Analysis
- Max time kernel: 135s
- Max time network: 144s
- Platform: windows7_x64
- Resource: win7-en-20211208
- Submitted: 12-02-2022 10:07
Static task: static1
Behavioral task: behavioral1
- Sample: 08098d737d8a3c469ba401a69fba1141fa3ded79fea264234a740f7e6d41a91f.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 08098d737d8a3c469ba401a69fba1141fa3ded79fea264234a740f7e6d41a91f.exe
- Resource: win10v2004-en-20220113
General
- Target: 08098d737d8a3c469ba401a69fba1141fa3ded79fea264234a740f7e6d41a91f.exe
- Size: 150KB
- MD5: 3adfee89badf85eca3d58731735d15aa
- SHA1: f8f58b49e46a1729924c0a5048c23ae431fe6e7c
- SHA256: 08098d737d8a3c469ba401a69fba1141fa3ded79fea264234a740f7e6d41a91f
- SHA512: 9af5b25e3d5bd98ee675a692789d4c77e87d5977a17810a0731e46d8bee06a9629cb1a2c6c33100f37646bce95fdb1867a85afb0387b613f570559716c260b52
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  Processes (resource, yara_rule):
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  family_sakula
- Executes dropped EXE (1 IoC)
  Processes (pid, process):
  1892  MediaCenter.exe
- Deletes itself (1 IoC)
  Processes (pid, process):
  684  cmd.exe
- Loads dropped DLL (1 IoC)
  Processes (pid, process):
  620  08098d737d8a3c469ba401a69fba1141fa3ded79fea264234a740f7e6d41a91f.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description, ioc, process):
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  08098d737d8a3c469ba401a69fba1141fa3ded79fea264234a740f7e6d41a91f.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description, pid, process):
  Token: SeIncBasePriorityPrivilege  620  08098d737d8a3c469ba401a69fba1141fa3ded79fea264234a740f7e6d41a91f.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description, pid, process, target process):
  PID 620 wrote to memory of 1892  620  08098d737d8a3c469ba401a69fba1141fa3ded79fea264234a740f7e6d41a91f.exe  MediaCenter.exe (4 entries)
  PID 620 wrote to memory of 684  620  08098d737d8a3c469ba401a69fba1141fa3ded79fea264234a740f7e6d41a91f.exe  cmd.exe (4 entries)
  PID 684 wrote to memory of 1108  684  cmd.exe  PING.EXE (4 entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\08098d737d8a3c469ba401a69fba1141fa3ded79fea264234a740f7e6d41a91f.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\08098d737d8a3c469ba401a69fba1141fa3ded79fea264234a740f7e6d41a91f.exe"
   PID: 620
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      PID: 1892
      - Executes dropped EXE
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\08098d737d8a3c469ba401a69fba1141fa3ded79fea264234a740f7e6d41a91f.exe"
      PID: 684
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\PING.EXE
         Command line: ping 127.0.0.1
         PID: 1108
         - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: e3951016eba7055d0e172d131a8e9c7a
  SHA1: 748e2ecde8f777377879bd76658c77589f44c6f7
  SHA256: bbc4e652a508a8b93cce8cfbf42f760131584990ead6f8795e9bf995e05351b1
  SHA512: 629144c748d4ce122cc7dc07105434c1be7ba4e5530a5429bbc5a839b352fa3dbcbacb27701081f224164a2851ae6359a9f419e48eafb2b2b5d5f329c0b9b8c2
- \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: e3951016eba7055d0e172d131a8e9c7a
  SHA1: 748e2ecde8f777377879bd76658c77589f44c6f7
  SHA256: bbc4e652a508a8b93cce8cfbf42f760131584990ead6f8795e9bf995e05351b1
  SHA512: 629144c748d4ce122cc7dc07105434c1be7ba4e5530a5429bbc5a839b352fa3dbcbacb27701081f224164a2851ae6359a9f419e48eafb2b2b5d5f329c0b9b8c2
- memory/620-54-0x0000000076071000-0x0000000076073000-memory.dmp
  Filesize: 8KB