Analysis
- max time kernel: 152s
- max time network: 169s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 09:12
Static task: static1
Behavioral task: behavioral1
  Sample: 0abd88f76efa984c76aeeaf14de591a9656f33fed2e0236cbb0cdc3d9b695fd3.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0abd88f76efa984c76aeeaf14de591a9656f33fed2e0236cbb0cdc3d9b695fd3.exe
  Resource: win10v2004-en-20220113
General
- Target: 0abd88f76efa984c76aeeaf14de591a9656f33fed2e0236cbb0cdc3d9b695fd3.exe
- Size: 216KB
- MD5: ac829dd26d9d9237dee728f7b4cc5b99
- SHA1: 5ea3ab7bc395f0f59ea577eedcd79993efe6e759
- SHA256: 0abd88f76efa984c76aeeaf14de591a9656f33fed2e0236cbb0cdc3d9b695fd3
- SHA512: 84167f90c74c4ebb9dc4a3dc00c6895423f3a0dea1f121ee6456615bcb4d5a2db965b35c519092e337998fc8f1b0d41eb31d7c6cbca5623c586442be67f88959
Malware Config
Signatures
- Sakula Payload (4 IoCs)
  Resource / YARA rule:
    \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  family_sakula
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  family_sakula
    behavioral1/memory/1612-59-0x0000000000400000-0x0000000000420000-memory.dmp  family_sakula
    behavioral1/memory/736-61-0x0000000000400000-0x0000000000420000-memory.dmp  family_sakula
- Executes dropped EXE (1 IoC)
  PID / process:
    736  MediaCenter.exe
- Deletes itself (1 IoC)
  PID / process:
    2024  cmd.exe
- Loads dropped DLL (1 IoC)
  PID / process:
    1612  0abd88f76efa984c76aeeaf14de591a9656f33fed2e0236cbb0cdc3d9b695fd3.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Description / IoC / process:
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  0abd88f76efa984c76aeeaf14de591a9656f33fed2e0236cbb0cdc3d9b695fd3.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Description / PID / process:
    Token: SeIncBasePriorityPrivilege  1612  0abd88f76efa984c76aeeaf14de591a9656f33fed2e0236cbb0cdc3d9b695fd3.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Description / PID / process / target process:
    PID 1612 wrote to memory of 736  1612  0abd88f76efa984c76aeeaf14de591a9656f33fed2e0236cbb0cdc3d9b695fd3.exe  MediaCenter.exe
    PID 1612 wrote to memory of 736  1612  0abd88f76efa984c76aeeaf14de591a9656f33fed2e0236cbb0cdc3d9b695fd3.exe  MediaCenter.exe
    PID 1612 wrote to memory of 736  1612  0abd88f76efa984c76aeeaf14de591a9656f33fed2e0236cbb0cdc3d9b695fd3.exe  MediaCenter.exe
    PID 1612 wrote to memory of 736  1612  0abd88f76efa984c76aeeaf14de591a9656f33fed2e0236cbb0cdc3d9b695fd3.exe  MediaCenter.exe
    PID 1612 wrote to memory of 2024  1612  0abd88f76efa984c76aeeaf14de591a9656f33fed2e0236cbb0cdc3d9b695fd3.exe  cmd.exe
    PID 1612 wrote to memory of 2024  1612  0abd88f76efa984c76aeeaf14de591a9656f33fed2e0236cbb0cdc3d9b695fd3.exe  cmd.exe
    PID 1612 wrote to memory of 2024  1612  0abd88f76efa984c76aeeaf14de591a9656f33fed2e0236cbb0cdc3d9b695fd3.exe  cmd.exe
    PID 1612 wrote to memory of 2024  1612  0abd88f76efa984c76aeeaf14de591a9656f33fed2e0236cbb0cdc3d9b695fd3.exe  cmd.exe
    PID 2024 wrote to memory of 2036  2024  cmd.exe  PING.EXE
    PID 2024 wrote to memory of 2036  2024  cmd.exe  PING.EXE
    PID 2024 wrote to memory of 2036  2024  cmd.exe  PING.EXE
    PID 2024 wrote to memory of 2036  2024  cmd.exe  PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\0abd88f76efa984c76aeeaf14de591a9656f33fed2e0236cbb0cdc3d9b695fd3.exe (PID 1612)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0abd88f76efa984c76aeeaf14de591a9656f33fed2e0236cbb0cdc3d9b695fd3.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 736)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 2024)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0abd88f76efa984c76aeeaf14de591a9656f33fed2e0236cbb0cdc3d9b695fd3.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 2036)
      Command line: ping 127.0.0.1
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 8bc53d3f52b10d8d24e96d55445302d7
  SHA1: faf214db3718b6d287922c749fe590824898620e
  SHA256: 506535bc029fd1defe2ab96c67c085d5ed7d420c02e06128ea1fad632903b055
  SHA512: f09076299751e06ea5a33bfbd180e6822316c2b580fb2f93d35421abec18bef5ec52a7b369641175f4bb044fa509686c9439f6a240f767b861af5bcbc79c1e91
- \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 8bc53d3f52b10d8d24e96d55445302d7
  SHA1: faf214db3718b6d287922c749fe590824898620e
  SHA256: 506535bc029fd1defe2ab96c67c085d5ed7d420c02e06128ea1fad632903b055
  SHA512: f09076299751e06ea5a33bfbd180e6822316c2b580fb2f93d35421abec18bef5ec52a7b369641175f4bb044fa509686c9439f6a240f767b861af5bcbc79c1e91
- memory/736-61-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB
- memory/1612-55-0x0000000075B11000-0x0000000075B13000-memory.dmp
  Filesize: 8KB
- memory/1612-59-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB
- memory/1612-60-0x0000000000230000-0x0000000000250000-memory.dmp
  Filesize: 128KB