Analysis

max time kernel: 118s
max time network: 128s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 09:09

Static task: static1

Behavioral task: behavioral1
Sample: 0ad573f7b208ddcd0936c37458ac00237b00bb3e35197ee72308b25c70b7a287.exe
Resource: win7-en-20211208

Behavioral task: behavioral2
Sample: 0ad573f7b208ddcd0936c37458ac00237b00bb3e35197ee72308b25c70b7a287.exe
Resource: win10v2004-en-20220113

(The signatures, process tree and dropped files below are from the windows7_x64 run on win7-en-20211208.)
General

Target: 0ad573f7b208ddcd0936c37458ac00237b00bb3e35197ee72308b25c70b7a287.exe
Size: 99KB
MD5: 0b5506363176f153bb5d76d57e57c848
SHA1: 5e1f0c5df4e59b9608173e0093d4f44ad9f97ae4
SHA256: 0ad573f7b208ddcd0936c37458ac00237b00bb3e35197ee72308b25c70b7a287
SHA512: 6724a36ae24071506e72caa79201acdac5ac687a9b2425dafaf60afbf2bb4dc33176c4e4f47bce350a898a0d10f0aea9461b759d4832add8c88c62951084c927
Malware Config
Signatures

Sakula Payload (3 IoCs)
    resource                                                        yara_rule
    \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe      family_sakula
    \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe      family_sakula
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe    family_sakula
    All three hits are the same dropped file (see Downloads), matched by the sandbox's family_sakula YARA rule; the rule body itself is not part of this report. Sakula is a remote access trojan, so the payload to track is the dropped MediaCenter.exe rather than the submitted dropper.

Executes dropped EXE (1 IoC)
    pid    process
    804    MediaCenter.exe

Deletes itself (1 IoC)
    pid    process
    776    cmd.exe

Loads dropped DLL (2 IoCs)
    pid     process
    1564    0ad573f7b208ddcd0936c37458ac00237b00bb3e35197ee72308b25c70b7a287.exe
    1564    0ad573f7b208ddcd0936c37458ac00237b00bb3e35197ee72308b25c70b7a287.exe

Adds Run key to start application (2 TTPs, 1 IoC)
    description        ioc                                                                                                                                                              process
    Set value (str)    \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"    0ad573f7b208ddcd0936c37458ac00237b00bb3e35197ee72308b25c70b7a287.exe (PID 1564)
    Note: the Wow6432Node path is where a 32-bit process's write to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run lands on 64-bit Windows (registry redirection), so the sample is a 32-bit binary. The key is machine-wide (HKLM), which requires administrative rights; the sandbox user is Admin. The persisted path points into the user's Temp directory, which is a useful hunting criterion on its own.

Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s). The sandbox attaches "likely ransomware behaviour" to this signature generically; for a Sakula RAT sample, drive enumeration on its own is a weak indicator, and no file encryption or ransom activity is recorded anywhere in this report.

Runs ping.exe (1 TTP, 1 IoC)
    ping 127.0.0.1 (PID 1096), launched by cmd.exe (PID 776). Here the loopback ping is a short delay so that the original executable has exited before del removes it, not network activity (see the Processes section).

Suspicious use of AdjustPrivilegeToken (1 IoC)
    description    pid     process
    Token: SeIncBasePriorityPrivilege    1564    0ad573f7b208ddcd0936c37458ac00237b00bb3e35197ee72308b25c70b7a287.exe

Suspicious use of WriteProcessMemory (12 IoCs)
    description    pid     process                                                                   target process
    PID 1564 wrote to memory of 804 (x4)     0ad573f7b208ddcd0936c37458ac00237b00bb3e35197ee72308b25c70b7a287.exe    MediaCenter.exe
    PID 1564 wrote to memory of 776 (x4)     0ad573f7b208ddcd0936c37458ac00237b00bb3e35197ee72308b25c70b7a287.exe    cmd.exe
    PID 776 wrote to memory of 1096 (x4)     cmd.exe                                                                   PING.EXE
    Note: every entry is a parent writing into a child it has just created, which is what ordinary process creation does while setting up the new process; on its own this is not evidence of injection into an unrelated process.
Processes

1. C:\Users\Admin\AppData\Local\Temp\0ad573f7b208ddcd0936c37458ac00237b00bb3e35197ee72308b25c70b7a287.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\0ad573f7b208ddcd0936c37458ac00237b00bb3e35197ee72308b25c70b7a287.exe"
   PID: 1564
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      PID: 804
      - Executes dropped EXE

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0ad573f7b208ddcd0936c37458ac00237b00bb3e35197ee72308b25c70b7a287.exe"
      PID: 776
      - Deletes itself
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\PING.EXE
         Command line: ping 127.0.0.1
         PID: 1096
         - Runs ping.exe

Note: the command line names System32\cmd.exe but the image that ran is SysWOW64\cmd.exe (and likewise SysWOW64\PING.EXE), i.e. WOW64 file-system redirection applied because the parent is a 32-bit process. The "ping then del" pattern is the standard self-deletion trick: the child waits on the loopback ping while the dropper exits, then deletes the now-unlocked original file, leaving only MediaCenter.exe and the Run key behind.
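The tree above shows two behaviours worth detecting outside a sandbox: the cmd.exe "/c ping 127.0.0.1 & del" self-deletion of the parent's own image, and a Run value written (under Wow6432Node) that points into the user's Temp directory. The following Python is an added example written for this page, not code from the sandbox or from the sample: it runs detection logic over constructed process-creation and registry-set events shaped after the tree and the registry write reported above. The event field layout, the root process's parent PID (1000) and the hypothetical function names are assumptions; it generalizes the page's exact command line to any ping/timeout delay followed by del/erase.

```python
import re
from dataclasses import dataclass

# Constructed events shaped after the process tree and registry write in the
# report above. Illustrative data, not real telemetry; the root's parent PID
# (1000) and the field layout are assumptions.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\0ad573f7b208ddcd0936c37458ac00237b00bb3e35197ee72308b25c70b7a287.exe")
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str    # image path as resolved on disk
    cmdline: str  # command line as supplied by the parent


@dataclass
class RegEvent:
    pid: int
    key: str
    value_name: str
    data: str


PROC_EVENTS = [
    ProcEvent(1564, 1000, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(804, 1564, DROPPED, DROPPED),
    ProcEvent(776, 1564, r"C:\Windows\SysWOW64\cmd.exe",
              f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"'),
    ProcEvent(1096, 776, r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.1"),
]
REG_EVENTS = [
    RegEvent(1564, r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run",
             "MicroMedia", DROPPED),
]

# cmd /c <delay> & del <path>: the delay (ping to loopback, or timeout) lets the
# parent exit so that deleting its own image succeeds.
SELF_DELETE_RE = re.compile(
    r'cmd(?:\.exe)?"?\s+/c\s+(?:ping|timeout)\s+[^&]*&\s*(?:del|erase)\s+'
    r'(?:/\w+\s+)*"?(?P<target>[^"]+?)"?\s*$',
    re.IGNORECASE,
)
# Run/RunOnce, with or without the Wow6432Node hop that 32-bit writers get.
RUN_KEY_RE = re.compile(
    r"\\(?:Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?$", re.IGNORECASE)
# Staging directories any user can write to.
USER_WRITABLE_RE = re.compile(
    r"\\AppData\\Local\\Temp\\|\\Users\\Public\\|\\ProgramData\\", re.IGNORECASE)


def _norm(path: str) -> str:
    return path.strip().strip('"').lower()


def find_self_deletes(events):
    """Return (pid, ppid, target) for cmd.exe children that delay and then
    delete their parent's own image file."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        m = SELF_DELETE_RE.search(e.cmdline)
        if not m:
            continue
        parent = by_pid.get(e.ppid)
        target = m.group("target").strip()
        if parent and _norm(parent.image) == _norm(target):
            hits.append((e.pid, e.ppid, target))
    return hits


def find_temp_run_keys(reg_events):
    """Return Run/RunOnce values whose target lives in a user-writable
    staging directory, recording scope and whether WOW64 redirection applied."""
    hits = []
    for r in reg_events:
        if not RUN_KEY_RE.search(r.key):
            continue
        exe = r.data.strip().strip('"')
        if USER_WRITABLE_RE.search(exe):
            hits.append({
                "pid": r.pid,
                "scope": "HKLM" if r.key.upper().startswith(r"\REGISTRY\MACHINE") else "HKCU",
                "wow64_redirected": "wow6432node" in r.key.lower(),
                "name": r.value_name,
                "exe": exe,
            })
    return hits


def find_redirected_system32(events):
    """PIDs whose command line names System32 but whose image resolved to
    SysWOW64: the parent is a 32-bit process on 64-bit Windows."""
    return [e.pid for e in events
            if "\\system32\\" in e.cmdline.lower() and "\\syswow64\\" in e.image.lower()]


if __name__ == "__main__":
    for hit in find_self_deletes(PROC_EVENTS):
        print("self-delete via cmd delay:", hit)
    for hit in find_temp_run_keys(REG_EVENTS):
        print("Run-key persistence into user-writable dir:", hit)
    print("WOW64-redirected processes:", find_redirected_system32(PROC_EVENTS))
```

The self-delete check deliberately requires the deleted path to equal the parent's image: a cmd.exe that pings and deletes some other file is noisy but not this pattern. The Run-key check reports HKLM versus HKCU scope separately because an HKLM write, as in this report, implies the dropper ran with administrative rights.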
Network
MITRE ATT&CK Enterprise v6
Downloads

Dropped file: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
(listed three times in the report, once with the drive letter and twice as \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe; all three entries carry the same hashes)
MD5: 7e3de82f6d45f4ad912cc6919e55422c
SHA1: 64f4f1c6d2ec6f7b2eaad67b2c8872454ee9ccc6
SHA256: bd38a6ac7242e8e3bbb4311bfae518c3d880332e5bbb20365ef7186a1f260495
SHA512: 042e74ab9fcb3691e85a93130d43429b215c41da3ec050f6068d1820245e73cff900bc5957f3e52960f8fa97d02214fcb353fb09c43ffe2a24b6596044e2f67f
These hashes differ from the submitted sample's (SHA256 0ad573f7...), so the dropped MediaCenter.exe is a distinct file to track, not a copy of the dropper.

Memory dump: memory/1564-54-0x00000000766D1000-0x00000000766D3000-memory.dmp
Filesize: 8KB