Analysis

Max time kernel: 147s
Max time network: 162s
Platform: windows7_x64
Resource: win7-en-20211208
Submitted: 12-02-2022 09:20

Static task: static1
Behavioral task: behavioral1
  Sample: 0a6069cf22def0c2529a66e0477467f24e083bc990bc3b24225fc957e30f2b87.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0a6069cf22def0c2529a66e0477467f24e083bc990bc3b24225fc957e30f2b87.exe
  Resource: win10v2004-en-20220112

The signatures, process tree and memory dumps below come from behavioral1 (the Windows 7 x64 run); the page shows no results for behavioral2.
General

Target: 0a6069cf22def0c2529a66e0477467f24e083bc990bc3b24225fc957e30f2b87.exe
Size: 216KB
MD5: 7f0eefea9b5a52b33f9ef490f599a1fe
SHA1: 4346091f85766bce7167d87312e05f2073a15bff
SHA256: 0a6069cf22def0c2529a66e0477467f24e083bc990bc3b24225fc957e30f2b87
SHA512: 2258572f2bdcd9cfb5c8e9943f5f1d00a59d43aea39db2f6cb95887dd741f79b0660cf332fec82375bdc28e7d575711ff0cd756228c76adf032fcc5884b6efd7
Malware Config
(none reported)

Signatures

Sakula Payload (4 IoCs)
  resource                                                                      yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe                    family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe                  family_sakula
  behavioral1/memory/736-59-0x0000000000400000-0x0000000000420000-memory.dmp    family_sakula
  behavioral1/memory/788-60-0x0000000000400000-0x0000000000420000-memory.dmp    family_sakula
  The dropped file on disk and the 0x400000-0x420000 image regions of both the submitted sample (PID 736) and the dropped MediaCenter.exe (PID 788) match the family_sakula rule.
Executes dropped EXE (1 IoC)
  process           pid
  MediaCenter.exe   788
Deletes itself (1 IoC)
  process   pid
  cmd.exe   1192
Loads dropped DLL (1 IoC)
  process                                                                 pid
  0a6069cf22def0c2529a66e0477467f24e083bc990bc3b24225fc957e30f2b87.exe   736
Adds Run key to start application (2 TTPs, 1 IoC)
  description       ioc                                                                                  process
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"   0a6069cf22def0c2529a66e0477467f24e083bc990bc3b24225fc957e30f2b87.exe (PID 736)
  The value lands under Wow6432Node because the sample is a 32-bit process on an x64 host and the registry redirector maps its HKLM\SOFTWARE writes there; the persisted path is the dropped MediaCenter.exe in the user's Temp directory, which the sample also launches directly (PID 788).
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox attaches a generic "likely ransomware behaviour" note to this signature, but nothing else in this report supports that reading: no file encryption is recorded, and the payload is classified as Sakula. Treat it as drive enumeration only.
Runs ping.exe (1 TTP, 1 IoC)
  PING.EXE, PID 1044, spawned by cmd.exe (PID 1192); see the process tree below.
Suspicious use of AdjustPrivilegeToken (1 IoC)
  description                            pid   process
  Token: SeIncBasePriorityPrivilege      736   0a6069cf22def0c2529a66e0477467f24e083bc990bc3b24225fc957e30f2b87.exe
  SeIncBasePriorityPrivilege ("Increase scheduling priority") is enabled in the sample's own token; it is not by itself an escalation primitive, so this signature is a weak indicator on its own.
Suspicious use of WriteProcessMemory (12 IoCs)
  source pid   source process                                                          target pid   target process     count
  736          0a6069cf22def0c2529a66e0477467f24e083bc990bc3b24225fc957e30f2b87.exe   788          MediaCenter.exe    4
  736          0a6069cf22def0c2529a66e0477467f24e083bc990bc3b24225fc957e30f2b87.exe   1192         cmd.exe            4
  1192         cmd.exe                                                                 1044         PING.EXE           4
  Each parent writes only into the child it creates, and the process tree shows no other target, so these entries are consistent with the writes a parent makes into a new process during CreateProcess rather than with a separate injection step.
Processes

1. C:\Users\Admin\AppData\Local\Temp\0a6069cf22def0c2529a66e0477467f24e083bc990bc3b24225fc957e30f2b87.exe (PID 736)
   Command line: "C:\Users\Admin\AppData\Local\Temp\0a6069cf22def0c2529a66e0477467f24e083bc990bc3b24225fc957e30f2b87.exe"
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 788, child of 736)
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE
   2. C:\Windows\SysWOW64\cmd.exe (PID 1192, child of 736)
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0a6069cf22def0c2529a66e0477467f24e083bc990bc3b24225fc957e30f2b87.exe"
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\PING.EXE (PID 1044, child of 1192)
         Command line: ping 127.0.0.1
         - Runs ping.exe

Two details of the tree are worth noting. The command line names C:\Windows\System32\cmd.exe but the image that actually runs is C:\Windows\SysWOW64\cmd.exe: WOW64 file system redirection rewrote the path, which confirms the sample is a 32-bit process on this x64 host and matches the Wow6432Node Run key above. The ping 127.0.0.1 is not network activity; it is a short delay so that the original executable has exited by the time del /q runs, leaving only the dropped MediaCenter.exe on disk.
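The three behaviours in this tree (execution from the user's Temp directory, a Run key pointing into that directory, and the ping-then-del self-removal) are all visible from process-creation and registry-set telemetry. The following is an added example, not part of the sandbox report: it rebuilds the report's process tree and registry write as constructed Sysmon-style events (Event ID 1 for process creation, 13 for a registry value set; the field names are assumed to follow Sysmon's) and runs three detections over them. The rules, event layout and thresholds are the editor's own.

```python
"""Detect the behaviours shown in the report's process tree.

Added example (not the sandbox's code). Events are constructed from the
report and use Sysmon-style field names as an assumption about the
telemetry format; only the paths, PIDs and command lines come from the page.
"""
import re
from typing import Dict, List, Tuple

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\0a6069cf22def0c2529a66e0477467f24e083bc990bc3b24225fc957e30f2b87.exe")
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

# Constructed events mirroring the report: one process-creation event per
# node of the tree plus the Run-key write made by PID 736.
EVENTS: List[Dict[str, str]] = [
    {"EventID": "1", "ProcessId": "736", "ParentProcessId": "4",
     "Image": SAMPLE, "CommandLine": f'"{SAMPLE}"'},
    {"EventID": "13", "ProcessId": "736", "Image": SAMPLE,
     "TargetObject": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "Details": DROPPED},
    {"EventID": "1", "ProcessId": "788", "ParentProcessId": "736",
     "Image": DROPPED, "CommandLine": DROPPED},
    {"EventID": "1", "ProcessId": "1192", "ParentProcessId": "736",
     "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"'},
    {"EventID": "1", "ProcessId": "1044", "ParentProcessId": "1192",
     "Image": r"C:\Windows\SysWOW64\PING.EXE", "CommandLine": "ping 127.0.0.1"},
]

# A user-writable scratch directory that legitimate persistence rarely points at.
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
# HKCU/HKLM ...\CurrentVersion\Run and RunOnce, including the Wow6432Node view.
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
# "ping <host> & del ..." (or "&& del"): the delay-then-delete idiom.
PING_DEL = re.compile(r"\bping\b.*&+\s*del\b", re.IGNORECASE)

Hit = Tuple[str, str, str]  # (rule, pid, detail)


def detect(events: List[Dict[str, str]]) -> List[Hit]:
    """Return rule hits in event order."""
    images = {e["ProcessId"]: e["Image"] for e in events if e["EventID"] == "1"}
    hits: List[Hit] = []
    for e in events:
        if e["EventID"] == "1":
            if TEMP_DIR.search(e["Image"]):
                hits.append(("exec_from_temp", e["ProcessId"], e["Image"]))
            cmd = e.get("CommandLine", "")
            if e["Image"].lower().endswith("\\cmd.exe") and PING_DEL.search(cmd):
                # Self-deletion when the del target is the parent's own image path.
                parent_image = images.get(e.get("ParentProcessId", ""), "").lower()
                kind = "self" if parent_image and parent_image in cmd.lower() else "other"
                hits.append((f"ping_then_delete_{kind}", e["ProcessId"], cmd))
        elif e["EventID"] == "13":
            if RUN_KEY.search(e["TargetObject"]) and TEMP_DIR.search(e["Details"]):
                hits.append(("run_key_to_temp", e["ProcessId"],
                             f'{e["TargetObject"]} = {e["Details"]}'))
    return hits


def persisted_binaries_executed(events: List[Dict[str, str]]) -> List[str]:
    """Paths written to a Run key that the same telemetry also shows being launched."""
    persisted = {e["Details"].lower() for e in events
                 if e["EventID"] == "13" and RUN_KEY.search(e["TargetObject"])}
    return sorted({e["Image"] for e in events
                   if e["EventID"] == "1" and e["Image"].lower() in persisted})


if __name__ == "__main__":
    for rule, pid, detail in detect(EVENTS):
        print(f"{rule:24} pid={pid:5} {detail}")
    print("persisted and executed:", persisted_binaries_executed(EVENTS))
```

Against the constructed events this yields four hits (two executions from Temp, the Run key into Temp, and the self-deleting cmd.exe whose del target is its parent's image) and links the Run-key value to the MediaCenter.exe launch. The self-deletion rule keys on the parent's image path rather than on a filename so it survives renamed droppers; the "other" variant still fires when cmd.exe deletes some other file with the same idiom.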
Network
(no network indicators listed)

MITRE ATT&CK Enterprise v6
(see the TTP counts attached to the signatures above)
Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
(also listed without the drive letter as \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe; same file, same hashes)
  MD5: 04d61ecad9e17392ace52ac3571cfbd6
  SHA1: 2cafbed890bac975d7269ec1bfc6c8acf3fd0097
  SHA256: 48b55393a4b519e8143b92b794104800106effa3b1daeb7706d7a6919ad13c6f
  SHA512: 211a104766f7015c56afb80c8f151c0ba67469a1074096d751616965e32311a817381745480eeb8f7e0cb18b95e3eaaca2a3d98a847692053d6a5ad26d466b1a
  These hashes differ from the submitted sample's, so the dropped file is a distinct binary rather than a copy of the dropper.

memory/736-55-0x0000000076B81000-0x0000000076B83000-memory.dmp
  Filesize: 8KB
memory/736-59-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB (PID 736, the submitted sample; flagged family_sakula)
memory/788-60-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB (PID 788, MediaCenter.exe; flagged family_sakula)