Analysis

max time kernel: 138s
max time network: 146s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 08:31
Static task: static1

Behavioral task: behavioral1
  Sample: 0aefc66dffe23351f7fca601b899422490198be2bf00720871e4e1e295357ca2.exe
  Resource: win7-en-20211208

Behavioral task: behavioral2
  Sample: 0aefc66dffe23351f7fca601b899422490198be2bf00720871e4e1e295357ca2.exe
  Resource: win10v2004-en-20220113
General

Target: 0aefc66dffe23351f7fca601b899422490198be2bf00720871e4e1e295357ca2.exe
Size: 176KB
MD5: ea60be8ec92728f912df128d5e9447b8
SHA1: b6882f781ee2a07e4505d3ad6e3a2eda726b8678
SHA256: 0aefc66dffe23351f7fca601b899422490198be2bf00720871e4e1e295357ca2
SHA512: 61ac74f7b1889ef7e9465536dfa224321e5033270edf7e7d2ce5beb5501bee98159178bc942d63f96f4b9635025f373cee7aa6f1b831ca7ccc953bc3007559c4
Malware Config
Signatures

Sakula Payload (4 IoCs)
  resource / yara_rule:
  - \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  family_sakula
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  family_sakula
  - behavioral1/memory/1308-58-0x0000000000400000-0x0000000000420000-memory.dmp  family_sakula
  - behavioral1/memory/1892-59-0x0000000000400000-0x0000000000420000-memory.dmp  family_sakula
Executes dropped EXE (1 IoC)
  pid / process:
  - 1892  MediaCenter.exe
Deletes itself (1 IoC)
  pid / process:
  - 684  cmd.exe
Loads dropped DLL (1 IoC)
  pid / process:
  - 1308  0aefc66dffe23351f7fca601b899422490198be2bf00720871e4e1e295357ca2.exe
Adds Run key to start application (2 TTPs, 1 IoC)
  description / ioc / process:
  - Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  0aefc66dffe23351f7fca601b899422490198be2bf00720871e4e1e295357ca2.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTP, 1 IoC)
Suspicious use of AdjustPrivilegeToken (1 IoC)
  description / pid / process:
  - Token: SeIncBasePriorityPrivilege  1308  0aefc66dffe23351f7fca601b899422490198be2bf00720871e4e1e295357ca2.exe
Suspicious use of WriteProcessMemory (12 IoCs)
  description / pid / process / target process:
  - PID 1308 wrote to memory of 1892  1308  0aefc66dffe23351f7fca601b899422490198be2bf00720871e4e1e295357ca2.exe  MediaCenter.exe  (4 entries)
  - PID 1308 wrote to memory of 684  1308  0aefc66dffe23351f7fca601b899422490198be2bf00720871e4e1e295357ca2.exe  cmd.exe  (4 entries)
  - PID 684 wrote to memory of 1800  684  cmd.exe  PING.EXE  (4 entries)
Processes

1. C:\Users\Admin\AppData\Local\Temp\0aefc66dffe23351f7fca601b899422490198be2bf00720871e4e1e295357ca2.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\0aefc66dffe23351f7fca601b899422490198be2bf00720871e4e1e295357ca2.exe"
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   PID: 1308

   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE
      PID: 1892

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0aefc66dffe23351f7fca601b899422490198be2bf00720871e4e1e295357ca2.exe"
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      PID: 684

      3. C:\Windows\SysWOW64\PING.EXE
         Command line: ping 127.0.0.1
         - Runs ping.exe
         PID: 1800
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 2b225b7b12d1da2cb9be5e1ac85b1cd1
  SHA1: 1bdaa72d8fbb9ed04942260e6bb82c256ac1dbd0
  SHA256: 955b1d887f43d5be34cfa013409207447a1327b510d2399192d7915c36a2c3bc
  SHA512: f090d448f1625fad8ac11e894436715b7387d835bc4768ae177564728e19138b7cb083f9423e9c27ad4ffcee77612575d64bed13ae8f4f10ed1884e953fa0226

\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 2b225b7b12d1da2cb9be5e1ac85b1cd1
  SHA1: 1bdaa72d8fbb9ed04942260e6bb82c256ac1dbd0
  SHA256: 955b1d887f43d5be34cfa013409207447a1327b510d2399192d7915c36a2c3bc
  SHA512: f090d448f1625fad8ac11e894436715b7387d835bc4768ae177564728e19138b7cb083f9423e9c27ad4ffcee77612575d64bed13ae8f4f10ed1884e953fa0226

memory/1308-54-0x0000000076071000-0x0000000076073000-memory.dmp
  Filesize: 8KB

memory/1308-58-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB

memory/1892-59-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB