c09cbaf3aceccddd3e6b003672
SHA512: 9475ae6c840f7f12eacd81333b5f87b0fc5fdaf40f54dd9a968c6f08d7e5409f7f1fe174c92fbbba94e48e3d939a6df9ec1f134f0d5fc019d587fcde527edf83
SSDEEP: 3072:a29DkEGRQixVSjLaes5G30B6SHrMPK82S5EVVEdZHMoGo8uA0I6pVMybCFbRZ:a29qRfVSnfj30B+2S6ydMI8QVMgCFbRZ
Malware Config
Signatures
Sakula payload (2 IoCs)
  resource: \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  yara_rule: family_sakula
  resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  yara_rule: family_sakula
Executes dropped EXE (1 IoC)
  pid: 1372  process: MediaCenter.exe

Deletes itself (1 IoC)
  pid: 1772  process: cmd.exe

Loads dropped DLL (1 IoC)
  pid: 1408  process: 2ef07ce90f51ca389de09aad08048225b28c74c09cbaf3aceccddd3e6b003672.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  process: 2ef07ce90f51ca389de09aad08048225b28c74c09cbaf3aceccddd3e6b003672.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTP, 1 IoC)
Suspicious use of AdjustPrivilegeToken (1 IoC)
  description: Token: SeIncBasePriorityPrivilege  pid: 1408  process: 2ef07ce90f51ca389de09aad08048225b28c74c09cbaf3aceccddd3e6b003672.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  description: PID 1408 wrote to memory of 1372  pid: 1408  process: 2ef07ce90f51ca389de09aad08048225b28c74c09cbaf3aceccddd3e6b003672.exe  target process: MediaCenter.exe  (reported 4 times)
  description: PID 1408 wrote to memory of 1772  pid: 1408  process: 2ef07ce90f51ca389de09aad08048225b28c74c09cbaf3aceccddd3e6b003672.exe  target process: cmd.exe  (reported 4 times)
  description: PID 1772 wrote to memory of 1620  pid: 1772  process: cmd.exe  target process: PING.EXE  (reported 4 times)
Processes
C:\Users\Admin\AppData\Local\Temp\2ef07ce90f51ca389de09aad08048225b28c74c09cbaf3aceccddd3e6b003672.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\2ef07ce90f51ca389de09aad08048225b28c74c09cbaf3aceccddd3e6b003672.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1408
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE
      PID: 1372
    C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\2ef07ce90f51ca389de09aad08048225b28c74c09cbaf3aceccddd3e6b003672.exe"
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      PID: 1772
        C:\Windows\SysWOW64\PING.EXE
          command line: ping 127.0.0.1
          - Runs ping.exe
          PID: 1620
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  Filesize: 220KB
  MD5: 2df33638bf15a52dfbf851286d987128
  SHA1: eb2d49a70b751a2ed6382a021431224911e1252b
  SHA256: abd13f8e2c10bc7127d98d513e0578b74c2cd02137ba48f777552e1b101a7990
  SHA512: 8660685112cd7743d59dd3c42dc588d7b9f1fe0fc42ae7156de8b7212f1e596f04f107b57a10a07281de4757c6a96a0fbd2df1329ff74f624ea9dc8fa6b48f7f

\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  Filesize: 220KB
  MD5: 2df33638bf15a52dfbf851286d987128
  SHA1: eb2d49a70b751a2ed6382a021431224911e1252b
  SHA256: abd13f8e2c10bc7127d98d513e0578b74c2cd02137ba48f777552e1b101a7990
  SHA512: 8660685112cd7743d59dd3c42dc588d7b9f1fe0fc42ae7156de8b7212f1e596f04f107b57a10a07281de4757c6a96a0fbd2df1329ff74f624ea9dc8fa6b48f7f
memory/1372-56-0x0000000000000000-mapping.dmp

memory/1408-54-0x00000000750A1000-0x00000000750A3000-memory.dmp
  Filesize: 8KB

memory/1620-60-0x0000000000000000-mapping.dmp

memory/1772-59-0x0000000000000000-mapping.dmp