Analysis

- max time kernel: 118s
- max time network: 125s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 09:20
Static task: static1

Behavioral task: behavioral1
- Sample: 0a567390517cbee3936871bbfe02a6f9d572085c434d1a5ae0ceaa4e619fe12b.exe
- Resource: win7-en-20211208

Behavioral task: behavioral2
- Sample: 0a567390517cbee3936871bbfe02a6f9d572085c434d1a5ae0ceaa4e619fe12b.exe
- Resource: win10v2004-en-20220113
General

- Target: 0a567390517cbee3936871bbfe02a6f9d572085c434d1a5ae0ceaa4e619fe12b.exe
- Size: 101KB
- MD5: 6ad8912308f3613cf6f90fa6bcfd8b4c
- SHA1: 3f000d62e5265a2bc0d053db0426d608f9327320
- SHA256: 0a567390517cbee3936871bbfe02a6f9d572085c434d1a5ae0ceaa4e619fe12b
- SHA512: df96f93b22f7129c913445c5f0946d1513c7c2690d0a48d9099921661e113faf34cc551c6cab2a8da1087279bef128e29e56142627da634811a44aa44ad0e025
Malware Config
Signatures

- Sakula Payload (3 IoCs)
  Processes:
    resource                                                      yara_rule
    \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe    family_sakula
    \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe    family_sakula
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  family_sakula

- Executes dropped EXE (1 IoC)
  Processes:
    pid   process
    1532  MediaCenter.exe

- Deletes itself (1 IoC)
  Processes:
    pid   process
    776   cmd.exe

- Loads dropped DLL (2 IoCs)
  Processes:
    pid   process
    1528  0a567390517cbee3936871bbfe02a6f9d572085c434d1a5ae0ceaa4e619fe12b.exe
    1528  0a567390517cbee3936871bbfe02a6f9d572085c434d1a5ae0ceaa4e619fe12b.exe

- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    description: Set value (str)
    ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
    process: 0a567390517cbee3936871bbfe02a6f9d572085c434d1a5ae0ceaa4e619fe12b.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  (That sentence is the signature's generic description, not a finding specific to this sample: no file encryption or other ransomware activity is reported here, and the payload is classified as Sakula by the YARA match above.)
- Runs ping.exe (1 TTP, 1 IoC)

- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description                         pid   process
    Token: SeIncBasePriorityPrivilege   1528  0a567390517cbee3936871bbfe02a6f9d572085c434d1a5ae0ceaa4e619fe12b.exe

- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
    description                        pid   process                                                                 target process   count
    PID 1528 wrote to memory of 1532   1528  0a567390517cbee3936871bbfe02a6f9d572085c434d1a5ae0ceaa4e619fe12b.exe  MediaCenter.exe  4
    PID 1528 wrote to memory of 776    1528  0a567390517cbee3936871bbfe02a6f9d572085c434d1a5ae0ceaa4e619fe12b.exe  cmd.exe          4
    PID 776 wrote to memory of 1096    776   cmd.exe                                                                 PING.EXE         4
Processes

1. C:\Users\Admin\AppData\Local\Temp\0a567390517cbee3936871bbfe02a6f9d572085c434d1a5ae0ceaa4e619fe12b.exe  (PID 1528)
   command line: "C:\Users\Admin\AppData\Local\Temp\0a567390517cbee3936871bbfe02a6f9d572085c434d1a5ae0ceaa4e619fe12b.exe"
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  (PID 1532)
      command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE

   2. C:\Windows\SysWOW64\cmd.exe  (PID 776)
      command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0a567390517cbee3936871bbfe02a6f9d572085c434d1a5ae0ceaa4e619fe12b.exe"
      - Deletes itself
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\PING.EXE  (PID 1096)
         command line: ping 127.0.0.1
         - Runs ping.exe

The command line names System32\cmd.exe but the image that actually ran is SysWOW64\cmd.exe: the sample runs as a 32-bit process on windows7_x64, so WOW64 file-system redirection maps System32 to SysWOW64, and the same redirection is why its Run key lands under Wow6432Node. The "ping 127.0.0.1" before "del" is a delay (four echo requests, roughly three seconds) so that the original executable has exited and is no longer locked when the deletion runs.
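The two behaviours in this tree that are worth turning into detections are the "ping 127.0.0.1 & del" self-deletion (cmd.exe deleting the image of its own parent) and the Run key that points at an executable under the user's Temp directory. The following is an added example, not part of the sandbox report and not the sandbox's own code: it replays hand-constructed event records that mirror the PIDs, paths and command lines above and flags both behaviours. The record layouts are modelled loosely on Sysmon Event ID 1 (process create) and Event ID 13 (registry value set), but the field names, the placeholder launcher PID 4000 and the extra benign cmd.exe record (PID 900) are assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class ProcEvent:
    """Process-creation record (field set modelled on Sysmon Event ID 1; an assumption)."""
    pid: int
    ppid: int
    image: str      # path of the image that actually ran
    cmdline: str    # command line as logged


@dataclass
class RegEvent:
    """Registry value-set record (field set modelled on Sysmon Event ID 13; an assumption)."""
    pid: int        # process that wrote the value
    key: str
    value: str
    data: str


SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\0a567390517cbee3936871bbfe02a6f9d572085c434d1a5ae0ceaa4e619fe12b.exe")
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"

# Constructed records mirroring the report's process tree. PID 4000 (launcher of
# the sample) is a placeholder, and PID 900 is a constructed negative case:
# a del without the ping delay, targeting a file that is not the parent image.
PROC_EVENTS: List[ProcEvent] = [
    ProcEvent(1528, 4000, SAMPLE, '"' + SAMPLE + '"'),
    ProcEvent(1532, 1528, DROPPED, DROPPED),
    ProcEvent(776, 1528, CMD,
              '"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "' + SAMPLE + '"'),
    ProcEvent(1096, 776, r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.1"),
    ProcEvent(900, 1528, CMD,
              '"C:\\Windows\\System32\\cmd.exe" /c del /q "C:\\Users\\Admin\\AppData\\Local\\Temp\\setup.log"'),
]

REG_EVENTS: List[RegEvent] = [
    RegEvent(1528, r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run",
             "MicroMedia", DROPPED),
]

# "ping <loopback> [...] & del [/switches] <path>": ping's default four echo
# requests give the parent about three seconds to exit before del runs.
SELF_DELETE = re.compile(
    r'ping\s+(?:-n\s+\d+\s+)?(?:127\.0\.0\.1|localhost|::1)\b.*?'
    r'&\s*del\s+(?:/\w\s+)*"?([^"&]+?)"?\s*$',
    re.IGNORECASE,
)
# Autorun data pointing into locations a standard user can write to.
USER_WRITABLE = re.compile(
    r"\\(?:AppData\\Local\\Temp|AppData\\Roaming|ProgramData|Users\\Public)\\", re.IGNORECASE)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(?:Once)?\\?$", re.IGNORECASE)


def by_pid(events: List[ProcEvent]) -> Dict[int, ProcEvent]:
    return {e.pid: e for e in events}


def find_self_deletion(events: List[ProcEvent]) -> List[dict]:
    """Flag cmd.exe whose 'ping & del' target is the image of its own parent."""
    procs = by_pid(events)
    hits = []
    for ev in events:
        if not ev.image.lower().endswith("\\cmd.exe"):
            continue
        m = SELF_DELETE.search(ev.cmdline)
        if not m:
            continue
        target = m.group(1).strip()
        parent = procs.get(ev.ppid)
        if parent is not None and parent.image.lower() == target.lower():
            hits.append({"cmd_pid": ev.pid, "parent_pid": parent.pid,
                         "parent_image": parent.image, "deleted": target})
    return hits


def find_temp_autoruns(reg_events: List[RegEvent], proc_events: List[ProcEvent]) -> List[dict]:
    """Flag Run/RunOnce values pointing into user-writable paths, together with the
    process that set them and any child of that process already running the image."""
    procs = by_pid(proc_events)
    hits = []
    for r in reg_events:
        if not RUN_KEY.search(r.key):
            continue
        exe = r.data.strip().strip('"')
        if not USER_WRITABLE.search(exe):
            continue
        writer = procs.get(r.pid)
        launched = sorted(p.pid for p in proc_events
                          if p.ppid == r.pid and p.image.lower() == exe.lower())
        hits.append({"key": r.key, "value": r.value, "data": exe,
                     "set_by": writer.image if writer else None, "launched_pids": launched})
    return hits


if __name__ == "__main__":
    for h in find_self_deletion(PROC_EVENTS):
        print("self-deletion:", h)
    for h in find_temp_autoruns(REG_EVENTS, PROC_EVENTS):
        print("autorun from user-writable path:", h)
```

Both checks correlate across records rather than matching a single command line: the self-deletion rule only fires when the deleted path equals the parent's image, which is what separates this pattern from an installer cleaning up a log file, and the autorun rule ties the registry write back to the writing process and to the dropped executable it has already started.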
Network
MITRE ATT&CK Enterprise v6
Downloads

- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  (also recorded twice under the drive-less path \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe; all three entries carry the same hashes)
  MD5: 1a49420eac2a5b0b9f76af1db6f1f0b2
  SHA1: 433d8ff4c653d6fe47769f32408569fcfe2d874d
  SHA256: 16d6199e08739be374562ee194eb368d9bb3f329f24cb6dd52ccb5043f333477
  SHA512: 0179b29f93b0c6d060fe19ef3280f3a5496b7a2fe20919e657970cb88e3609e160e584d524d237384c8518e536603265ee759d28a893c4d3b4402251a235896b

- memory/1528-53-0x00000000766D1000-0x00000000766D3000-memory.dmp
  Filesize: 8KB