Analysis
- max time kernel: 132s
- max time network: 141s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 09:17
Static task: static1
Behavioral task: behavioral1
  Sample: 0a89671067c808a9b32bc1cf488ac2e7c1464a7bf085476a4351e94c952184b8.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0a89671067c808a9b32bc1cf488ac2e7c1464a7bf085476a4351e94c952184b8.exe
  Resource: win10v2004-en-20220113
General
- Target: 0a89671067c808a9b32bc1cf488ac2e7c1464a7bf085476a4351e94c952184b8.exe
- Size: 150KB
- MD5: f5eac658cebe544c926a47ac19dc940b
- SHA1: 625f191f4eee11ce4e66170248ef198d2f05041f
- SHA256: 0a89671067c808a9b32bc1cf488ac2e7c1464a7bf085476a4351e94c952184b8
- SHA512: e707f199a405e846b6cf0c698268383587baabde3b2b078bd96dd554399c5ce34e38ed49fc0b38a99f04ec89ff707db55a2e6bbe58beb6ab967180a54d174ed5
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  Processes:
    resource | yara_rule
    \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- Executes dropped EXE (1 IoCs)
  Processes:
    pid | process
    1512 | MediaCenter.exe
- Deletes itself (1 IoCs)
  Processes:
    pid | process
    1064 | cmd.exe
- Loads dropped DLL (1 IoCs)
  Processes:
    pid | process
    1584 | 0a89671067c808a9b32bc1cf488ac2e7c1464a7bf085476a4351e94c952184b8.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
    description | ioc | process
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 0a89671067c808a9b32bc1cf488ac2e7c1464a7bf085476a4351e94c952184b8.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
    description | pid | process
    Token: SeIncBasePriorityPrivilege | 1584 | 0a89671067c808a9b32bc1cf488ac2e7c1464a7bf085476a4351e94c952184b8.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
    description | pid | process | target process
    PID 1584 wrote to memory of 1512 | 1584 | 0a89671067c808a9b32bc1cf488ac2e7c1464a7bf085476a4351e94c952184b8.exe | MediaCenter.exe (4 events)
    PID 1584 wrote to memory of 1064 | 1584 | 0a89671067c808a9b32bc1cf488ac2e7c1464a7bf085476a4351e94c952184b8.exe | cmd.exe (4 events)
    PID 1064 wrote to memory of 1200 | 1064 | cmd.exe | PING.EXE (4 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\0a89671067c808a9b32bc1cf488ac2e7c1464a7bf085476a4351e94c952184b8.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0a89671067c808a9b32bc1cf488ac2e7c1464a7bf085476a4351e94c952184b8.exe"
  Level 1, PID 1584
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Level 2, PID 1512
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0a89671067c808a9b32bc1cf488ac2e7c1464a7bf085476a4351e94c952184b8.exe"
    Level 2, PID 1064
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      Level 3, PID 1200
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 89cf5ddb304dd3b51f815684b1af2606
  SHA1: 282799d386f8d681fbd01954599dd3334c9ec8ab
  SHA256: 0b9c91ec49af0f84912e8b66bc7ffea7e0fd66df100a3d17ec80129a8b8563e7
  SHA512: 6151ab1e3a7c76c31fa6db9d55de08a9c58b981dd3fb68d039c0f59eb39b1df9a2d894731094981a01d6f4e8bc42282a8d9f409317a8b4a090c820453c4266c3
- \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5, SHA1, SHA256, SHA512: identical to the entry above (same dropped file)
- memory/1584-55-0x0000000075191000-0x0000000075193000-memory.dmp
  Filesize: 8KB