Analysis
-
max time kernel
122s
-
max time network
144s
-
platform
windows7_x64
-
resource
win7-en-20211208
-
submitted
12-02-2022 09:25
Static task
static1
Behavioral task
behavioral1
Sample
0a27f4ddc87156a44b6dcde76289c6c3e19f61b198a731ad96b7624bbb7e7358.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
0a27f4ddc87156a44b6dcde76289c6c3e19f61b198a731ad96b7624bbb7e7358.exe
Resource
win10v2004-en-20220113
General
-
Target
0a27f4ddc87156a44b6dcde76289c6c3e19f61b198a731ad96b7624bbb7e7358.exe
-
Size
99KB
-
MD5
c79472cb224ad9fc5d4bd22a482859ae
-
SHA1
af4e09f8a0ec1a800a85399c8bd5cc4d6d00b187
-
SHA256
0a27f4ddc87156a44b6dcde76289c6c3e19f61b198a731ad96b7624bbb7e7358
-
SHA512
9e47da182c3f498cbdd7cae698948816afffdf9723877fc169b81e9d19b2055de8aa3913a746afbe003fe0d7e5ca78e398a341f1a6fbb1eb92095311c64d024c
Malware Config
Signatures
-
Sakula Payload 3 IoCs
Processes:
resource yara_rule
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula
-
Executes dropped EXE 1 IoCs
Processes:
pid process
1224 MediaCenter.exe
-
Deletes itself 1 IoCs
Processes:
pid process
1984 cmd.exe
-
Loads dropped DLL 2 IoCs
Processes:
pid process
1848 0a27f4ddc87156a44b6dcde76289c6c3e19f61b198a731ad96b7624bbb7e7358.exe
1848 0a27f4ddc87156a44b6dcde76289c6c3e19f61b198a731ad96b7624bbb7e7358.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description ioc process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" 0a27f4ddc87156a44b6dcde76289c6c3e19f61b198a731ad96b7624bbb7e7358.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
description pid process
Token: SeIncBasePriorityPrivilege 1848 0a27f4ddc87156a44b6dcde76289c6c3e19f61b198a731ad96b7624bbb7e7358.exe
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
description pid process target process
PID 1848 wrote to memory of 1224 1848 0a27f4ddc87156a44b6dcde76289c6c3e19f61b198a731ad96b7624bbb7e7358.exe MediaCenter.exe
PID 1848 wrote to memory of 1224 1848 0a27f4ddc87156a44b6dcde76289c6c3e19f61b198a731ad96b7624bbb7e7358.exe MediaCenter.exe
PID 1848 wrote to memory of 1224 1848 0a27f4ddc87156a44b6dcde76289c6c3e19f61b198a731ad96b7624bbb7e7358.exe MediaCenter.exe
PID 1848 wrote to memory of 1224 1848 0a27f4ddc87156a44b6dcde76289c6c3e19f61b198a731ad96b7624bbb7e7358.exe MediaCenter.exe
PID 1848 wrote to memory of 1984 1848 0a27f4ddc87156a44b6dcde76289c6c3e19f61b198a731ad96b7624bbb7e7358.exe cmd.exe
PID 1848 wrote to memory of 1984 1848 0a27f4ddc87156a44b6dcde76289c6c3e19f61b198a731ad96b7624bbb7e7358.exe cmd.exe
PID 1848 wrote to memory of 1984 1848 0a27f4ddc87156a44b6dcde76289c6c3e19f61b198a731ad96b7624bbb7e7358.exe cmd.exe
PID 1848 wrote to memory of 1984 1848 0a27f4ddc87156a44b6dcde76289c6c3e19f61b198a731ad96b7624bbb7e7358.exe cmd.exe
PID 1984 wrote to memory of 1956 1984 cmd.exe PING.EXE
PID 1984 wrote to memory of 1956 1984 cmd.exe PING.EXE
PID 1984 wrote to memory of 1956 1984 cmd.exe PING.EXE
PID 1984 wrote to memory of 1956 1984 cmd.exe PING.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\0a27f4ddc87156a44b6dcde76289c6c3e19f61b198a731ad96b7624bbb7e7358.exe
"C:\Users\Admin\AppData\Local\Temp\0a27f4ddc87156a44b6dcde76289c6c3e19f61b198a731ad96b7624bbb7e7358.exe"
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1848
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  - Executes dropped EXE
  PID:1224
  C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0a27f4ddc87156a44b6dcde76289c6c3e19f61b198a731ad96b7624bbb7e7358.exe"
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:1984
    C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    - Runs ping.exe
    PID:1956
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5
8c8cd68d61d9b1677651570a7ef59f7c
SHA1
385b03c30be831ffcc3700db95e191f9957c8349
SHA256
57ec9d2f7723ae6bcf633d1f7d7845a3697ba576e106452e20cd6ca3d4c9c7a6
SHA512
b5454c20154ea6659bcdda902b9080252b06b3032338a48ea0f65d863bc8a24babf1c0a6f1391ff054c1bb11fdc2e79f7192e3e1340aaf9a4bd759e14c4eb35c
-
memory/1848-55-0x0000000075421000-0x0000000075423000-memory.dmp
Filesize
8KB