Analysis
- max time kernel: 147s
- max time network: 155s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 09:59
Static task: static1
Behavioral task: behavioral1
  Sample: 0873e710b263d979389b58b5beb6b16ad2653a2f31dcd9a36657f3c56f9e4201.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0873e710b263d979389b58b5beb6b16ad2653a2f31dcd9a36657f3c56f9e4201.exe
  Resource: win10v2004-en-20220113
General
- Target: 0873e710b263d979389b58b5beb6b16ad2653a2f31dcd9a36657f3c56f9e4201.exe
- Size: 216KB
- MD5: 45c2ea647ec7363c4b94b33080719eb7
- SHA1: 5b74a1e0a4e76d4ac445c23511430670554f3c00
- SHA256: 0873e710b263d979389b58b5beb6b16ad2653a2f31dcd9a36657f3c56f9e4201
- SHA512: 99f373b1f50f838f8dcda1f606b56af45f4ae0ad49b787ca0b0a791ca2c64d822b38d64aa71fe939d1974c58f5ef411868ace3e61de354d9ca731da121af25dc
Malware Config
Signatures
- Sakula Payload (4 IoCs)
  Processes:
  resource | yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  behavioral1/memory/1536-58-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
  behavioral1/memory/964-59-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
- Executes dropped EXE (1 IoC)
  Processes:
  pid | process
  964 | MediaCenter.exe
- Deletes itself (1 IoC)
  Processes:
  pid | process
  432 | cmd.exe
- Loads dropped DLL (1 IoC)
  Processes:
  pid | process
  1536 | 0873e710b263d979389b58b5beb6b16ad2653a2f31dcd9a36657f3c56f9e4201.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 0873e710b263d979389b58b5beb6b16ad2653a2f31dcd9a36657f3c56f9e4201.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 1536 | 0873e710b263d979389b58b5beb6b16ad2653a2f31dcd9a36657f3c56f9e4201.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
  description | pid | process | target process
  PID 1536 wrote to memory of 964 | 1536 | 0873e710b263d979389b58b5beb6b16ad2653a2f31dcd9a36657f3c56f9e4201.exe | MediaCenter.exe
  PID 1536 wrote to memory of 964 | 1536 | 0873e710b263d979389b58b5beb6b16ad2653a2f31dcd9a36657f3c56f9e4201.exe | MediaCenter.exe
  PID 1536 wrote to memory of 964 | 1536 | 0873e710b263d979389b58b5beb6b16ad2653a2f31dcd9a36657f3c56f9e4201.exe | MediaCenter.exe
  PID 1536 wrote to memory of 964 | 1536 | 0873e710b263d979389b58b5beb6b16ad2653a2f31dcd9a36657f3c56f9e4201.exe | MediaCenter.exe
  PID 1536 wrote to memory of 432 | 1536 | 0873e710b263d979389b58b5beb6b16ad2653a2f31dcd9a36657f3c56f9e4201.exe | cmd.exe
  PID 1536 wrote to memory of 432 | 1536 | 0873e710b263d979389b58b5beb6b16ad2653a2f31dcd9a36657f3c56f9e4201.exe | cmd.exe
  PID 1536 wrote to memory of 432 | 1536 | 0873e710b263d979389b58b5beb6b16ad2653a2f31dcd9a36657f3c56f9e4201.exe | cmd.exe
  PID 1536 wrote to memory of 432 | 1536 | 0873e710b263d979389b58b5beb6b16ad2653a2f31dcd9a36657f3c56f9e4201.exe | cmd.exe
  PID 432 wrote to memory of 956 | 432 | cmd.exe | PING.EXE
  PID 432 wrote to memory of 956 | 432 | cmd.exe | PING.EXE
  PID 432 wrote to memory of 956 | 432 | cmd.exe | PING.EXE
  PID 432 wrote to memory of 956 | 432 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\0873e710b263d979389b58b5beb6b16ad2653a2f31dcd9a36657f3c56f9e4201.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0873e710b263d979389b58b5beb6b16ad2653a2f31dcd9a36657f3c56f9e4201.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1536
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (level 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 964
  - C:\Windows\SysWOW64\cmd.exe (level 2)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0873e710b263d979389b58b5beb6b16ad2653a2f31dcd9a36657f3c56f9e4201.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 432
    - C:\Windows\SysWOW64\PING.EXE (level 3)
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 956
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 535eb546bb619759621540d28bee17c0
  SHA1: bec90240fbc7fd8c11eb6a0345152e38b59c6905
  SHA256: 27171e3cb54eb915bd1ecee27955d7910912f68653925fe08780e6ceb47c56e5
  SHA512: 83e514221b907e56bdb504244656764346c8fdc09022cb6c8e85851f893ef4364c3aa1581b1a56bdcb844ce47c404f1b7d32531b825c89f9d66598f8015a6370
- \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 535eb546bb619759621540d28bee17c0
  SHA1: bec90240fbc7fd8c11eb6a0345152e38b59c6905
  SHA256: 27171e3cb54eb915bd1ecee27955d7910912f68653925fe08780e6ceb47c56e5
  SHA512: 83e514221b907e56bdb504244656764346c8fdc09022cb6c8e85851f893ef4364c3aa1581b1a56bdcb844ce47c404f1b7d32531b825c89f9d66598f8015a6370
- memory/964-59-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB
- memory/1536-54-0x0000000076C91000-0x0000000076C93000-memory.dmp
  Filesize: 8KB
- memory/1536-58-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB