Analysis
- max time kernel: 139s
- max time network: 142s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 09:15
Static task: static1
Behavioral task: behavioral1
- Sample: 0a9408f4e114df416240ca346b217893fda3a2de65854f33e1f77d7060c007fa.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 0a9408f4e114df416240ca346b217893fda3a2de65854f33e1f77d7060c007fa.exe
- Resource: win10v2004-en-20220113
General
- Target: 0a9408f4e114df416240ca346b217893fda3a2de65854f33e1f77d7060c007fa.exe
- Size: 216KB
- MD5: e47817dc4f644a4d01a409b56aa32784
- SHA1: dacf30e617f62393fdf4e8d8b9ebb2e823f90d7c
- SHA256: 0a9408f4e114df416240ca346b217893fda3a2de65854f33e1f77d7060c007fa
- SHA512: 2d653502b6b11a6f812338ea64a1277b51db1b397f6e16eb4f112da151cebbd92beac210fd52019834bcee666ea36f3d4fcfc63425dcc886b84cc41e66d5d6dc
Malware Config
Signatures
- Sakula Payload (4 IoCs)
  Processes:
  resource | yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  behavioral1/memory/944-57-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
  behavioral1/memory/1688-58-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
- Executes dropped EXE (1 IoC)
  Processes:
  pid | process
  1688 | MediaCenter.exe
- Deletes itself (1 IoC)
  Processes:
  pid | process
  1852 | cmd.exe
- Loads dropped DLL (1 IoC)
  Processes:
  pid | process
  944 | 0a9408f4e114df416240ca346b217893fda3a2de65854f33e1f77d7060c007fa.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 0a9408f4e114df416240ca346b217893fda3a2de65854f33e1f77d7060c007fa.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 944 | 0a9408f4e114df416240ca346b217893fda3a2de65854f33e1f77d7060c007fa.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
  description | pid | process | target process
  PID 944 wrote to memory of 1688 | 944 | 0a9408f4e114df416240ca346b217893fda3a2de65854f33e1f77d7060c007fa.exe | MediaCenter.exe
  PID 944 wrote to memory of 1688 | 944 | 0a9408f4e114df416240ca346b217893fda3a2de65854f33e1f77d7060c007fa.exe | MediaCenter.exe
  PID 944 wrote to memory of 1688 | 944 | 0a9408f4e114df416240ca346b217893fda3a2de65854f33e1f77d7060c007fa.exe | MediaCenter.exe
  PID 944 wrote to memory of 1688 | 944 | 0a9408f4e114df416240ca346b217893fda3a2de65854f33e1f77d7060c007fa.exe | MediaCenter.exe
  PID 944 wrote to memory of 1852 | 944 | 0a9408f4e114df416240ca346b217893fda3a2de65854f33e1f77d7060c007fa.exe | cmd.exe
  PID 944 wrote to memory of 1852 | 944 | 0a9408f4e114df416240ca346b217893fda3a2de65854f33e1f77d7060c007fa.exe | cmd.exe
  PID 944 wrote to memory of 1852 | 944 | 0a9408f4e114df416240ca346b217893fda3a2de65854f33e1f77d7060c007fa.exe | cmd.exe
  PID 944 wrote to memory of 1852 | 944 | 0a9408f4e114df416240ca346b217893fda3a2de65854f33e1f77d7060c007fa.exe | cmd.exe
  PID 1852 wrote to memory of 1272 | 1852 | cmd.exe | PING.EXE
  PID 1852 wrote to memory of 1272 | 1852 | cmd.exe | PING.EXE
  PID 1852 wrote to memory of 1272 | 1852 | cmd.exe | PING.EXE
  PID 1852 wrote to memory of 1272 | 1852 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\0a9408f4e114df416240ca346b217893fda3a2de65854f33e1f77d7060c007fa.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0a9408f4e114df416240ca346b217893fda3a2de65854f33e1f77d7060c007fa.exe"
  PID: 944
  Signatures:
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Children:
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 1688
    Signatures:
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0a9408f4e114df416240ca346b217893fda3a2de65854f33e1f77d7060c007fa.exe"
    PID: 1852
    Signatures:
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    Children:
    - C:\Windows\SysWOW64\PING.EXE (depth 3)
      Command line: ping 127.0.0.1
      PID: 1272
      Signatures:
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 898aa57305f2913461cfbbea416411a1
  SHA1: d83e5d0c2b982abf806f8751be05e32fa8676c25
  SHA256: 0b0f59c53673e1c59351021f3c2153a8197f6a9efec983fb36ca4826a24d1729
  SHA512: 0e649f2a884e6bd9196f3f9384e79c06823150a9ff40ec1b17445414a343b9e20d8d62d01d3604d961155fcdc7b2bc48b6ed01c780eb1946232286dacb596cbb
- \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 898aa57305f2913461cfbbea416411a1
  SHA1: d83e5d0c2b982abf806f8751be05e32fa8676c25
  SHA256: 0b0f59c53673e1c59351021f3c2153a8197f6a9efec983fb36ca4826a24d1729
  SHA512: 0e649f2a884e6bd9196f3f9384e79c06823150a9ff40ec1b17445414a343b9e20d8d62d01d3604d961155fcdc7b2bc48b6ed01c780eb1946232286dacb596cbb
- memory/944-53-0x0000000076151000-0x0000000076153000-memory.dmp
  Filesize: 8KB
- memory/944-57-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB
- memory/1688-58-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB