Analysis
-
max time kernel
120s -
max time network
126s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
12-02-2022 09:21
Static task
static1
Behavioral task
behavioral1
Sample
0a52c64f0963d5334d47924640ce13da3a93d42cb05d141fcc05eb42a18fc844.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
0a52c64f0963d5334d47924640ce13da3a93d42cb05d141fcc05eb42a18fc844.exe
Resource
win10v2004-en-20220112
General
-
Target
0a52c64f0963d5334d47924640ce13da3a93d42cb05d141fcc05eb42a18fc844.exe
-
Size
80KB
-
MD5
3df0a16cd79bdeeea9942c3476de8913
-
SHA1
1cab9e6b21e81a68a129c13c1653ce9d7df91638
-
SHA256
0a52c64f0963d5334d47924640ce13da3a93d42cb05d141fcc05eb42a18fc844
-
SHA512
e9e9fc7f4b64211d77670bbbfac222a0cae19be100be27fef584e36ba33238b0dd7c93956d410a9d32508736a1af6509cfe25e06ccad1ba17c1d191c424615fb
Malware Config
Signatures
-
Sakula Payload 3 IoCs
Processes:
resource yara_rule \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula -
Executes dropped EXE 1 IoCs
Processes:
MediaCenter.exepid process 1892 MediaCenter.exe -
Deletes itself 1 IoCs
Processes:
cmd.exepid process 1768 cmd.exe -
Loads dropped DLL 2 IoCs
Processes:
0a52c64f0963d5334d47924640ce13da3a93d42cb05d141fcc05eb42a18fc844.exepid process 1308 0a52c64f0963d5334d47924640ce13da3a93d42cb05d141fcc05eb42a18fc844.exe 1308 0a52c64f0963d5334d47924640ce13da3a93d42cb05d141fcc05eb42a18fc844.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
0a52c64f0963d5334d47924640ce13da3a93d42cb05d141fcc05eb42a18fc844.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" 0a52c64f0963d5334d47924640ce13da3a93d42cb05d141fcc05eb42a18fc844.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
0a52c64f0963d5334d47924640ce13da3a93d42cb05d141fcc05eb42a18fc844.exedescription pid process Token: SeIncBasePriorityPrivilege 1308 0a52c64f0963d5334d47924640ce13da3a93d42cb05d141fcc05eb42a18fc844.exe -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
0a52c64f0963d5334d47924640ce13da3a93d42cb05d141fcc05eb42a18fc844.execmd.exedescription pid process target process PID 1308 wrote to memory of 1892 1308 0a52c64f0963d5334d47924640ce13da3a93d42cb05d141fcc05eb42a18fc844.exe MediaCenter.exe PID 1308 wrote to memory of 1892 1308 0a52c64f0963d5334d47924640ce13da3a93d42cb05d141fcc05eb42a18fc844.exe MediaCenter.exe PID 1308 wrote to memory of 1892 1308 0a52c64f0963d5334d47924640ce13da3a93d42cb05d141fcc05eb42a18fc844.exe MediaCenter.exe PID 1308 wrote to memory of 1892 1308 0a52c64f0963d5334d47924640ce13da3a93d42cb05d141fcc05eb42a18fc844.exe MediaCenter.exe PID 1308 wrote to memory of 1768 1308 0a52c64f0963d5334d47924640ce13da3a93d42cb05d141fcc05eb42a18fc844.exe cmd.exe PID 1308 wrote to memory of 1768 1308 0a52c64f0963d5334d47924640ce13da3a93d42cb05d141fcc05eb42a18fc844.exe cmd.exe PID 1308 wrote to memory of 1768 1308 0a52c64f0963d5334d47924640ce13da3a93d42cb05d141fcc05eb42a18fc844.exe cmd.exe PID 1308 wrote to memory of 1768 1308 0a52c64f0963d5334d47924640ce13da3a93d42cb05d141fcc05eb42a18fc844.exe cmd.exe PID 1768 wrote to memory of 396 1768 cmd.exe PING.EXE PID 1768 wrote to memory of 396 1768 cmd.exe PING.EXE PID 1768 wrote to memory of 396 1768 cmd.exe PING.EXE PID 1768 wrote to memory of 396 1768 cmd.exe PING.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\0a52c64f0963d5334d47924640ce13da3a93d42cb05d141fcc05eb42a18fc844.exe"C:\Users\Admin\AppData\Local\Temp\0a52c64f0963d5334d47924640ce13da3a93d42cb05d141fcc05eb42a18fc844.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1308 -
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeC:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe2⤵
- Executes dropped EXE
PID:1892 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0a52c64f0963d5334d47924640ce13da3a93d42cb05d141fcc05eb42a18fc844.exe"2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1768 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.13⤵
- Runs ping.exe
PID:396
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeMD5
7f24c27edbdc85017cd87468b29744b9
SHA1be7fb8daa703e707492f35b77abbfc45a05c64bc
SHA2568ea38f223d2960cab567357f46ff3ab2d0217effc5a02c99069e56d66f83f86e
SHA5129744cfb5bea89e79cdd7c3333995a1e18a6ddf96113879be7a1e49df64c4f5458a6e18c16e3bf15431bd7b300e7983fd1121185257b638e666678fe87bdcd159
-
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeMD5
7f24c27edbdc85017cd87468b29744b9
SHA1be7fb8daa703e707492f35b77abbfc45a05c64bc
SHA2568ea38f223d2960cab567357f46ff3ab2d0217effc5a02c99069e56d66f83f86e
SHA5129744cfb5bea89e79cdd7c3333995a1e18a6ddf96113879be7a1e49df64c4f5458a6e18c16e3bf15431bd7b300e7983fd1121185257b638e666678fe87bdcd159
-
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeMD5
7f24c27edbdc85017cd87468b29744b9
SHA1be7fb8daa703e707492f35b77abbfc45a05c64bc
SHA2568ea38f223d2960cab567357f46ff3ab2d0217effc5a02c99069e56d66f83f86e
SHA5129744cfb5bea89e79cdd7c3333995a1e18a6ddf96113879be7a1e49df64c4f5458a6e18c16e3bf15431bd7b300e7983fd1121185257b638e666678fe87bdcd159
-
memory/1308-54-0x0000000076071000-0x0000000076073000-memory.dmpFilesize
8KB