Analysis
- max time kernel: 125s
- max time network: 141s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 09:25
Static task: static1
Behavioral task: behavioral1
- Sample: 0a1802b8d44666b6aa4fdc193039f1a8e09f76d130a7928b269aace057c3a2ca.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 0a1802b8d44666b6aa4fdc193039f1a8e09f76d130a7928b269aace057c3a2ca.exe
- Resource: win10v2004-en-20220112
General
- Target: 0a1802b8d44666b6aa4fdc193039f1a8e09f76d130a7928b269aace057c3a2ca.exe
- Size: 100KB
- MD5: 49e4e4d524617d172b03c3c0a8dd34fe
- SHA1: 1081c352202abf8a9000367b0c1229453f04ee4a
- SHA256: 0a1802b8d44666b6aa4fdc193039f1a8e09f76d130a7928b269aace057c3a2ca
- SHA512: 0e3398d46303a6e65ed2cd486e05e44080a558b26f12742f5f0ab960fa22cc3d41c556bb3e66d63a230f227a1c3be3663265bf5666830382eea5976df8149844
Malware Config
Signatures
- Sakula Payload (3 IoCs)
  Processes (resource | yara_rule):
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- Executes dropped EXE (1 IoC)
  Processes (pid | process):
  1472 | MediaCenter.exe
- Deletes itself (1 IoC)
  Processes (pid | process):
  1084 | cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid | process):
  1616 | 0a1802b8d44666b6aa4fdc193039f1a8e09f76d130a7928b269aace057c3a2ca.exe
  1616 | 0a1802b8d44666b6aa4fdc193039f1a8e09f76d130a7928b269aace057c3a2ca.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description | ioc | process):
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 0a1802b8d44666b6aa4fdc193039f1a8e09f76d130a7928b269aace057c3a2ca.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description | pid | process):
  Token: SeIncBasePriorityPrivilege | 1616 | 0a1802b8d44666b6aa4fdc193039f1a8e09f76d130a7928b269aace057c3a2ca.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description | pid | process | target process):
  PID 1616 wrote to memory of 1472 | 1616 | 0a1802b8d44666b6aa4fdc193039f1a8e09f76d130a7928b269aace057c3a2ca.exe | MediaCenter.exe (4 times)
  PID 1616 wrote to memory of 1084 | 1616 | 0a1802b8d44666b6aa4fdc193039f1a8e09f76d130a7928b269aace057c3a2ca.exe | cmd.exe (4 times)
  PID 1084 wrote to memory of 1984 | 1084 | cmd.exe | PING.EXE (4 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\0a1802b8d44666b6aa4fdc193039f1a8e09f76d130a7928b269aace057c3a2ca.exe (PID 1616)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0a1802b8d44666b6aa4fdc193039f1a8e09f76d130a7928b269aace057c3a2ca.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 1472)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 1084)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0a1802b8d44666b6aa4fdc193039f1a8e09f76d130a7928b269aace057c3a2ca.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 1984)
      Command line: ping 127.0.0.1
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 2495c9c5fed6fa3c27cab4158a961604
  SHA1: 071f3074eccffcf6a5a089072e2b19bb07f6690d
  SHA256: 60ba5a14006ca5b5aef89f41c14c92e339cc5ea337f3644697a24a43000d8b39
  SHA512: dcf21fe5f039fefb6e7f684009ddeb9b88bad9e2a4f5cbf24164d7d58c930f8830444762aa0d1583de75537b5ab57b209d6747e8999415f04593725beb72717b
- memory/1616-55-0x0000000075F81000-0x0000000075F83000-memory.dmp
  Filesize: 8KB