Analysis
-
max time kernel
125s -
max time network
152s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
12-02-2022 09:21
Static task
static1
Behavioral task
behavioral1
Sample
0a53368264bddb59f32c25ad10a2791e438c687b849b2294c99142a2315b2f01.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
0a53368264bddb59f32c25ad10a2791e438c687b849b2294c99142a2315b2f01.exe
Resource
win10v2004-en-20220113
General
-
Target
0a53368264bddb59f32c25ad10a2791e438c687b849b2294c99142a2315b2f01.exe
-
Size
100KB
-
MD5
48d3c6663a2af416dd5caf5be0ec1e68
-
SHA1
e83b09d0d005789252a557b33435000b5634c843
-
SHA256
0a53368264bddb59f32c25ad10a2791e438c687b849b2294c99142a2315b2f01
-
SHA512
b970bd8e8eb48c91517543ef1cdcf8a8f8887c7c8a04a697819b0289f49b69871c3f7e46b6501646c2e074a5ef82f673d4bec5ab3b22b6c1f0426de78cfb21c4
Malware Config
Signatures
-
Sakula Payload 3 IoCs
Processes:
resource yara_rule \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula -
Executes dropped EXE 1 IoCs
Processes:
MediaCenter.exepid process 1072 MediaCenter.exe -
Deletes itself 1 IoCs
Processes:
cmd.exepid process 440 cmd.exe -
Loads dropped DLL 2 IoCs
Processes:
0a53368264bddb59f32c25ad10a2791e438c687b849b2294c99142a2315b2f01.exepid process 2008 0a53368264bddb59f32c25ad10a2791e438c687b849b2294c99142a2315b2f01.exe 2008 0a53368264bddb59f32c25ad10a2791e438c687b849b2294c99142a2315b2f01.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
0a53368264bddb59f32c25ad10a2791e438c687b849b2294c99142a2315b2f01.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" 0a53368264bddb59f32c25ad10a2791e438c687b849b2294c99142a2315b2f01.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
0a53368264bddb59f32c25ad10a2791e438c687b849b2294c99142a2315b2f01.exedescription pid process Token: SeIncBasePriorityPrivilege 2008 0a53368264bddb59f32c25ad10a2791e438c687b849b2294c99142a2315b2f01.exe -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
0a53368264bddb59f32c25ad10a2791e438c687b849b2294c99142a2315b2f01.execmd.exedescription pid process target process PID 2008 wrote to memory of 1072 2008 0a53368264bddb59f32c25ad10a2791e438c687b849b2294c99142a2315b2f01.exe MediaCenter.exe PID 2008 wrote to memory of 1072 2008 0a53368264bddb59f32c25ad10a2791e438c687b849b2294c99142a2315b2f01.exe MediaCenter.exe PID 2008 wrote to memory of 1072 2008 0a53368264bddb59f32c25ad10a2791e438c687b849b2294c99142a2315b2f01.exe MediaCenter.exe PID 2008 wrote to memory of 1072 2008 0a53368264bddb59f32c25ad10a2791e438c687b849b2294c99142a2315b2f01.exe MediaCenter.exe PID 2008 wrote to memory of 440 2008 0a53368264bddb59f32c25ad10a2791e438c687b849b2294c99142a2315b2f01.exe cmd.exe PID 2008 wrote to memory of 440 2008 0a53368264bddb59f32c25ad10a2791e438c687b849b2294c99142a2315b2f01.exe cmd.exe PID 2008 wrote to memory of 440 2008 0a53368264bddb59f32c25ad10a2791e438c687b849b2294c99142a2315b2f01.exe cmd.exe PID 2008 wrote to memory of 440 2008 0a53368264bddb59f32c25ad10a2791e438c687b849b2294c99142a2315b2f01.exe cmd.exe PID 440 wrote to memory of 1760 440 cmd.exe PING.EXE PID 440 wrote to memory of 1760 440 cmd.exe PING.EXE PID 440 wrote to memory of 1760 440 cmd.exe PING.EXE PID 440 wrote to memory of 1760 440 cmd.exe PING.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\0a53368264bddb59f32c25ad10a2791e438c687b849b2294c99142a2315b2f01.exe"C:\Users\Admin\AppData\Local\Temp\0a53368264bddb59f32c25ad10a2791e438c687b849b2294c99142a2315b2f01.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2008 -
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeC:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe2⤵
- Executes dropped EXE
PID:1072 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0a53368264bddb59f32c25ad10a2791e438c687b849b2294c99142a2315b2f01.exe"2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:440 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.13⤵
- Runs ping.exe
PID:1760
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeMD5
ce18139bfc7647f42067d142074799d7
SHA18570eedac408f02bf5b30aaf54c1ae313fcbf51a
SHA256a3c539690399429cd8c4991aa34bcdfc1097d14f64fd33afb32331182737a90d
SHA512db32fb7813b9d1ee8f99b7880255d6016a20053a63ffbaab4e4cfb20c904acc0fa311bf78a2f235ea0e618fabe80f28845b8202ba6c619ef4cfdf36676ff4d26
-
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeMD5
ce18139bfc7647f42067d142074799d7
SHA18570eedac408f02bf5b30aaf54c1ae313fcbf51a
SHA256a3c539690399429cd8c4991aa34bcdfc1097d14f64fd33afb32331182737a90d
SHA512db32fb7813b9d1ee8f99b7880255d6016a20053a63ffbaab4e4cfb20c904acc0fa311bf78a2f235ea0e618fabe80f28845b8202ba6c619ef4cfdf36676ff4d26
-
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeMD5
ce18139bfc7647f42067d142074799d7
SHA18570eedac408f02bf5b30aaf54c1ae313fcbf51a
SHA256a3c539690399429cd8c4991aa34bcdfc1097d14f64fd33afb32331182737a90d
SHA512db32fb7813b9d1ee8f99b7880255d6016a20053a63ffbaab4e4cfb20c904acc0fa311bf78a2f235ea0e618fabe80f28845b8202ba6c619ef4cfdf36676ff4d26
-
memory/2008-55-0x00000000760F1000-0x00000000760F3000-memory.dmpFilesize
8KB