Analysis
- max time kernel: 137s
- max time network: 104s
- platform: windows7_x64
- resource: win7-20220901-en
- resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
- submitted: 18-10-2022 08:30
Behavioral task behavioral1
- Sample: e8cbc695da0a4e41d0a99ac2a65351e0c89848ec5a7eaa66203e2ba44928b4f3.exe
- Resource: win7-20220901-en
Behavioral task behavioral2
- Sample: e8cbc695da0a4e41d0a99ac2a65351e0c89848ec5a7eaa66203e2ba44928b4f3.exe
- Resource: win10v2004-20220812-en
The platform and resource in the Analysis header (windows7_x64, win7-20220901-en) match behavioral1, so the signatures, process tree and dumps below are from that run.
General
- Target: e8cbc695da0a4e41d0a99ac2a65351e0c89848ec5a7eaa66203e2ba44928b4f3.exe
- Size: 98KB
- MD5: 61904881703150762d61354d40bc6d03
- SHA1: 8c05ffcb409a54ec20994e681cb426e2b676cfe5
- SHA256: e8cbc695da0a4e41d0a99ac2a65351e0c89848ec5a7eaa66203e2ba44928b4f3
- SHA512: 2b7dca253883b8dca8ae86d80ee7a2b67ba5a4e5b121aa5e684cc914d43cb85b7cda05d975bc7a6ef1cce52aad0c09417b22c442fe91a75de0868b37b15c5e3e
- SSDEEP: 1536:XQFl29mEkE0L1rDEKrxZKF2zf9g2Pl7W/MwbxMX+ees52z30rtrBuxzuA:429DkEGRQixVSjLaes5G30B6r
Malware Config
Signatures
- Sakula payload (2 IoCs)
  YARA rule family_sakula matched the dropped file at both recorded paths:
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
- Executes dropped EXE (1 IoC)
  PID 1888 MediaCenter.exe
- Deletes itself (1 IoC)
  PID 1836 cmd.exe (the sample is removed by the cmd.exe child it spawns; see the process tree)
- Loads dropped DLL (1 IoC)
  PID 992 e8cbc695da0a4e41d0a99ac2a65351e0c89848ec5a7eaa66203e2ba44928b4f3.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  PID 992 e8cbc695da0a4e41d0a99ac2a65351e0c89848ec5a7eaa66203e2ba44928b4f3.exe set value (str)
  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  The key sits under Wow6432Node: the sample is a 32-bit binary on 64-bit Windows and its write to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run was redirected. A hunt that checks only the native Run path misses this entry; check both views. The value also points into the user's Temp directory, which is itself a strong indicator.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic description of this signature calls it likely ransomware behaviour, but nothing else in this trace (no file encryption, no ransom note) supports that reading; the sample is classified as Sakula, a remote access trojan, and this signature on its own is a weak indicator.
- Runs ping.exe (1 TTP, 1 IoC)
  PID 912 PING.EXE, ping 127.0.0.1 (see the process tree)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  PID 992 e8cbc695da0a4e41d0a99ac2a65351e0c89848ec5a7eaa66203e2ba44928b4f3.exe enabled token privilege SeIncBasePriorityPrivilege
- Suspicious use of WriteProcessMemory (12 IoCs)
  PID 992 e8cbc695da0a4e41d0a99ac2a65351e0c89848ec5a7eaa66203e2ba44928b4f3.exe wrote to PID 1888 MediaCenter.exe (4 writes)
  PID 992 e8cbc695da0a4e41d0a99ac2a65351e0c89848ec5a7eaa66203e2ba44928b4f3.exe wrote to PID 1836 cmd.exe (4 writes)
  PID 1836 cmd.exe wrote to PID 912 PING.EXE (4 writes)
  Each target is a child the writing process had just created, so these writes are consistent with ordinary process creation (the parent writes the child's startup data) rather than injection into an unrelated process. Treat this signature as corroboration of the parent-child chain, not as evidence of injection by itself.
Processes
1. C:\Users\Admin\AppData\Local\Temp\e8cbc695da0a4e41d0a99ac2a65351e0c89848ec5a7eaa66203e2ba44928b4f3.exe (PID 992)
   Command line: "C:\Users\Admin\AppData\Local\Temp\e8cbc695da0a4e41d0a99ac2a65351e0c89848ec5a7eaa66203e2ba44928b4f3.exe"
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 1888)
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE
   2. C:\Windows\SysWOW64\cmd.exe (PID 1836)
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\e8cbc695da0a4e41d0a99ac2a65351e0c89848ec5a7eaa66203e2ba44928b4f3.exe"
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\PING.EXE (PID 912)
         Command line: ping 127.0.0.1
         - Runs ping.exe
The command line names System32\cmd.exe but the image that ran is SysWOW64\cmd.exe: WOW64 file-system redirection resolved it, which again shows the sample runs as a 32-bit process. The single ping to 127.0.0.1 is a short delay that lets the parent exit before del removes its file; the same idiom with ping -n N is used when a longer wait is needed.
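Detection logic for the two behaviours this trace shows, a Run-key value written under the WOW64 view that points into the user's Temp directory, and a cmd.exe "ping & del" whose target is its own parent's image, run over events constructed from this report. This is an added example, not part of the sandbox output. The ProcEvent and RegEvent classes are simplified stand-ins for Sysmon process-create and registry-value-set records (an assumption), and the PPID of the submitted sample is not in the report and is set to 0.

```python
"""Detection logic for the behaviours in the trace above, run over events
constructed from the report. Added example, not sandbox output.

Assumptions not in the report: ProcEvent/RegEvent are simplified stand-ins for
Sysmon Event ID 1 (process create) and Event ID 13 (registry value set); the
PPID of the submitted sample is unknown and set to 0.
"""
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass(frozen=True)
class RegEvent:
    pid: int
    key: str
    value_name: str
    data: str


# Run/RunOnce under the native view or the WOW64-redirected Wow6432Node view.
# The sample wrote the latter, so a hunt keyed only on the native path misses it.
RUN_KEY_RE = re.compile(
    r"\\(?:wow6432node\\)?microsoft\\windows\\currentversion\\run(?:once)?$", re.I)
# Directories a standard user can write to; a Run entry pointing here is rarely legitimate.
USER_WRITABLE_RE = re.compile(
    r"\\(?:appdata\\(?:local\\temp|local|roaming)|users\\public|programdata)\\", re.I)
# "ping 127.0.0.1 & del <exe>": the delay-then-delete idiom in the cmd.exe command line.
SELF_DELETE_RE = re.compile(
    r'ping\s+(?:-n\s+\d+\s+)?127\.0\.0\.1\b.*?&+\s*del\s+(?:/\w\s+)*"?(?P<target>[^"&]+?\.exe)"?',
    re.I)


def _unquote(path: str) -> str:
    return path.strip().strip('"')


def normalize_run_key(key: str) -> str:
    """Map the kernel path and both registry views onto one canonical hive path."""
    k = key.replace("\\REGISTRY\\MACHINE\\", "HKLM\\").replace("\\REGISTRY\\USER\\", "HKU\\")
    return re.sub(r"\\Wow6432Node\\", "\\\\", k, flags=re.I)


def run_key_persistence(regs: List[RegEvent]) -> List[dict]:
    """Run-key values whose data points into a user-writable directory."""
    out = []
    for ev in regs:
        if RUN_KEY_RE.search(ev.key) and USER_WRITABLE_RE.search(ev.data):
            out.append({"pid": ev.pid, "key": normalize_run_key(ev.key),
                        "value": ev.value_name, "image": _unquote(ev.data)})
    return out


def self_delete_chain(procs: List[ProcEvent]) -> List[dict]:
    """cmd.exe whose 'ping & del' target is the image of its own parent."""
    by_pid: Dict[int, ProcEvent] = {p.pid: p for p in procs}
    out = []
    for p in procs:
        if not p.image.lower().endswith("\\cmd.exe"):
            continue
        m = SELF_DELETE_RE.search(p.cmdline)
        if not m:
            continue
        parent = by_pid.get(p.ppid)
        if parent and parent.image.lower() == _unquote(m.group("target")).lower():
            out.append({"cmd_pid": p.pid, "dropper_pid": parent.pid,
                        "deleted_image": parent.image})
    return out


def persisted_binary_executed(procs: List[ProcEvent], persistence: List[dict]) -> List[dict]:
    """The persisted image was also launched as a child of the process that set the key."""
    return [{"setter_pid": f["pid"], "child_pid": p.pid, "image": p.image}
            for f in persistence for p in procs
            if p.ppid == f["pid"] and p.image.lower() == f["image"].lower()]


# Constructed events reproducing the PIDs, paths and command lines in this report.
SAMPLE = ("C:\\Users\\Admin\\AppData\\Local\\Temp\\"
          "e8cbc695da0a4e41d0a99ac2a65351e0c89848ec5a7eaa66203e2ba44928b4f3.exe")
DROPPED = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
PROCS = [
    ProcEvent(992, 0, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(1888, 992, DROPPED, DROPPED),
    ProcEvent(1836, 992, "C:\\Windows\\SysWOW64\\cmd.exe",
              f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"'),
    ProcEvent(912, 1836, "C:\\Windows\\SysWOW64\\PING.EXE", "ping 127.0.0.1"),
]
REGS = [RegEvent(992, "\\REGISTRY\\MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows"
                      "\\CurrentVersion\\Run", "MicroMedia", DROPPED)]


def analyse(procs: List[ProcEvent] = PROCS, regs: List[RegEvent] = REGS) -> dict:
    persistence = run_key_persistence(regs)
    return {"persistence": persistence,
            "self_delete": self_delete_chain(procs),
            "persisted_executed": persisted_binary_executed(procs, persistence)}


if __name__ == "__main__":
    for name, hits in analyse().items():
        print(name, hits)
```

The self-delete check deliberately requires the del target to equal the parent image rather than matching any "ping & del" command line, which keeps installers that clean up a temporary file out of the results; normalize_run_key folds the Wow6432Node view into the native path so one rule covers both the 32-bit and 64-bit cases.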
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (also recorded as \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe)
  Filesize: 98KB
  MD5: 4b40f7d27c41fa70702064eb85b1b089
  SHA1: 9760d884f0bf0b3bcb7a5ef38b8f31a810fd8a1e
  SHA256: 1bf4bbc46154d4758f220cdbdbc9230c6355417937b8d728bcd3b904ab056d17
  SHA512: 8e772a69761759b726bf7741f22284b824a5acb25eff65b53138d196aed3fc6337fa98443004d7b828e93aeb7d7dc2986f06043360c7b96f48143e86b879e601
  The dropped file has the same 98KB size as the submitted sample but different hashes, so it is not a byte-for-byte copy; both hash sets are worth blocking.
- memory/912-60-0x0000000000000000-mapping.dmp
- memory/992-54-0x0000000076561000-0x0000000076563000-memory.dmp (Filesize: 8KB)
- memory/1836-59-0x0000000000000000-mapping.dmp
- memory/1888-56-0x0000000000000000-mapping.dmp