Analysis
- max time kernel: 150s
- max time network: 155s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 09:25
Static task
- static1
Behavioral task
- behavioral1: Sample 0a23e00d4502b506bc2683ac2e95b00e6e795186d0739eacf913298f9cd8a89e.exe, Resource win7-en-20211208
Behavioral task
- behavioral2: Sample 0a23e00d4502b506bc2683ac2e95b00e6e795186d0739eacf913298f9cd8a89e.exe, Resource win10v2004-en-20220113
The signatures, process tree and downloads that follow are from the windows7_x64 run (win7-en-20211208, behavioral1).
General
- Target: 0a23e00d4502b506bc2683ac2e95b00e6e795186d0739eacf913298f9cd8a89e.exe
- Size: 99KB
- MD5: 0760e1744a92bfaafd0b72c1f25c4319
- SHA1: 5c40873ad4beb4a06c9d57faf80b3da02c05e4f0
- SHA256: 0a23e00d4502b506bc2683ac2e95b00e6e795186d0739eacf913298f9cd8a89e
- SHA512: 755905e7c1d79e24a7384090b953bbf43f0c4c22c16a31685ee37ad447c0caa7beed65e4e016c217bfc26325bea967187b845fd7dc8cb6f6b9c3a242d87f7bf4
Malware Config
Signatures
Sakula Payload (3 IoCs)
Matches (resource: YARA rule):
- \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe: family_sakula
- \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe: family_sakula
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe: family_sakula
Executes dropped EXE (1 IoC)
Processes:
- PID 944 MediaCenter.exe
Deletes itself (1 IoC)
Processes:
- PID 1032 cmd.exe
Loads dropped DLL (2 IoCs)
Processes:
- PID 1620 0a23e00d4502b506bc2683ac2e95b00e6e795186d0739eacf913298f9cd8a89e.exe (2 events)
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
- 0a23e00d4502b506bc2683ac2e95b00e6e795186d0739eacf913298f9cd8a89e.exe (PID 1620): Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description of this heuristic is "likely ransomware behaviour"; nothing else in this report (YARA classification family_sakula, one dropped executable, a Run key, self-deletion) shows any file encryption, so read the tag as the heuristic's stock wording rather than as a finding about this sample.
Runs ping.exe (1 TTP, 1 IoC)
Processes:
- PID 1540 PING.EXE (ping 127.0.0.1, spawned by cmd.exe PID 1032)
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
- 0a23e00d4502b506bc2683ac2e95b00e6e795186d0739eacf913298f9cd8a89e.exe (PID 1620): Token SeIncBasePriorityPrivilege
SeIncBasePriorityPrivilege only allows a process to raise scheduling priority; on its own it is weak evidence compared with the persistence and self-deletion recorded elsewhere in this report.
Suspicious use of WriteProcessMemory (12 IoCs)
Processes (source PID wrote to memory of target PID; 4 events each):
- 1620 0a23e00d4502b506bc2683ac2e95b00e6e795186d0739eacf913298f9cd8a89e.exe wrote to memory of 944 MediaCenter.exe
- 1620 0a23e00d4502b506bc2683ac2e95b00e6e795186d0739eacf913298f9cd8a89e.exe wrote to memory of 1032 cmd.exe
- 1032 cmd.exe wrote to memory of 1540 PING.EXE
Every pair is a parent writing into a child it has just launched (compare the process tree below); no write into an unrelated process is recorded, so this signature adds nothing beyond process creation here.
Processes
- C:\Users\Admin\AppData\Local\Temp\0a23e00d4502b506bc2683ac2e95b00e6e795186d0739eacf913298f9cd8a89e.exe (PID 1620)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0a23e00d4502b506bc2683ac2e95b00e6e795186d0739eacf913298f9cd8a89e.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 944, child of 1620)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 1032, child of 1620)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0a23e00d4502b506bc2683ac2e95b00e6e795186d0739eacf913298f9cd8a89e.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 1540, child of 1032)
      Command line: ping 127.0.0.1
      - Runs ping.exe

The cmd.exe command line names System32 but the image that actually ran is under SysWOW64: the dropper is a 32-bit process on windows7_x64 and is subject to WOW64 file-system redirection, which is also why its Run key landed under Wow6432Node. The ping to 127.0.0.1 is only a delay so that the dropper has exited before del removes its own file; the dropped MediaCenter.exe (PID 944) and the Run key pointing at it survive.
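The chain recorded above (a dropper writing MediaCenter.exe under the user's Temp directory, registering it under a Run key, then erasing its own image through cmd.exe /c ping 127.0.0.1 & del /q "<self>") is worth detecting in endpoint telemetry by behaviour rather than by hash alone. The script below is an added example, not part of this sandbox report or of any tool it references: it runs three checks over constructed Sysmon-style events modelled on the process tree above, with two benign control events. The event field names, the control events and the functions parse_self_delete and detect are assumptions of this example; the paths and SHA256 values are the ones listed in this report.

```python
import re

# Paths and hashes taken from the report.
DROPPER_NAME = "0a23e00d4502b506bc2683ac2e95b00e6e795186d0739eacf913298f9cd8a89e.exe"
DROPPER_PATH = r"C:\Users\Admin\AppData\Local\Temp" + "\\" + DROPPER_NAME
PAYLOAD_PATH = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
KNOWN_SHA256 = {
    "0a23e00d4502b506bc2683ac2e95b00e6e795186d0739eacf913298f9cd8a89e": "Sakula dropper",
    "a08eb24c7609192f122626ae337cf0533698a55306ca3b18e4054d66c7469454": "MediaCenter.exe (Sakula payload)",
}

# Constructed Sysmon-style events mirroring the report's process tree, plus two benign
# controls. The field names are an assumption of this example, not the sandbox's schema.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 1620, "ppid": 800, "image": DROPPER_PATH,
     "cmdline": f'"{DROPPER_PATH}"'},
    {"type": "file_create", "pid": 1620, "path": PAYLOAD_PATH,
     "sha256": "a08eb24c7609192f122626ae337cf0533698a55306ca3b18e4054d66c7469454"},
    {"type": "registry_set", "pid": 1620,
     "key": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "value": PAYLOAD_PATH},
    {"type": "process", "pid": 944, "ppid": 1620, "image": PAYLOAD_PATH, "cmdline": PAYLOAD_PATH},
    {"type": "process", "pid": 1032, "ppid": 1620, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{DROPPER_PATH}"'},
    {"type": "process", "pid": 1540, "ppid": 1032, "image": r"C:\Windows\SysWOW64\PING.EXE",
     "cmdline": "ping 127.0.0.1"},
    # Benign controls: a real connectivity check, and a vendor autostart under Program Files.
    {"type": "process", "pid": 2000, "ppid": 800, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": '"C:\\Windows\\System32\\cmd.exe" /c ping -n 3 8.8.8.8'},
    {"type": "registry_set", "pid": 2001,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "value": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background"},
]

PING_LOOPBACK_RE = re.compile(r"\bping\b.*\b127\.0\.0\.1\b", re.I)
DEL_RE = re.compile(r"^(?:del|erase)\s+(?:/\w+\s+)*(?P<target>.+?)\s*$", re.I)
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
USER_TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)


def parse_self_delete(cmdline):
    """Return the path deleted by a 'ping 127.0.0.1 & del <path>' chain, else None.

    The loopback ping is only a delay so the parent has exited before del runs.
    Splitting on '&' is enough for this idiom (paths containing '&' are not handled).
    """
    parts = [p.strip() for p in cmdline.split("&")]
    if not any(PING_LOOPBACK_RE.search(p) for p in parts):
        return None
    for p in parts:
        m = DEL_RE.match(p)
        if m:
            return m.group("target").strip().strip('"')
    return None


def detect(events):
    """Return (rule, pid, detail) triples for the behaviours the report attributes to the sample."""
    images = {e["pid"]: e["image"] for e in events if e["type"] == "process"}
    findings = []
    for e in events:
        if e["type"] == "process":
            target = parse_self_delete(e["cmdline"])
            if target is not None:
                # Strongest form: the deleted file is the parent's own image, i.e. the
                # dropper erasing itself after launching the payload.
                parent = images.get(e["ppid"], "")
                rule = "self_delete_parent" if parent.lower() == target.lower() else "self_delete_pattern"
                findings.append((rule, e["pid"], target))
        elif e["type"] == "registry_set":
            # Autostart entries should not point into a user's Temp directory.
            if RUN_KEY_RE.search(e["key"]) and USER_TEMP_RE.search(e["value"]):
                findings.append(("run_key_to_user_temp", e["pid"], e["value"]))
        elif e["type"] == "file_create":
            label = KNOWN_SHA256.get(e.get("sha256", "").lower())
            if label:
                findings.append(("known_sakula_hash", e["pid"], label))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:22} pid={pid:<5} {detail}")
```

Run against the constructed events, the three Sakula events each produce one finding and the two control events produce none. The self-deletion check compares the deleted path with the parent's image rather than matching the literal command line, so it also catches the same idiom with a different delay count or flag set, while the Run key check is deliberately generic (any autostart value under AppData\Local\Temp) rather than tied to the MicroMedia name.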
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 5a56099366461e9d0409bc533c38e40c
  SHA1: fbe88b20cf0546b8748a3d65a86315321c30605e
  SHA256: a08eb24c7609192f122626ae337cf0533698a55306ca3b18e4054d66c7469454
  SHA512: 0b8899f5d9ba6f7988cf24a30e73e7a19651293b36caeb0c9358dcce1a9420afbeee648d4e51064dbacdcc36f65fd37995b32e002084986f4336ba7868013b61
- \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (the same file recorded under its drive-less path; hashes identical)
  MD5: 5a56099366461e9d0409bc533c38e40c
  SHA1: fbe88b20cf0546b8748a3d65a86315321c30605e
  SHA256: a08eb24c7609192f122626ae337cf0533698a55306ca3b18e4054d66c7469454
  SHA512: 0b8899f5d9ba6f7988cf24a30e73e7a19651293b36caeb0c9358dcce1a9420afbeee648d4e51064dbacdcc36f65fd37995b32e002084986f4336ba7868013b61
- memory/1620-55-0x0000000076921000-0x0000000076923000-memory.dmp (memory dump from PID 1620; filesize 8KB)