Analysis
- max time kernel: 139s
- max time network: 169s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 09:27
Static task: static1
Behavioral task: behavioral1
  Sample: 0a0b10adcb14ddf6c0817206884f3d90c114e21ba96a1825b401eaf49f8d7b9f.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0a0b10adcb14ddf6c0817206884f3d90c114e21ba96a1825b401eaf49f8d7b9f.exe
  Resource: win10v2004-en-20220112
General
- Target: 0a0b10adcb14ddf6c0817206884f3d90c114e21ba96a1825b401eaf49f8d7b9f.exe
- Size: 191KB
- MD5: c15c7ba556c1cf25ca6c5dfd19555e31
- SHA1: bc176b64e59245311a44326fa17cb1fb54eaab15
- SHA256: 0a0b10adcb14ddf6c0817206884f3d90c114e21ba96a1825b401eaf49f8d7b9f
- SHA512: 1ca0397cce49a67b8bc3dc44e34e642041201f7215e4de7fc9424de099b587ff4adb1d35e7a69e506d20712337300481554bc3a130ee95144ddb06a80b71e32f
Malware Config
Signatures
- Sakula Payload (3 IoCs)
  Processes:
  resource | yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- Executes dropped EXE (1 IoC)
  Processes:
  pid | process
  1884 | MediaCenter.exe
- Deletes itself (1 IoC)
  Processes:
  pid | process
  432 | cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes:
  pid | process
  1072 | 0a0b10adcb14ddf6c0817206884f3d90c114e21ba96a1825b401eaf49f8d7b9f.exe
  1072 | 0a0b10adcb14ddf6c0817206884f3d90c114e21ba96a1825b401eaf49f8d7b9f.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 0a0b10adcb14ddf6c0817206884f3d90c114e21ba96a1825b401eaf49f8d7b9f.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 1072 | 0a0b10adcb14ddf6c0817206884f3d90c114e21ba96a1825b401eaf49f8d7b9f.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
  description | pid | process | target process
  PID 1072 wrote to memory of 1884 | 1072 | 0a0b10adcb14ddf6c0817206884f3d90c114e21ba96a1825b401eaf49f8d7b9f.exe | MediaCenter.exe
  PID 1072 wrote to memory of 1884 | 1072 | 0a0b10adcb14ddf6c0817206884f3d90c114e21ba96a1825b401eaf49f8d7b9f.exe | MediaCenter.exe
  PID 1072 wrote to memory of 1884 | 1072 | 0a0b10adcb14ddf6c0817206884f3d90c114e21ba96a1825b401eaf49f8d7b9f.exe | MediaCenter.exe
  PID 1072 wrote to memory of 1884 | 1072 | 0a0b10adcb14ddf6c0817206884f3d90c114e21ba96a1825b401eaf49f8d7b9f.exe | MediaCenter.exe
  PID 1072 wrote to memory of 432 | 1072 | 0a0b10adcb14ddf6c0817206884f3d90c114e21ba96a1825b401eaf49f8d7b9f.exe | cmd.exe
  PID 1072 wrote to memory of 432 | 1072 | 0a0b10adcb14ddf6c0817206884f3d90c114e21ba96a1825b401eaf49f8d7b9f.exe | cmd.exe
  PID 1072 wrote to memory of 432 | 1072 | 0a0b10adcb14ddf6c0817206884f3d90c114e21ba96a1825b401eaf49f8d7b9f.exe | cmd.exe
  PID 1072 wrote to memory of 432 | 1072 | 0a0b10adcb14ddf6c0817206884f3d90c114e21ba96a1825b401eaf49f8d7b9f.exe | cmd.exe
  PID 432 wrote to memory of 1972 | 432 | cmd.exe | PING.EXE
  PID 432 wrote to memory of 1972 | 432 | cmd.exe | PING.EXE
  PID 432 wrote to memory of 1972 | 432 | cmd.exe | PING.EXE
  PID 432 wrote to memory of 1972 | 432 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\0a0b10adcb14ddf6c0817206884f3d90c114e21ba96a1825b401eaf49f8d7b9f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0a0b10adcb14ddf6c0817206884f3d90c114e21ba96a1825b401eaf49f8d7b9f.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1072
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1884
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0a0b10adcb14ddf6c0817206884f3d90c114e21ba96a1825b401eaf49f8d7b9f.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 432
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1972
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 84ad2202502cb7292c929e15e0e66bb8
  SHA1: f05e8008338e74c17daa915c6f790144fdd4cb15
  SHA256: f1891e9eec09e92b6a4ee85bfa41a56d3c636dd1fb4c6fdb538e4f0b505741df
  SHA512: bbd8c060cba9916c15e770d6a1e89de6b044b97e46afcc088195648ebef01d414964b3b4e5f8370236dd57eca46a7f8d64a3b791d78453cbf0a1e3be89901657
- memory/1072-54-0x0000000075D61000-0x0000000075D63000-memory.dmp
  Filesize: 8KB