Analysis
- max time kernel: 123s
- max time network: 127s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 09:15
Tasks
- Static task: static1
- Behavioral task: behavioral1
  Sample: 0a99b036ba87ef2aa8452b16fe36da626bce25ee82b99a140160a27014946c7a.exe
  Resource: win7-en-20211208
- Behavioral task: behavioral2
  Sample: 0a99b036ba87ef2aa8452b16fe36da626bce25ee82b99a140160a27014946c7a.exe
  Resource: win10v2004-en-20220113
General
- Target: 0a99b036ba87ef2aa8452b16fe36da626bce25ee82b99a140160a27014946c7a.exe
- Size: 216KB
- MD5: 70b7ef123463f702f93e50bebb076879
- SHA1: 40b804cf0c4dd1b2e1070ae895587cb4ae35bdc3
- SHA256: 0a99b036ba87ef2aa8452b16fe36da626bce25ee82b99a140160a27014946c7a
- SHA512: 0c84e233f77cfd51da8b8a889a197aed11eb1c88f956b0d720bae1023c63bb4d3f3bd23791c265b82af7d89da975348c92baa55f340cb0ac3fd0eef8c7cc23ba
Malware Config
Signatures
- Sakula Payload (4 IoCs)
  Processes (resource / yara_rule):
  - \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe / family_sakula
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe / family_sakula
  - behavioral1/memory/1928-59-0x0000000000400000-0x0000000000420000-memory.dmp / family_sakula
  - behavioral1/memory/1136-60-0x0000000000400000-0x0000000000420000-memory.dmp / family_sakula
- Executes dropped EXE (1 IoC)
  Processes: MediaCenter.exe
  - pid 1136, process MediaCenter.exe
- Deletes itself (1 IoC)
  Processes: cmd.exe
  - pid 2024, process cmd.exe
- Loads dropped DLL (1 IoC)
  Processes: 0a99b036ba87ef2aa8452b16fe36da626bce25ee82b99a140160a27014946c7a.exe
  - pid 1928, process 0a99b036ba87ef2aa8452b16fe36da626bce25ee82b99a140160a27014946c7a.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: 0a99b036ba87ef2aa8452b16fe36da626bce25ee82b99a140160a27014946c7a.exe
  - description: Set value (str)
    ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
    process: 0a99b036ba87ef2aa8452b16fe36da626bce25ee82b99a140160a27014946c7a.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: 0a99b036ba87ef2aa8452b16fe36da626bce25ee82b99a140160a27014946c7a.exe
  - description: Token: SeIncBasePriorityPrivilege
    pid 1928, process 0a99b036ba87ef2aa8452b16fe36da626bce25ee82b99a140160a27014946c7a.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes: 0a99b036ba87ef2aa8452b16fe36da626bce25ee82b99a140160a27014946c7a.exe, cmd.exe
  (description / pid / process / target process; each row was recorded 4 times, giving the 12 IoCs)
  - PID 1928 wrote to memory of 1136 / 1928 / 0a99b036ba87ef2aa8452b16fe36da626bce25ee82b99a140160a27014946c7a.exe / MediaCenter.exe
  - PID 1928 wrote to memory of 2024 / 1928 / 0a99b036ba87ef2aa8452b16fe36da626bce25ee82b99a140160a27014946c7a.exe / cmd.exe
  - PID 2024 wrote to memory of 1624 / 2024 / cmd.exe / PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\0a99b036ba87ef2aa8452b16fe36da626bce25ee82b99a140160a27014946c7a.exe (PID 1928, depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\0a99b036ba87ef2aa8452b16fe36da626bce25ee82b99a140160a27014946c7a.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 1136, depth 2)
    command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 2024, depth 2)
    command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0a99b036ba87ef2aa8452b16fe36da626bce25ee82b99a140160a27014946c7a.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 1624, depth 3)
      command line: ping 127.0.0.1
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: a6ecd45fa2540e0e35efccc72de54582
  SHA1: 9dc027325d8709debadf70814e546309cdac399a
  SHA256: db5c195c5c93c2accdfe7028b3fb0138e0a2edb0d22c7ac85b66dce1c08fa620
  SHA512: 0b5392e9466ee9ab2fe2d33820c01ed10f25aff687cfa3b2e1882d317010fe6257bbf4c4a4510bfa8f130f0022e5ca658984fe0795af64b416cfb92e4f3c6365
- \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: a6ecd45fa2540e0e35efccc72de54582
  SHA1: 9dc027325d8709debadf70814e546309cdac399a
  SHA256: db5c195c5c93c2accdfe7028b3fb0138e0a2edb0d22c7ac85b66dce1c08fa620
  SHA512: 0b5392e9466ee9ab2fe2d33820c01ed10f25aff687cfa3b2e1882d317010fe6257bbf4c4a4510bfa8f130f0022e5ca658984fe0795af64b416cfb92e4f3c6365
- memory/1136-60-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB
- memory/1928-55-0x0000000076511000-0x0000000076513000-memory.dmp
  Filesize: 8KB
- memory/1928-59-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB