Analysis
max time kernel: 137s
max time network: 156s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 09:22
Static task: static1
Behavioral task: behavioral1
  Sample: 0a447c43387c247e6d7a318a57dc4d1add02419eac0c72fd552aad84bba397b1.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0a447c43387c247e6d7a318a57dc4d1add02419eac0c72fd552aad84bba397b1.exe
  Resource: win10v2004-en-20220113
General
Target: 0a447c43387c247e6d7a318a57dc4d1add02419eac0c72fd552aad84bba397b1.exe
Size: 216KB
MD5: 31313ea53bdda3f94de8047663d5d404
SHA1: d46b0650e2e74a8cce92de37d9981964459b152d
SHA256: 0a447c43387c247e6d7a318a57dc4d1add02419eac0c72fd552aad84bba397b1
SHA512: 79a719a05ef29a35d99625c94b0b33b92c764d094b725e278f282d9a742f12160c931b006d5fba5c19ecebfa485cad09a4a2ac681b1ccb1ca35ab642de574c56
Malware Config
Signatures
Sakula Payload (4 IoCs)
Processes:
resource                                                                      yara_rule
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe                    family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe                  family_sakula
behavioral1/memory/960-59-0x0000000000400000-0x0000000000420000-memory.dmp    family_sakula
behavioral1/memory/1668-60-0x0000000000400000-0x0000000000420000-memory.dmp   family_sakula

Executes dropped EXE (1 IoCs)
Processes: MediaCenter.exe
pid    process
1668   MediaCenter.exe

Deletes itself (1 IoCs)
Processes: cmd.exe
pid    process
1640   cmd.exe

Loads dropped DLL (1 IoCs)
Processes: 0a447c43387c247e6d7a318a57dc4d1add02419eac0c72fd552aad84bba397b1.exe
pid    process
960    0a447c43387c247e6d7a318a57dc4d1add02419eac0c72fd552aad84bba397b1.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
Processes: 0a447c43387c247e6d7a318a57dc4d1add02419eac0c72fd552aad84bba397b1.exe
description       ioc                                                                                                                                                                    process
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"   0a447c43387c247e6d7a318a57dc4d1add02419eac0c72fd552aad84bba397b1.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTPs, 1 IoCs)

Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes: 0a447c43387c247e6d7a318a57dc4d1add02419eac0c72fd552aad84bba397b1.exe
description                          pid    process
Token: SeIncBasePriorityPrivilege    960    0a447c43387c247e6d7a318a57dc4d1add02419eac0c72fd552aad84bba397b1.exe

Suspicious use of WriteProcessMemory (12 IoCs)
Processes: 0a447c43387c247e6d7a318a57dc4d1add02419eac0c72fd552aad84bba397b1.exe, cmd.exe
description                        pid    process                                                                  target process
PID 960 wrote to memory of 1668    960    0a447c43387c247e6d7a318a57dc4d1add02419eac0c72fd552aad84bba397b1.exe    MediaCenter.exe
PID 960 wrote to memory of 1668    960    0a447c43387c247e6d7a318a57dc4d1add02419eac0c72fd552aad84bba397b1.exe    MediaCenter.exe
PID 960 wrote to memory of 1668    960    0a447c43387c247e6d7a318a57dc4d1add02419eac0c72fd552aad84bba397b1.exe    MediaCenter.exe
PID 960 wrote to memory of 1668    960    0a447c43387c247e6d7a318a57dc4d1add02419eac0c72fd552aad84bba397b1.exe    MediaCenter.exe
PID 960 wrote to memory of 1640    960    0a447c43387c247e6d7a318a57dc4d1add02419eac0c72fd552aad84bba397b1.exe    cmd.exe
PID 960 wrote to memory of 1640    960    0a447c43387c247e6d7a318a57dc4d1add02419eac0c72fd552aad84bba397b1.exe    cmd.exe
PID 960 wrote to memory of 1640    960    0a447c43387c247e6d7a318a57dc4d1add02419eac0c72fd552aad84bba397b1.exe    cmd.exe
PID 960 wrote to memory of 1640    960    0a447c43387c247e6d7a318a57dc4d1add02419eac0c72fd552aad84bba397b1.exe    cmd.exe
PID 1640 wrote to memory of 1292   1640   cmd.exe                                                                  PING.EXE
PID 1640 wrote to memory of 1292   1640   cmd.exe                                                                  PING.EXE
PID 1640 wrote to memory of 1292   1640   cmd.exe                                                                  PING.EXE
PID 1640 wrote to memory of 1292   1640   cmd.exe                                                                  PING.EXE
Processes
C:\Users\Admin\AppData\Local\Temp\0a447c43387c247e6d7a318a57dc4d1add02419eac0c72fd552aad84bba397b1.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0a447c43387c247e6d7a318a57dc4d1add02419eac0c72fd552aad84bba397b1.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 960
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1668
  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0a447c43387c247e6d7a318a57dc4d1add02419eac0c72fd552aad84bba397b1.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1640
    C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1292
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 7be9d6f77ccd7767d70ad2dba3206d15
  SHA1: 9016d54aa32b09c1c87c59aa43bffa1e4408276e
  SHA256: 46db793f4221fcef2d15935b834c54c9ca76cb6db43cb9a290bdb8b228430b21
  SHA512: 209f634a0ab89bd89cee42ee19ffd29aec01ce96b474e9429678954d9a7b072c24b28b0f2c559c9b25569a80ae316fc5aed8e67a8ad05cb20719874aa0e7b1be
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 7be9d6f77ccd7767d70ad2dba3206d15
  SHA1: 9016d54aa32b09c1c87c59aa43bffa1e4408276e
  SHA256: 46db793f4221fcef2d15935b834c54c9ca76cb6db43cb9a290bdb8b228430b21
  SHA512: 209f634a0ab89bd89cee42ee19ffd29aec01ce96b474e9429678954d9a7b072c24b28b0f2c559c9b25569a80ae316fc5aed8e67a8ad05cb20719874aa0e7b1be
memory/960-55-0x0000000076921000-0x0000000076923000-memory.dmp
  Filesize: 8KB
memory/960-59-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB
memory/1668-60-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB