Analysis

max time kernel:   127s
max time network:  151s
platform:          windows7_x64
resource:          win7-en-20211208
submitted:         12-02-2022 09:28
Static task: static1

Behavioral task: behavioral1
  Sample:   0a01b97d1eef9c4e6ee069b0960189626eab417f013524d58d268dd13d5614e1.exe
  Resource: win7-en-20211208

Behavioral task: behavioral2
  Sample:   0a01b97d1eef9c4e6ee069b0960189626eab417f013524d58d268dd13d5614e1.exe
  Resource: win10v2004-en-20220112

(The analysis data on this page is from behavioral1, the windows7_x64 / win7-en-20211208 run.)
General

Target: 0a01b97d1eef9c4e6ee069b0960189626eab417f013524d58d268dd13d5614e1.exe
Size:   101KB
MD5:    f54dff0b267641bbdfa6875095a59098
SHA1:   bd0111a35630b4aa27de5ecf2f7d7f8d5132a25c
SHA256: 0a01b97d1eef9c4e6ee069b0960189626eab417f013524d58d268dd13d5614e1
SHA512: 09b447dbd1f3564795d08312532fde482eb8a2b5b951fe17901dd0e9e228bb53300e3beffb69906f013d52fc7eb3ede439e3a79c54d405e1366eb2abdf0d4ec9
Malware Config
Signatures
Sakula Payload (3 IoCs)
  resource                                                       yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe      family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe    family_sakula
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe      family_sakula

Executes dropped EXE (1 IoC)
  pid   process
  368   MediaCenter.exe

Deletes itself (1 IoC)
  pid   process
  1056  cmd.exe

Loads dropped DLL (2 IoCs)
  pid   process
  1824  0a01b97d1eef9c4e6ee069b0960189626eab417f013524d58d268dd13d5614e1.exe
  1824  0a01b97d1eef9c4e6ee069b0960189626eab417f013524d58d268dd13d5614e1.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc:         \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  process:     0a01b97d1eef9c4e6ee069b0960189626eab417f013524d58d268dd13d5614e1.exe (PID 1824)
  The Wow6432Node path means the value was written through the 32-bit registry view, i.e. the sample is a 32-bit executable running under WoW64 on this x64 guest; on a 32-bit host the same write lands in HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. Either way the autostart points at a file in the user's AppData\Local\Temp, which is the indicator to hunt for.

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature reads "Likely ransomware behaviour"; nothing else in this report (no mass file writes, no encryption, no ransom note) supports that for this sample, so treat the flag as a heuristic rather than a classification.

Runs ping.exe (1 TTPs, 1 IoC)
  (no process row recorded in this section; the ping is PID 1820 in the process tree)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description                         pid   process
  Token: SeIncBasePriorityPrivilege   1824  0a01b97d1eef9c4e6ee069b0960189626eab417f013524d58d268dd13d5614e1.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  description                        pid   process                                                                  target process   events
  PID 1824 wrote to memory of 368    1824  0a01b97d1eef9c4e6ee069b0960189626eab417f013524d58d268dd13d5614e1.exe   MediaCenter.exe  4
  PID 1824 wrote to memory of 1056   1824  0a01b97d1eef9c4e6ee069b0960189626eab417f013524d58d268dd13d5614e1.exe   cmd.exe          4
  PID 1056 wrote to memory of 1820   1056  cmd.exe                                                                  PING.EXE         4
  The twelve events are the three parent-to-child writes above, each recorded four times. Every target is a process the writer itself had just created, which is consistent with the parent's own CreateProcess call populating the child's process parameters rather than with injection into a foreign process; the report shows no write into a process the sample did not spawn.
Processes

C:\Users\Admin\AppData\Local\Temp\0a01b97d1eef9c4e6ee069b0960189626eab417f013524d58d268dd13d5614e1.exe  (PID 1824)
  command line: "C:\Users\Admin\AppData\Local\Temp\0a01b97d1eef9c4e6ee069b0960189626eab417f013524d58d268dd13d5614e1.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  (PID 368, child of 1824)
    command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE

  C:\Windows\SysWOW64\cmd.exe  (PID 1056, child of 1824)
    command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0a01b97d1eef9c4e6ee069b0960189626eab417f013524d58d268dd13d5614e1.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\PING.EXE  (PID 1820, child of 1056)
      command line: ping 127.0.0.1
      - Runs ping.exe

The cmd.exe line is the common self-delete idiom: ping 127.0.0.1 (four echoes, one second apart by default) serves as a short sleep so the original executable has exited and released its image file before del /q removes it. Note also that the recorded image is C:\Windows\SysWOW64\cmd.exe although the command line names C:\Windows\System32\cmd.exe: the 32-bit sample asked for System32 and WoW64 file system redirection substituted the 32-bit binary, matching the Wow6432Node registry write in the signatures above.
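Added example, not part of the sandbox report: detection logic in Python for the two behaviours the process tree and signatures above record, the cmd.exe ping-then-del self-delete chain and the Run-key value pointing into AppData\Local\Temp, run over event records transcribed from this report. The field names (pid, ppid, image, cmdline, key, value) are an assumed Sysmon-like schema, and the regular expressions and function names are the editor's, not the sandbox's. The self-delete check goes slightly beyond this sample by accepting any ping target, any del switches, and either & or && as the separator.

```python
"""Detection logic for the behaviours recorded in the report above:
(1) a cmd.exe "ping ... & del <path>" chain whose target is the parent's
own image (self-delete), and (2) a Run/RunOnce value pointing into a
user-writable directory, correlated with the writer's own child processes.
Events are constructed by hand from the sandbox report; the field names
are an assumed Sysmon-like schema, not the sandbox's export format."""
import re

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\0a01b97d1eef9c4e6ee069b0960189626eab417f013524d58d268dd13d5614e1.exe")
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

# Constructed process-creation events (values transcribed from the process tree).
PROCESS_EVENTS = [
    {"pid": 1824, "ppid": 0,    "image": SAMPLE,  "cmdline": f'"{SAMPLE}"'},
    {"pid": 368,  "ppid": 1824, "image": DROPPED, "cmdline": DROPPED},
    {"pid": 1056, "ppid": 1824, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"'},
    {"pid": 1820, "ppid": 1056, "image": r"C:\Windows\SysWOW64\PING.EXE",
     "cmdline": "ping 127.0.0.1"},
]

# Constructed registry-set event (value transcribed from the Run-key signature).
REGISTRY_EVENTS = [
    {"pid": 1824,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "value": DROPPED},
]

# "cmd /c ping <anything> & del [switches] <path>": captures the deleted path,
# quoted or not, with & or && between the two commands.
SELF_DELETE_RE = re.compile(
    r'/c\s+ping\b[^&]*&+\s*del\b[^"]*"?(?P<target>[A-Za-z]:\\[^"]+?)"?\s*$',
    re.IGNORECASE,
)

RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
# User-writable locations that a legitimate autostart entry rarely points into.
WRITABLE_DIR_RE = re.compile(
    r"\\AppData\\Local\\Temp\\|\\AppData\\Roaming\\|\\ProgramData\\|\\Users\\Public\\",
    re.IGNORECASE,
)


def find_self_deletes(events):
    """Return (cmd_pid, parent_pid, deleted_path) for every cmd.exe whose
    ping-then-del target equals its parent's image path: the parent spawned
    a shell to remove the parent's own file once the parent has exited."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if not e["image"].lower().endswith("\\cmd.exe"):
            continue
        m = SELF_DELETE_RE.search(e["cmdline"])
        if not m:
            continue
        target = m.group("target")
        parent = by_pid.get(e["ppid"])
        if parent is not None and parent["image"].lower() == target.lower():
            hits.append((e["pid"], parent["pid"], target))
    return hits


def find_suspicious_run_keys(reg_events, proc_events):
    """Return (writer_pid, value_name, path, dropped_by_writer) for Run/RunOnce
    values pointing into a user-writable directory. dropped_by_writer is True
    when the path is also the image of a child the writer spawned, i.e. the
    persistence target is a file the writer itself dropped and launched."""
    hits = []
    for r in reg_events:
        if not (RUN_KEY_RE.search(r["key"]) and WRITABLE_DIR_RE.search(r["value"])):
            continue
        path = r["value"].strip('"')
        dropped = any(p["ppid"] == r["pid"] and p["image"].lower() == path.lower()
                      for p in proc_events)
        hits.append((r["pid"], r["key"].rsplit("\\", 1)[-1], path, dropped))
    return hits


def wow64_redirected(event):
    """True when the recorded image lives in SysWOW64 although the command line
    named System32: a 32-bit parent asked for System32 and WoW64 file system
    redirection substituted the 32-bit binary."""
    return ("\\syswow64\\" in event["image"].lower()
            and "\\system32\\" in event["cmdline"].lower())


if __name__ == "__main__":
    for hit in find_self_deletes(PROCESS_EVENTS):
        print("self-delete:", hit)
    for hit in find_suspicious_run_keys(REGISTRY_EVENTS, PROCESS_EVENTS):
        print("run-key persistence:", hit)
    for e in PROCESS_EVENTS:
        if wow64_redirected(e):
            print("wow64 redirection:", e["pid"], e["image"])
```

On the events from this report the self-delete check returns the cmd.exe (1056) deleting its parent 1824's image, the Run-key check returns the MicroMedia value with dropped_by_writer set because PID 368 is a child of 1824 running that exact path, and only PID 1056 shows the System32-to-SysWOW64 redirection. Matching the del target against the parent's image, rather than alerting on any "ping & del", is what keeps installers and updaters that clean up temporary files from firing the rule.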
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
(the same file is also listed twice under the drive-less path \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe; all three entries carry identical hashes)
  MD5:    dd2c4e96de219b7fa03fac7bf7517e80
  SHA1:   6844020a87b3bb57756c53e664b71ba96b748d41
  SHA256: 7af82f1ed7d1f5db79388a6aaecf78ac5d06ac1ee5f8d763a8e52a1021895785
  SHA512: d8509d3568c738496f61f1d7bde4380f92063f2f8efd27f013f4895cd3adcb1254293d4f65cbb0b48351b2450f050fe303007750b61fd152eaa796eca7a9a30e

memory/1824-55-0x0000000075421000-0x0000000075423000-memory.dmp
  Filesize: 8KB