Analysis
- max time kernel: 119s
- max time network: 125s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 09:11
Static task: static1
Behavioral task: behavioral1
  Sample: 0ac4fb23d45fdc5f49d73f2253893946ed45b259f304f82342bd79e08b6ce6e8.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0ac4fb23d45fdc5f49d73f2253893946ed45b259f304f82342bd79e08b6ce6e8.exe
  Resource: win10v2004-en-20220112
General
- Target: 0ac4fb23d45fdc5f49d73f2253893946ed45b259f304f82342bd79e08b6ce6e8.exe
- Size: 99KB
- MD5: fd2ede9fd65459ee54ce568b37d58edd
- SHA1: 37c2e6406d7660fa05496d1b1f21d0213bb3e48f
- SHA256: 0ac4fb23d45fdc5f49d73f2253893946ed45b259f304f82342bd79e08b6ce6e8
- SHA512: 0c87b8dac07deebfd8b3fce4684fb2885bfc27a5a0b3cc114542241717813aa343b83b9cabe4dcb5596fa765c58a394636bd06a07db26340bbaeff0542d9b39e
Malware Config
Signatures
- Sakula Payload (3 IoCs)
  resource | yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- Executes dropped EXE (1 IoC)
  pid | process
  1536 | MediaCenter.exe
- Deletes itself (1 IoC)
  pid | process
  1460 | cmd.exe
- Loads dropped DLL (2 IoCs)
  pid | process
  832 | 0ac4fb23d45fdc5f49d73f2253893946ed45b259f304f82342bd79e08b6ce6e8.exe
  832 | 0ac4fb23d45fdc5f49d73f2253893946ed45b259f304f82342bd79e08b6ce6e8.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 0ac4fb23d45fdc5f49d73f2253893946ed45b259f304f82342bd79e08b6ce6e8.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 832 | 0ac4fb23d45fdc5f49d73f2253893946ed45b259f304f82342bd79e08b6ce6e8.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  description | pid | process | target process
  PID 832 wrote to memory of 1536 | 832 | 0ac4fb23d45fdc5f49d73f2253893946ed45b259f304f82342bd79e08b6ce6e8.exe | MediaCenter.exe
  PID 832 wrote to memory of 1536 | 832 | 0ac4fb23d45fdc5f49d73f2253893946ed45b259f304f82342bd79e08b6ce6e8.exe | MediaCenter.exe
  PID 832 wrote to memory of 1536 | 832 | 0ac4fb23d45fdc5f49d73f2253893946ed45b259f304f82342bd79e08b6ce6e8.exe | MediaCenter.exe
  PID 832 wrote to memory of 1536 | 832 | 0ac4fb23d45fdc5f49d73f2253893946ed45b259f304f82342bd79e08b6ce6e8.exe | MediaCenter.exe
  PID 832 wrote to memory of 1460 | 832 | 0ac4fb23d45fdc5f49d73f2253893946ed45b259f304f82342bd79e08b6ce6e8.exe | cmd.exe
  PID 832 wrote to memory of 1460 | 832 | 0ac4fb23d45fdc5f49d73f2253893946ed45b259f304f82342bd79e08b6ce6e8.exe | cmd.exe
  PID 832 wrote to memory of 1460 | 832 | 0ac4fb23d45fdc5f49d73f2253893946ed45b259f304f82342bd79e08b6ce6e8.exe | cmd.exe
  PID 832 wrote to memory of 1460 | 832 | 0ac4fb23d45fdc5f49d73f2253893946ed45b259f304f82342bd79e08b6ce6e8.exe | cmd.exe
  PID 1460 wrote to memory of 1080 | 1460 | cmd.exe | PING.EXE
  PID 1460 wrote to memory of 1080 | 1460 | cmd.exe | PING.EXE
  PID 1460 wrote to memory of 1080 | 1460 | cmd.exe | PING.EXE
  PID 1460 wrote to memory of 1080 | 1460 | cmd.exe | PING.EXE
Processes
1. Image: C:\Users\Admin\AppData\Local\Temp\0ac4fb23d45fdc5f49d73f2253893946ed45b259f304f82342bd79e08b6ce6e8.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\0ac4fb23d45fdc5f49d73f2253893946ed45b259f304f82342bd79e08b6ce6e8.exe"
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   PID: 832
   2. Image: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE
      PID: 1536
   2. Image: C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0ac4fb23d45fdc5f49d73f2253893946ed45b259f304f82342bd79e08b6ce6e8.exe"
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      PID: 1460
      3. Image: C:\Windows\SysWOW64\PING.EXE
         Command line: ping 127.0.0.1
         - Runs ping.exe
         PID: 1080
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 296e3e730b900af509add97a2c74b45b
  SHA1: f194c83d7309648c14f15b1ea4ad5da55391935a
  SHA256: 4a3fc2e6de4b7ae7d8ad9873971a1ddbaba8574920e1075ff9382b51a7f171fb
  SHA512: 59c3496864267ec4b85064b626cd8cfab8f9bec9cfc9073b6c78bf392f2487a72339844b2723fe65f6e462b16194112398da0d24931a5cf4b8f29fbb6c1394b4
- \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 296e3e730b900af509add97a2c74b45b
  SHA1: f194c83d7309648c14f15b1ea4ad5da55391935a
  SHA256: 4a3fc2e6de4b7ae7d8ad9873971a1ddbaba8574920e1075ff9382b51a7f171fb
  SHA512: 59c3496864267ec4b85064b626cd8cfab8f9bec9cfc9073b6c78bf392f2487a72339844b2723fe65f6e462b16194112398da0d24931a5cf4b8f29fbb6c1394b4
- memory/832-53-0x0000000076C91000-0x0000000076C93000-memory.dmp
  Filesize: 8KB