Analysis
- max time kernel: 132s
- max time network: 145s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 09:11
Static task: static1
Behavioral task: behavioral1
  Sample: 0ac5421c704269518f7099aa9ba3d46e43f03059111b9cef88a8193a1e5c7245.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0ac5421c704269518f7099aa9ba3d46e43f03059111b9cef88a8193a1e5c7245.exe
  Resource: win10v2004-en-20220112
General
- Target: 0ac5421c704269518f7099aa9ba3d46e43f03059111b9cef88a8193a1e5c7245.exe
- Size: 100KB
- MD5: fcd3a9a8f7a230886288a72e838938dc
- SHA1: 718a4c37e84c03ba7b96f1def6b90c1cc3bce4f7
- SHA256: 0ac5421c704269518f7099aa9ba3d46e43f03059111b9cef88a8193a1e5c7245
- SHA512: 731dd3ad25b215915ddeb7450f23ab8411fa08a97b7c4ca41321e9b040fa7e71aec72b27a1bc341fb75640e4341d62871a6397ed7ef378bb88959cc8e045a371
Malware Config
Signatures
- Sakula Payload (3 IoCs)
  Processes (resource | yara_rule):
    \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
    \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- Executes dropped EXE (1 IoCs)
  Processes (pid | process):
    1664 | MediaCenter.exe
- Deletes itself (1 IoCs)
  Processes (pid | process):
    396 | cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid | process):
    952 | 0ac5421c704269518f7099aa9ba3d46e43f03059111b9cef88a8193a1e5c7245.exe
    952 | 0ac5421c704269518f7099aa9ba3d46e43f03059111b9cef88a8193a1e5c7245.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes (description | ioc | process):
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 0ac5421c704269518f7099aa9ba3d46e43f03059111b9cef88a8193a1e5c7245.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes (description | pid | process):
    Token: SeIncBasePriorityPrivilege | 952 | 0ac5421c704269518f7099aa9ba3d46e43f03059111b9cef88a8193a1e5c7245.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description | pid | process | target process):
    PID 952 wrote to memory of 1664 | 952 | 0ac5421c704269518f7099aa9ba3d46e43f03059111b9cef88a8193a1e5c7245.exe | MediaCenter.exe
    PID 952 wrote to memory of 1664 | 952 | 0ac5421c704269518f7099aa9ba3d46e43f03059111b9cef88a8193a1e5c7245.exe | MediaCenter.exe
    PID 952 wrote to memory of 1664 | 952 | 0ac5421c704269518f7099aa9ba3d46e43f03059111b9cef88a8193a1e5c7245.exe | MediaCenter.exe
    PID 952 wrote to memory of 1664 | 952 | 0ac5421c704269518f7099aa9ba3d46e43f03059111b9cef88a8193a1e5c7245.exe | MediaCenter.exe
    PID 952 wrote to memory of 396 | 952 | 0ac5421c704269518f7099aa9ba3d46e43f03059111b9cef88a8193a1e5c7245.exe | cmd.exe
    PID 952 wrote to memory of 396 | 952 | 0ac5421c704269518f7099aa9ba3d46e43f03059111b9cef88a8193a1e5c7245.exe | cmd.exe
    PID 952 wrote to memory of 396 | 952 | 0ac5421c704269518f7099aa9ba3d46e43f03059111b9cef88a8193a1e5c7245.exe | cmd.exe
    PID 952 wrote to memory of 396 | 952 | 0ac5421c704269518f7099aa9ba3d46e43f03059111b9cef88a8193a1e5c7245.exe | cmd.exe
    PID 396 wrote to memory of 1048 | 396 | cmd.exe | PING.EXE
    PID 396 wrote to memory of 1048 | 396 | cmd.exe | PING.EXE
    PID 396 wrote to memory of 1048 | 396 | cmd.exe | PING.EXE
    PID 396 wrote to memory of 1048 | 396 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\0ac5421c704269518f7099aa9ba3d46e43f03059111b9cef88a8193a1e5c7245.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0ac5421c704269518f7099aa9ba3d46e43f03059111b9cef88a8193a1e5c7245.exe"
  PID: 952
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 1664
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0ac5421c704269518f7099aa9ba3d46e43f03059111b9cef88a8193a1e5c7245.exe"
    PID: 396
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 1048
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 47ab367eb542d54f2bc7d5cec45be109
  SHA1: f6cf71dac285d1c4ece1eeae0718f84f88b37fb9
  SHA256: 58004b095cba36dd5f0eb48bd2557bc6a2a9f96c9176d2694b2c5c3bc63b5b53
  SHA512: de57689ddfe66c809a3e4f19f42cb4006892d12eb31cb60be2129604a2d4163d94492b1092030a142aeb975f73be31136279fc822c5052af94470eb16c6ef8d6
- memory/952-54-0x0000000075B51000-0x0000000075B53000-memory.dmp
  Filesize: 8KB