Analysis
- max time kernel: 155s
- max time network: 133s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 09:29
Static task: static1
Behavioral task: behavioral1
- Sample: 09e25ec0a48cc4d636d23c2c150eb32e71770f4678177403f47fddb079d1a842.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 09e25ec0a48cc4d636d23c2c150eb32e71770f4678177403f47fddb079d1a842.exe
- Resource: win10v2004-en-20220113
General
- Target: 09e25ec0a48cc4d636d23c2c150eb32e71770f4678177403f47fddb079d1a842.exe
- Size: 144KB
- MD5: 6b34b36340103c8966e5504de35dd681
- SHA1: cabc5ddc5130318d334c1ac5b3c1c380d96d4e6a
- SHA256: 09e25ec0a48cc4d636d23c2c150eb32e71770f4678177403f47fddb079d1a842
- SHA512: 8c4a7b91d58859f63ff0b85088fc6b77ab2384783627a3b4413a145b30d9c3eecfdc0722c185b50d9072c1960219bd8d73038d54eb1d29b10cbf96369dcdb95c
Malware Config
Signatures
- Sakula Payload (3 IoCs)
  resource | yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- Executes dropped EXE (1 IoC)
  pid | process
  948 | MediaCenter.exe
- Deletes itself (1 IoC)
  pid | process
  1084 | cmd.exe
- Loads dropped DLL (2 IoCs)
  pid | process
  812 | 09e25ec0a48cc4d636d23c2c150eb32e71770f4678177403f47fddb079d1a842.exe
  812 | 09e25ec0a48cc4d636d23c2c150eb32e71770f4678177403f47fddb079d1a842.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 09e25ec0a48cc4d636d23c2c150eb32e71770f4678177403f47fddb079d1a842.exe
  The value points into the user's Temp directory, so the dropped MediaCenter.exe is relaunched at every logon; the Wow6432Node path shows the writer is a 32-bit process on 64-bit Windows.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox attaches the generic text "Likely ransomware behaviour" to this signature; on its own it does not establish ransomware, and the payload here matched the Sakula YARA rule above.
- Runs ping.exe (1 TTP, 1 IoC)
  PING.EXE, PID 872, launched by cmd.exe (PID 1084); see the process tree below.
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 812 | 09e25ec0a48cc4d636d23c2c150eb32e71770f4678177403f47fddb079d1a842.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  source pid | source process | target pid | target process | events
  812 | 09e25ec0a48cc4d636d23c2c150eb32e71770f4678177403f47fddb079d1a842.exe | 948 | MediaCenter.exe | 4
  812 | 09e25ec0a48cc4d636d23c2c150eb32e71770f4678177403f47fddb079d1a842.exe | 1084 | cmd.exe | 4
  1084 | cmd.exe | 872 | PING.EXE | 4
  Each event reads "PID <source> wrote to memory of <target>". The only targets are the writer's own children, recorded right after their creation; read these as context for the process tree rather than as evidence of injection into unrelated processes.
Processes
- C:\Users\Admin\AppData\Local\Temp\09e25ec0a48cc4d636d23c2c150eb32e71770f4678177403f47fddb079d1a842.exe (PID 812, depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\09e25ec0a48cc4d636d23c2c150eb32e71770f4678177403f47fddb079d1a842.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 948, depth 2)
    command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 1084, depth 2)
    command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\09e25ec0a48cc4d636d23c2c150eb32e71770f4678177403f47fddb079d1a842.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 872, depth 3)
      command line: ping 127.0.0.1
      - Runs ping.exe

Two details in this tree are worth noting. The command line names System32\cmd.exe but the image that ran is SysWOW64\cmd.exe: the sample is a 32-bit process on 64-bit Windows, so file-system redirection maps System32 to SysWOW64, in the same way the Run key landed under Wow6432Node. The ping to 127.0.0.1 carries no network intent; it is a delay so that the original executable has exited and is no longer locked when del runs, leaving only the dropped MediaCenter.exe on disk.
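Three behaviours in the tree above carry most of the detection value: a Run key whose data points into the user's Temp directory, an executable in Temp launched by another Temp-resident process, and the cmd /c ping & del self-deletion aimed at the parent's own image. The Python below is an added example, not part of the sandbox report, showing how each would be flagged over Sysmon-style events. The paths and PIDs are taken from the report; the events themselves are constructed here (Sysmon field names Image, CommandLine, TargetObject, Details), and the parent PID of the top-level sample is an assumption since the report does not show what launched it.

```python
import re
from typing import Dict, List, Tuple

# Paths taken from the report. The events below are constructed for this
# example (Sysmon-style: EventID 1 = process create, EventID 13 = registry
# value set); they are not the sandbox's own telemetry.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\09e25ec0a48cc4d636d23c2c150eb32e71770f4678177403f47fddb079d1a842.exe")
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
RUN_VALUE = (r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows"
             r"\CurrentVersion\Run\MicroMedia")

EVENTS: List[Dict] = [
    # Parent PID 1000 is an assumption; the report does not show the launcher.
    {"EventID": 1, "ProcessId": 812, "ParentProcessId": 1000,
     "Image": SAMPLE, "CommandLine": f'"{SAMPLE}"'},
    {"EventID": 13, "ProcessId": 812, "Image": SAMPLE,
     "TargetObject": RUN_VALUE, "Details": DROPPED},
    {"EventID": 1, "ProcessId": 948, "ParentProcessId": 812,
     "Image": DROPPED, "CommandLine": DROPPED},
    {"EventID": 1, "ProcessId": 1084, "ParentProcessId": 812,
     "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"'},
    {"EventID": 1, "ProcessId": 872, "ParentProcessId": 1084,
     "Image": r"C:\Windows\SysWOW64\PING.EXE", "CommandLine": "ping 127.0.0.1"},
]

# Autostart keys under HKLM/HKCU, including the Wow6432Node view.
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
# User-writable locations that legitimate autostart entries rarely point into.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\(Local\\Temp|Local|Roaming)\\", re.I)
# cmd /c ping <host> ... & del [/switches] <target>: ping is the delay, del the cleanup.
SELF_DELETE = re.compile(
    r'cmd(\.exe)?"?\s+/c\s+ping\s+\S+.*?&\s*del\s+(?:/\w\s+)*"?(?P<target>[^"]+?)"?\s*$',
    re.I,
)


def _norm(path: str) -> str:
    """Strip surrounding quotes and case so paths from different fields compare."""
    return path.strip('"').lower()


def triage(events: List[Dict]) -> List[Tuple[str, str]]:
    """Return (finding, evidence) pairs for the three behaviours described above."""
    by_pid = {e["ProcessId"]: e for e in events if e["EventID"] == 1}
    findings: List[Tuple[str, str]] = []
    for e in events:
        if e["EventID"] == 13 and RUN_KEY.search(e["TargetObject"]):
            if USER_WRITABLE.search(e["Details"]):
                findings.append(("run_key_into_user_writable_path", _norm(e["Details"])))
            continue
        if e["EventID"] != 1:
            continue
        parent = by_pid.get(e["ParentProcessId"])
        # Self-deletion: only flag when the file being deleted is the parent's own image.
        m = SELF_DELETE.search(e["CommandLine"])
        if m and parent and _norm(m.group("target")) == _norm(parent["Image"]):
            findings.append(("self_delete_via_ping_then_del", _norm(parent["Image"])))
        # A Temp-resident process launching another executable out of Temp.
        if (parent and e["Image"].lower().endswith(".exe")
                and USER_WRITABLE.search(e["Image"])
                and USER_WRITABLE.search(parent["Image"])):
            findings.append(("dropped_exe_launched_from_temp", _norm(e["Image"])))
    return findings


if __name__ == "__main__":
    for kind, evidence in triage(EVENTS):
        print(f"{kind}: {evidence}")
```

The self-deletion check deliberately requires the del target to equal the parent's image path; matching on "ping & del" alone also fires on installers and update scripts that clean up a temporary file, whereas a process arranging the deletion of its own executable is the pattern the report labels "Deletes itself".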
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (recorded three times in the report, twice under the drive-less form \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe, all with identical hashes)
  MD5: 445233219bf7ac8fc50568d0be0940dd
  SHA1: 99e2d06c1905dcd938516cd399a151e1201e28bc
  SHA256: 5b75142d84e8d8db20f9397f72215bc02662b637f23ca370403bf2b7e66f1e51
  SHA512: 4243d6af02a65250ecce237d6b5ee84d8bedb7d67a0776e70a49c0e8406d02a1641b77b307c2ba8ae871786ecbef0433cbad38ef2785f8be9ed694b32d595eb3
- memory/812-54-0x0000000076C91000-0x0000000076C93000-memory.dmp
  Filesize: 8KB