Analysis
- max time kernel: 147s
- max time network: 164s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 09:28
Static task: static1
Behavioral task: behavioral1
- Sample: 09f62a8b75044d2bfc13cfed89f3f4f78e175957c833e14baf7b3f885d7a0a68.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 09f62a8b75044d2bfc13cfed89f3f4f78e175957c833e14baf7b3f885d7a0a68.exe
- Resource: win10v2004-en-20220112
General
- Target: 09f62a8b75044d2bfc13cfed89f3f4f78e175957c833e14baf7b3f885d7a0a68.exe
- Size: 79KB
- MD5: 87ad6acbedddffae2ceb54d9dcaf17c1
- SHA1: 94d38b9a40bb485358e2ae9132d132d5190bd625
- SHA256: 09f62a8b75044d2bfc13cfed89f3f4f78e175957c833e14baf7b3f885d7a0a68
- SHA512: 29ba6d524cec0fd08f9296d4db02562ff0ecf79951e1c0cdf8f15767afd32470034804fc0726dbf8654fe4a2f468b9fb2551eac90a2b3b2a17b2459ec2cd83be
Malware Config
Signatures
- Sakula Payload (3 IoCs)
  Processes:
    resource | yara_rule
    \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
    \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- Executes dropped EXE (1 IoCs)
  Processes:
    pid | process
    1160 | MediaCenter.exe
- Deletes itself (1 IoCs)
  Processes:
    pid | process
    956 | cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes:
    pid | process
    1672 | 09f62a8b75044d2bfc13cfed89f3f4f78e175957c833e14baf7b3f885d7a0a68.exe
    1672 | 09f62a8b75044d2bfc13cfed89f3f4f78e175957c833e14baf7b3f885d7a0a68.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
    description | ioc | process
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 09f62a8b75044d2bfc13cfed89f3f4f78e175957c833e14baf7b3f885d7a0a68.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
    description | pid | process
    Token: SeIncBasePriorityPrivilege | 1672 | 09f62a8b75044d2bfc13cfed89f3f4f78e175957c833e14baf7b3f885d7a0a68.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
    description | pid | process | target process
    PID 1672 wrote to memory of 1160 | 1672 | 09f62a8b75044d2bfc13cfed89f3f4f78e175957c833e14baf7b3f885d7a0a68.exe | MediaCenter.exe
    PID 1672 wrote to memory of 1160 | 1672 | 09f62a8b75044d2bfc13cfed89f3f4f78e175957c833e14baf7b3f885d7a0a68.exe | MediaCenter.exe
    PID 1672 wrote to memory of 1160 | 1672 | 09f62a8b75044d2bfc13cfed89f3f4f78e175957c833e14baf7b3f885d7a0a68.exe | MediaCenter.exe
    PID 1672 wrote to memory of 1160 | 1672 | 09f62a8b75044d2bfc13cfed89f3f4f78e175957c833e14baf7b3f885d7a0a68.exe | MediaCenter.exe
    PID 1672 wrote to memory of 956 | 1672 | 09f62a8b75044d2bfc13cfed89f3f4f78e175957c833e14baf7b3f885d7a0a68.exe | cmd.exe
    PID 1672 wrote to memory of 956 | 1672 | 09f62a8b75044d2bfc13cfed89f3f4f78e175957c833e14baf7b3f885d7a0a68.exe | cmd.exe
    PID 1672 wrote to memory of 956 | 1672 | 09f62a8b75044d2bfc13cfed89f3f4f78e175957c833e14baf7b3f885d7a0a68.exe | cmd.exe
    PID 1672 wrote to memory of 956 | 1672 | 09f62a8b75044d2bfc13cfed89f3f4f78e175957c833e14baf7b3f885d7a0a68.exe | cmd.exe
    PID 956 wrote to memory of 336 | 956 | cmd.exe | PING.EXE
    PID 956 wrote to memory of 336 | 956 | cmd.exe | PING.EXE
    PID 956 wrote to memory of 336 | 956 | cmd.exe | PING.EXE
    PID 956 wrote to memory of 336 | 956 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\09f62a8b75044d2bfc13cfed89f3f4f78e175957c833e14baf7b3f885d7a0a68.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\09f62a8b75044d2bfc13cfed89f3f4f78e175957c833e14baf7b3f885d7a0a68.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1672
  Children:
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1160
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\09f62a8b75044d2bfc13cfed89f3f4f78e175957c833e14baf7b3f885d7a0a68.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 956
    Children:
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 336
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: d59683b9c9af86f34fe3422e57c0c62f
  SHA1: 2f9d474cee53d2c45c00beddc04ff4a21b571e65
  SHA256: c04ad9c4fa54603bf9eeae6347ea65c6310c22d93f962b5f2da513ba4cc25c42
  SHA512: 45b34a231eefb85a6aec0a4813108cb9ba664329a729ae8097f124007d084f33644ee23c66a8a09e39ebce5805defd524ccb0432f400eba25431b65bcd224585
- \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: d59683b9c9af86f34fe3422e57c0c62f
  SHA1: 2f9d474cee53d2c45c00beddc04ff4a21b571e65
  SHA256: c04ad9c4fa54603bf9eeae6347ea65c6310c22d93f962b5f2da513ba4cc25c42
  SHA512: 45b34a231eefb85a6aec0a4813108cb9ba664329a729ae8097f124007d084f33644ee23c66a8a09e39ebce5805defd524ccb0432f400eba25431b65bcd224585
- memory/1672-55-0x0000000075DF1000-0x0000000075DF3000-memory.dmp
  Filesize: 8KB