Analysis

max time kernel: 136s
max time network: 158s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 08:27

Static task: static1

Behavioral task: behavioral1
Sample: 0b04655588cdcb3161c06cc6dd571638dca8fa18e92069a58e78ffecc453b25c.exe
Resource: win7-en-20211208

Behavioral task: behavioral2
Sample: 0b04655588cdcb3161c06cc6dd571638dca8fa18e92069a58e78ffecc453b25c.exe
Resource: win10v2004-en-20220113
General

Target: 0b04655588cdcb3161c06cc6dd571638dca8fa18e92069a58e78ffecc453b25c.exe
Size: 79KB
MD5: 70c208ded9dcbd77d3a82e12275ac2cb
SHA1: 687849cc03667ea32ce8b564dea2d40a6b4e2b6c
SHA256: 0b04655588cdcb3161c06cc6dd571638dca8fa18e92069a58e78ffecc453b25c
SHA512: 3852b0d487ec9019707ac52f6a88a8728cedeb4789699865d8d70a0aa95846bffce2ad6488815beb56a63eaf9c9bc8dbbb04ddbc79efa46f13a3a1d27aba4bcc
Malware Config
Signatures

Sakula Payload (3 IoCs)
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
The three hits refer to the same dropped file; the Downloads section lists identical hashes for each path form.

Executes dropped EXE (1 IoC)
pid | process
1796 | MediaCenter.exe

Deletes itself (1 IoC)
pid | process
1596 | cmd.exe

Loads dropped DLL (2 IoCs)
pid | process
1572 | 0b04655588cdcb3161c06cc6dd571638dca8fa18e92069a58e78ffecc453b25c.exe
1572 | 0b04655588cdcb3161c06cc6dd571638dca8fa18e92069a58e78ffecc453b25c.exe

Adds Run key to start application (2 TTPs, 1 IoC)
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 0b04655588cdcb3161c06cc6dd571638dca8fa18e92069a58e78ffecc453b25c.exe
The key is under HKLM, a machine-wide autorun, so the sample ran with rights to write it (the sandbox user is Admin). It lands under Wow6432Node because a 32-bit process writing HKLM\SOFTWARE on x64 Windows is redirected there; when hunting on 64-bit hosts, check both the native and the Wow6432Node Run keys.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
The second sentence is the sandbox's generic description for this signature. No other signature in this report shows file encryption or a ransom note, and the YARA hits classify the payload as Sakula.

Runs ping.exe (1 TTP, 1 IoC)
pid | process
1636 | PING.EXE

Suspicious use of AdjustPrivilegeToken (1 IoC)
description | pid | process
Token: SeIncBasePriorityPrivilege | 1572 | 0b04655588cdcb3161c06cc6dd571638dca8fa18e92069a58e78ffecc453b25c.exe

Suspicious use of WriteProcessMemory (12 IoCs)
pid | process | target pid | target process | events
1572 | 0b04655588cdcb3161c06cc6dd571638dca8fa18e92069a58e78ffecc453b25c.exe | 1796 | MediaCenter.exe | 4
1572 | 0b04655588cdcb3161c06cc6dd571638dca8fa18e92069a58e78ffecc453b25c.exe | 1596 | cmd.exe | 4
1596 | cmd.exe | 1636 | PING.EXE | 4
Every edge here coincides with a parent/child pair in the process tree below. That is the pattern of a parent writing into a process it has just created, not of injection into an unrelated, already-running process.
Processes

C:\Users\Admin\AppData\Local\Temp\0b04655588cdcb3161c06cc6dd571638dca8fa18e92069a58e78ffecc453b25c.exe (PID 1572)
  command line: "C:\Users\Admin\AppData\Local\Temp\0b04655588cdcb3161c06cc6dd571638dca8fa18e92069a58e78ffecc453b25c.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 1796)
    command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE

  C:\Windows\SysWOW64\cmd.exe (PID 1596)
    command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0b04655588cdcb3161c06cc6dd571638dca8fa18e92069a58e78ffecc453b25c.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\PING.EXE (PID 1636)
      command line: ping 127.0.0.1
      - Runs ping.exe

Two details worth reading off the tree. The command line names System32\cmd.exe while the image that actually ran is SysWOW64\cmd.exe: the sample is a 32-bit process, so file system redirection maps System32 to SysWOW64 for it, which is also why its Run key landed under Wow6432Node. And the ping 127.0.0.1 in the cmd.exe child is a delay, not network activity: cmd.exe has no sleep builtin, four echo requests to loopback take a few seconds, and by then the dropper (PID 1572) has exited and released its file lock, so del /q can remove the original binary. The dropped copy, MediaCenter.exe, survives and is what the Run key launches at the next logon.
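The two behaviours this report ties together, an HKLM Run value pointing into the user's Temp directory and a cmd.exe child that pings loopback and then deletes its parent's image, are both easy to express as detection logic over endpoint telemetry. The Python below is an added example written for this page, not one of the sandbox's own signatures. It runs over constructed Sysmon-style events (Event ID 1 process creation, Event ID 13 registry value set) modelled on the process tree and the Run key IoC above; the PIDs, paths, registry value and cmd.exe command line are taken from the report, while the event layout, the explorer.exe parent assumed for PID 1572 and the benign control event are assumptions. The self-delete matcher is written generally (it also accepts erase, && chaining and bare paths), so it covers more than the one command line shown here.

```python
import re

# Constructed Sysmon-style events (Event ID 1 = process creation, Event ID 13 =
# registry value set) modelled on the process tree and Run key IoC in the report.
# PIDs, image paths, the registry value and the cmd.exe command line come from the
# report; the event layout, the explorer.exe parent assumed for PID 1572 and the
# benign control event at the end are assumptions made for this example.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\0b04655588cdcb3161c06cc6dd571638dca8fa18e92069a58e78ffecc453b25c.exe")
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

EVENTS = [
    {"EventID": 1, "ProcessId": 1572, "Image": SAMPLE,
     "ParentImage": r"C:\Windows\explorer.exe",  # assumed parent, not in the report
     "CommandLine": '"' + SAMPLE + '"'},
    {"EventID": 13, "ProcessId": 1572, "Image": SAMPLE,
     "TargetObject": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "Details": DROPPED},
    {"EventID": 1, "ProcessId": 1796, "Image": DROPPED, "ParentImage": SAMPLE,
     "CommandLine": DROPPED},
    {"EventID": 1, "ProcessId": 1596, "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "ParentImage": SAMPLE,
     "CommandLine": '"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "' + SAMPLE + '"'},
    {"EventID": 1, "ProcessId": 1636, "Image": r"C:\Windows\SysWOW64\PING.EXE",
     "ParentImage": r"C:\Windows\SysWOW64\cmd.exe", "CommandLine": "ping 127.0.0.1"},
    # Benign control (constructed): an installer registering an autorun under Program Files.
    {"EventID": 13, "ProcessId": 900, "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
     "Details": r"C:\Program Files\Vendor\agent.exe"},
]

# "ping <args> & del [/switches] <path>": ping stands in for sleep (cmd.exe has no
# sleep builtin), then del/erase removes a quoted or bare path after the delay.
SELF_DELETE_RE = re.compile(
    r'ping\b[^&|]*[&|]+\s*(?:del|erase)\s+(?:/\w+\s+)*'
    r'(?:"(?P<quoted>[^"]+)"|(?P<bare>[^\s&|"]+))',
    re.IGNORECASE,
)

# Run / RunOnce under either the native or the Wow6432Node view of the hive.
RUN_KEY_RE = re.compile(
    r"\\(?:Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.IGNORECASE)

# Directories an unprivileged user can write to; legitimate autoruns rarely live there.
USER_WRITABLE_RE = re.compile(
    r"\\(?:AppData\\(?:Local|Roaming)\\|Temp\\|ProgramData\\|Users\\Public\\)", re.IGNORECASE)


def detect_self_delete(event):
    """Flag a process whose command line pings, then deletes a file; note if it is the parent's image."""
    if event.get("EventID") != 1:
        return None
    m = SELF_DELETE_RE.search(event.get("CommandLine", ""))
    if not m:
        return None
    target = (m.group("quoted") or m.group("bare")).strip()
    return {"rule": "cmd_ping_del", "pid": event["ProcessId"], "deleted": target,
            "targets_parent": target.lower() == event.get("ParentImage", "").lower()}


def detect_temp_autorun(event):
    """Flag a Run/RunOnce value whose command points into a user-writable directory."""
    if event.get("EventID") != 13:
        return None
    key = event.get("TargetObject", "")
    if not RUN_KEY_RE.search(key):
        return None
    value = event.get("Details", "").strip().strip('"')
    if not USER_WRITABLE_RE.search(value):
        return None
    return {"rule": "run_key_user_writable", "pid": event["ProcessId"], "key": key,
            "value": value, "wow6432node": "wow6432node" in key.lower()}


def run_detections(events):
    """Apply both detections in event order and return the list of findings."""
    findings = []
    for ev in events:
        for detector in (detect_self_delete, detect_temp_autorun):
            hit = detector(ev)
            if hit:
                findings.append(hit)
    return findings


if __name__ == "__main__":
    for finding in run_detections(EVENTS):
        print(finding)
```

Run against the constructed events, the Run key write by PID 1572 and the cmd.exe child PID 1596 each produce one finding, the self-delete finding records that the deleted path equals the parent's image, and the Program Files autorun produces nothing. In production the ParentImage comparison is what separates this idiom from an ordinary cleanup script, so keep it rather than alerting on every ping-and-del.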
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
(the report lists this file three times, once with the drive letter and twice as \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe; all three entries carry the same hashes)
MD5: db5e0952e0fac069ee47c2df8dc9a3f8
SHA1: aa5e705c481b3cb9bb26c6269c9970cfbaf205ed
SHA256: ab5500d8a01dfa29b10a1807f94274f6d99b769e055caf059f066134a3f3be0d
SHA512: 6a65a4a4dd5dd62fc6a9ca0793232ca85675e80a25083989673144a137b8b81b9f0693a8a5e5c1ae7d125734fe65dc0b2b09bc6fa2e7f643183e411a1a821d3c

memory/1572-54-0x0000000076C61000-0x0000000076C63000-memory.dmp
Filesize: 8KB