Analysis
- max time kernel: 136s
- max time network: 148s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 08:25
Static task: static1
Behavioral task: behavioral1
- Sample: 0b188382593af6f19835504390336f2e6d0eef62b9e3be531e23077dbf301196.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 0b188382593af6f19835504390336f2e6d0eef62b9e3be531e23077dbf301196.exe
- Resource: win10v2004-en-20220112
General
- Target: 0b188382593af6f19835504390336f2e6d0eef62b9e3be531e23077dbf301196.exe
- Size: 116KB
- MD5: d801572fd3337510c1d3b22984c90c26
- SHA1: 97b78db5c6e6d80dc397b57eca5726b021ea13d5
- SHA256: 0b188382593af6f19835504390336f2e6d0eef62b9e3be531e23077dbf301196
- SHA512: 28b4adcb4735dfaca6dd5180fc81a6ddc060edd4017991a8ad1e5a2112c0b0126254079f5c1f737024b8781380e26ec81f1e168a3766d310d23d3a71d0c4424c
Malware Config
Signatures
-
- Sakula Payload (4 IoCs)
  resource: yara_rule
  - \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe: family_sakula
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe: family_sakula
  - behavioral1/memory/792-59-0x0000000000400000-0x0000000000420000-memory.dmp: family_sakula
  - behavioral1/memory/1592-60-0x0000000000400000-0x0000000000420000-memory.dmp: family_sakula
- Executes dropped EXE (1 IoC)
  - PID 1592: MediaCenter.exe
- Deletes itself (1 IoC)
  - PID 1612: cmd.exe
- Loads dropped DLL (1 IoC)
  - PID 792: 0b188382593af6f19835504390336f2e6d0eef62b9e3be531e23077dbf301196.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
    by PID 792: 0b188382593af6f19835504390336f2e6d0eef62b9e3be531e23077dbf301196.exe
- Enumerates physical storage devices (1 TTP)
  Sandbox description: attempts to interact with connected storage/optical drive(s), which the sandbox labels "likely ransomware behaviour". That label is the signature's generic text, not a finding about this sample: nothing else in the report (no file modifications, no ransom note, a YARA match on the Sakula family, which is a remote access trojan) points to encryption, so treat the drive enumeration as host reconnaissance rather than as evidence of ransomware.
Runs ping.exe 1 TTPs 1 IoCs
-
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  - Token: SeIncBasePriorityPrivilege, PID 792: 0b188382593af6f19835504390336f2e6d0eef62b9e3be531e23077dbf301196.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  - PID 792 (0b188382593af6f19835504390336f2e6d0eef62b9e3be531e23077dbf301196.exe) wrote to memory of PID 1592 (MediaCenter.exe), 4 times
  - PID 792 (0b188382593af6f19835504390336f2e6d0eef62b9e3be531e23077dbf301196.exe) wrote to memory of PID 1612 (cmd.exe), 4 times
  - PID 1612 (cmd.exe) wrote to memory of PID 1132 (PING.EXE), 4 times
  Every write here is from a parent into a child it has just created, and the benign cmd.exe-to-PING.EXE pair shows the same four-write pattern, so these are the normal process-creation writes rather than injection into an unrelated process.
Processes
- C:\Users\Admin\AppData\Local\Temp\0b188382593af6f19835504390336f2e6d0eef62b9e3be531e23077dbf301196.exe (PID 792)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0b188382593af6f19835504390336f2e6d0eef62b9e3be531e23077dbf301196.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 1592, child of 792)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 1612, child of 792)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0b188382593af6f19835504390336f2e6d0eef62b9e3be531e23077dbf301196.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 1132, child of 1612)
      Command line: ping 127.0.0.1
      - Runs ping.exe

Note: the command line requests C:\Windows\System32\cmd.exe but the process image is C:\Windows\SysWOW64\cmd.exe. The dropper is a 32-bit process on a 64-bit host, so file-system redirection maps System32 to SysWOW64, for the same reason its Run value lands under Wow6432Node. The ping to 127.0.0.1 has no network purpose: it is a delay so the dropper has exited before del removes its file, and the sandbox attributes "Deletes itself" to cmd.exe (PID 1612) because cmd.exe performs the deletion on the dropper's behalf.
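The two behaviours above (a Run value pointing into the user's Temp directory, and the "ping 127.0.0.1 & del" self-deletion through a child cmd.exe) are easy to hunt for in endpoint telemetry. The following is an added example, not part of the sandbox report or of the Sakula sample: detection logic run over constructed process-create and registry-set events that mirror the PIDs, images and command lines listed in this report. The event classes are hypothetical (loosely shaped like Sysmon event 1 and event 13 records), the parent PID 500 for the dropper is assumed since the report does not show it, and the regexes generalise a little beyond this sample (RunOnce, HKCU, "-n" ping counts, other user-writable directories).

```python
# Added example (not from the sandbox report or the Sakula sample): detection logic
# for Temp-based Run persistence and "ping & del" self-deletion, run over constructed
# events. ProcEvent/RegEvent are hypothetical shapes; PPID 500 is assumed.
import re
from dataclasses import dataclass
from typing import List, Set, Tuple


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the process image
    cmdline: str


@dataclass
class RegEvent:
    pid: int
    key: str        # full registry path of the value written
    value: str      # string data written


# "cmd /c ping 127.0.0.1 & del /q <file>": the ping is only a delay so the parent
# has exited before del runs; the named group captures the path being deleted.
SELF_DELETE_RE = re.compile(
    r'ping\s+(?:-n\s+\d+\s+)?127\.0\.0\.1.*?&\s*del\s+(?:/[a-z]+\s+)*'
    r'"?(?P<target>[^"&]+?)"?\s*$',
    re.IGNORECASE,
)

# Run / RunOnce under HKLM or HKCU, in the native or the Wow6432Node view.
RUN_KEY_RE = re.compile(
    r'^\\?(?:REGISTRY\\MACHINE|HKLM|HKEY_LOCAL_MACHINE|REGISTRY\\USER|HKCU|HKEY_CURRENT_USER)\\'
    r'.*\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\',
    re.IGNORECASE,
)

# Directories a non-admin user can write to; an autorun value pointing here is a strong signal.
USER_WRITABLE = (
    "\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\appdata\\local\\",
    "\\users\\public\\", "\\programdata\\",
)


def detect_self_delete(events: List[ProcEvent]) -> List[Tuple[int, str]]:
    """(cmd.exe pid, deleted path) for every cmd.exe that deletes its own parent's image."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if not e.image.lower().endswith("\\cmd.exe"):
            continue
        m = SELF_DELETE_RE.search(e.cmdline)
        if not m:
            continue
        target = m.group("target").strip().lower()
        parent = by_pid.get(e.ppid)
        if parent is not None and parent.image.lower() == target:
            hits.append((e.pid, target))
    return hits


def detect_temp_run_key(events: List[RegEvent]) -> List[Tuple[int, str, str]]:
    """(pid, key, value) for Run/RunOnce values whose target sits in a user-writable path."""
    hits = []
    for e in events:
        if not RUN_KEY_RE.search(e.key):
            continue
        v = e.value.lower().replace("\\\\", "\\")   # sandbox/JSON exports double the backslashes
        if any(p in v for p in USER_WRITABLE):
            hits.append((e.pid, e.key, e.value))
    return hits


def correlate(proc_events: List[ProcEvent], reg_events: List[RegEvent]) -> Set[int]:
    """PIDs that both installed user-writable Run persistence and erased their own image:
    the dropper pattern this report shows."""
    by_pid = {e.pid: e for e in proc_events}
    erased = {by_pid[pid].ppid for pid, _ in detect_self_delete(proc_events)}
    persisted = {pid for pid, _, _ in detect_temp_run_key(reg_events)}
    return erased & persisted


# Constructed events mirroring the report's process tree and Run-key write.
DROPPER = (r"C:\Users\Admin\AppData\Local\Temp"
           r"\0b188382593af6f19835504390336f2e6d0eef62b9e3be531e23077dbf301196.exe")
PAYLOAD = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
PROC_EVENTS = [
    ProcEvent(792, 500, DROPPER, f'"{DROPPER}"'),              # PPID 500 assumed
    ProcEvent(1592, 792, PAYLOAD, PAYLOAD),
    ProcEvent(1612, 792, r"C:\Windows\SysWOW64\cmd.exe",
              '"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "' + DROPPER + '"'),
    ProcEvent(1132, 1612, r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.1"),
]
REG_EVENTS = [
    RegEvent(792, r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
             PAYLOAD),
]

if __name__ == "__main__":
    print("self-delete:", detect_self_delete(PROC_EVENTS))
    print("temp run key:", detect_temp_run_key(REG_EVENTS))
    print("dropper pids:", correlate(PROC_EVENTS, REG_EVENTS))
```

The self-delete check deliberately requires the deleted path to equal the parent's image: a cmd.exe that pings and then deletes some other file is common in installers, while deleting its own parent is almost always a dropper covering its tracks. The correlation step is what turns two medium-confidence signals into a high-confidence one, because a process that both persists a payload from Temp and then removes itself matches exactly the sequence PID 792 performs here.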
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  - MD5: f3d5a1a05b5d3653a63cf576616d7369
  - SHA1: 0dc5e86c96ef36f6dbe9f90bf001b1f5767a78a9
  - SHA256: a19ab9774cfbcd31246f4eb5323fe8da9ac669e3d4722e9d65f7b256d8462318
  - SHA512: c160d85e7c46f2c600cd467fa5fed722deba751585c6874365ecad2ae96cb0f4bdf6eefa5adb992f5d2ec2217eb3c508930d91432c267a4f0c245a2983fd6e36
- \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  - Same file recorded under its drive-less path; MD5, SHA1, SHA256 and SHA512 are identical to the entry above.
- memory/792-55-0x0000000075321000-0x0000000075323000-memory.dmp
  - Filesize: 8KB
- memory/792-59-0x0000000000400000-0x0000000000420000-memory.dmp
  - Filesize: 128KB
- memory/1592-60-0x0000000000400000-0x0000000000420000-memory.dmp
  - Filesize: 128KB