Analysis
max time kernel: 137s
max time network: 139s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 18-10-2022 10:10
Behavioral task: behavioral1
Sample: 5e8784b2d25a38864bc27d592df9bf0c373bba2931a25872bac3043a5d170f60.exe
Resource: win7-20220812-en

Behavioral task: behavioral2
Sample: 5e8784b2d25a38864bc27d592df9bf0c373bba2931a25872bac3043a5d170f60.exe
Resource: win10v2004-20220812-en
General
Target: 5e8784b2d25a38864bc27d592df9bf0c373bba2931a25872bac3043a5d170f60.exe
Size: 222KB
MD5: 52a2c8ddeff2869bd8aa8bb4a860b5ee
SHA1: c67e56e0a61a738f8798db99d111ac079be25dba
SHA256: 5e8784b2d25a38864bc27d592df9bf0c373bba2931a25872bac3043a5d170f60
SHA512: 26e40ab2b65b6b6e0e06177d65e358f6dd5a202d74d6b804a1abe74a8c9bbe41f962eecbb354addb6386b5085a2eb5e6f5226e6bda3ccb64e34cad627210fa27
SSDEEP: 6144:n29qRfVSnfj30BmhqC8WSr24AyqaLjLj64fv:zRfQniC8WSa4C6L2wv
Malware Config
Signatures
Sakula payload (2 IoCs)
Processes (resource | yara_rule):
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula

Executes dropped EXE (1 IoC)
Processes (pid | process):
  1812 | MediaCenter.exe

Deletes itself (1 IoC)
Processes (pid | process):
  860 | cmd.exe

Loads dropped DLL (1 IoC)
Processes (pid | process):
  364 | 5e8784b2d25a38864bc27d592df9bf0c373bba2931a25872bac3043a5d170f60.exe

Adds Run key to start application (2 TTPs, 1 IoC)
Processes (description | ioc | process):
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 5e8784b2d25a38864bc27d592df9bf0c373bba2931a25872bac3043a5d170f60.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTP, 1 IoC)

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes (description | pid | process):
  Token: SeIncBasePriorityPrivilege | 364 | 5e8784b2d25a38864bc27d592df9bf0c373bba2931a25872bac3043a5d170f60.exe

Suspicious use of WriteProcessMemory (12 IoCs)
Processes (description | pid | process | target process):
  PID 364 wrote to memory of 1812 | 364 | 5e8784b2d25a38864bc27d592df9bf0c373bba2931a25872bac3043a5d170f60.exe | MediaCenter.exe
  PID 364 wrote to memory of 1812 | 364 | 5e8784b2d25a38864bc27d592df9bf0c373bba2931a25872bac3043a5d170f60.exe | MediaCenter.exe
  PID 364 wrote to memory of 1812 | 364 | 5e8784b2d25a38864bc27d592df9bf0c373bba2931a25872bac3043a5d170f60.exe | MediaCenter.exe
  PID 364 wrote to memory of 1812 | 364 | 5e8784b2d25a38864bc27d592df9bf0c373bba2931a25872bac3043a5d170f60.exe | MediaCenter.exe
  PID 364 wrote to memory of 860 | 364 | 5e8784b2d25a38864bc27d592df9bf0c373bba2931a25872bac3043a5d170f60.exe | cmd.exe
  PID 364 wrote to memory of 860 | 364 | 5e8784b2d25a38864bc27d592df9bf0c373bba2931a25872bac3043a5d170f60.exe | cmd.exe
  PID 364 wrote to memory of 860 | 364 | 5e8784b2d25a38864bc27d592df9bf0c373bba2931a25872bac3043a5d170f60.exe | cmd.exe
  PID 364 wrote to memory of 860 | 364 | 5e8784b2d25a38864bc27d592df9bf0c373bba2931a25872bac3043a5d170f60.exe | cmd.exe
  PID 860 wrote to memory of 1756 | 860 | cmd.exe | PING.EXE
  PID 860 wrote to memory of 1756 | 860 | cmd.exe | PING.EXE
  PID 860 wrote to memory of 1756 | 860 | cmd.exe | PING.EXE
  PID 860 wrote to memory of 1756 | 860 | cmd.exe | PING.EXE
Processes
1. C:\Users\Admin\AppData\Local\Temp\5e8784b2d25a38864bc27d592df9bf0c373bba2931a25872bac3043a5d170f60.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\5e8784b2d25a38864bc27d592df9bf0c373bba2931a25872bac3043a5d170f60.exe"
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\5e8784b2d25a38864bc27d592df9bf0c373bba2931a25872bac3043a5d170f60.exe"
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\PING.EXE
         Command line: ping 127.0.0.1
         - Runs ping.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (also listed as \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe)
Filesize: 222KB
MD5: e117766e2c45a74c08d8382a14f8ca45
SHA1: 7b8c45bd16d5bf628c2f4833d0650490d16d5021
SHA256: 86cb8e7003783f77b1db6f075fea341aeb693593b569551daa0daef6a0759358
SHA512: 037d92e46038f0f0d97851365797e35ab8aba3c25f0e2c3f506a927a5d44dd35224b2ef836f0d9e038cd1bedd9a2666bc71731a173ba1ff717596a51f1561544

memory/364-54-0x0000000076681000-0x0000000076683000-memory.dmp
Filesize: 8KB

memory/860-59-0x0000000000000000-mapping.dmp

memory/1756-60-0x0000000000000000-mapping.dmp

memory/1812-56-0x0000000000000000-mapping.dmp