Analysis
- max time kernel: 135s
- max time network: 146s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 09:29
Static task: static1
Behavioral task: behavioral1 (the run covered by the signatures and process tree below)
- Sample: 09e0e801e8ddfeeeab7908c8859aba2552e78413aad0661c84c3e966d9269f1d.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 09e0e801e8ddfeeeab7908c8859aba2552e78413aad0661c84c3e966d9269f1d.exe
- Resource: win10v2004-en-20220113
General
- Target: 09e0e801e8ddfeeeab7908c8859aba2552e78413aad0661c84c3e966d9269f1d.exe
- Size: 89KB
- MD5: d50589fe7e6df9885f779926d424899c
- SHA1: 9ea398b6bb9b3a61a29e886f20fab8184311779c
- SHA256: 09e0e801e8ddfeeeab7908c8859aba2552e78413aad0661c84c3e966d9269f1d
- SHA512: a4c0a8efb74ee17ed144bf6989ef7e0467befb319daaa976414462d03d6a3b6710855749bffbab915ddd1d4e2b3952b9a391feefdf76a8f273df64e57c9f60b3
Malware Config
Signatures
- Sakula Payload (4 IoCs)
  YARA rule family_sakula matched on:
  - \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (dropped file on disk)
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (dropped file on disk)
  - behavioral1/memory/1096-58-0x0000000000400000-0x000000000041B000-memory.dmp (image of the dropper, PID 1096)
  - behavioral1/memory/1664-59-0x0000000000400000-0x000000000041B000-memory.dmp (image of MediaCenter.exe, PID 1664)
  The rule fires both on the dropped MediaCenter.exe and on the mapped images of the dropper and the dropped process. Note that the on-disk hash of MediaCenter.exe (see Downloads) differs from the dropper's, so both sets of hashes are needed as file IoCs.
- Executes dropped EXE (1 IoC)
  MediaCenter.exe, PID 1664
- Deletes itself (1 IoC)
  cmd.exe, PID 1212
- Loads dropped DLL (1 IoC)
  09e0e801e8ddfeeeab7908c8859aba2552e78413aad0661c84c3e966d9269f1d.exe, PID 1096
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process 09e0e801e8ddfeeeab7908c8859aba2552e78413aad0661c84c3e966d9269f1d.exe set value (str):
  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  The Wow6432Node path (and the SysWOW64 cmd.exe/PING.EXE in the process tree) shows the sample is a 32-bit executable running on 64-bit Windows: its write to HKLM\SOFTWARE\...\Run is redirected by WOW64 registry redirection. When hunting on x64 hosts, check both the native Run key and its Wow6432Node counterpart.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox attaches the generic note "Likely ransomware behaviour" to this heuristic, but drive enumeration is common to many families; the YARA match above identifies this sample as Sakula, a remote-access trojan, not ransomware, and nothing else in this report (no file encryption, no ransom note) supports a ransomware reading.
- Runs ping.exe (1 TTP, 1 IoC)
  PING.EXE, PID 1948 (ping 127.0.0.1, used as a delay before the del in the cmd.exe command line)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  09e0e801e8ddfeeeab7908c8859aba2552e78413aad0661c84c3e966d9269f1d.exe, PID 1096: Token: SeIncBasePriorityPrivilege
- Suspicious use of WriteProcessMemory (12 IoCs)
  - PID 1096 (09e0e801e8ddfeeeab7908c8859aba2552e78413aad0661c84c3e966d9269f1d.exe) wrote to memory of PID 1664 (MediaCenter.exe), 4 times
  - PID 1096 (09e0e801e8ddfeeeab7908c8859aba2552e78413aad0661c84c3e966d9269f1d.exe) wrote to memory of PID 1212 (cmd.exe), 4 times
  - PID 1212 (cmd.exe) wrote to memory of PID 1948 (PING.EXE), 4 times
  In every case the writer is the direct parent of the target and the target was just created, which is the normal pattern of a parent setting up a child during process creation. On its own this signature is not evidence of code injection into an unrelated process.
Processes
- C:\Users\Admin\AppData\Local\Temp\09e0e801e8ddfeeeab7908c8859aba2552e78413aad0661c84c3e966d9269f1d.exe (PID 1096)
  Command line: "C:\Users\Admin\AppData\Local\Temp\09e0e801e8ddfeeeab7908c8859aba2552e78413aad0661c84c3e966d9269f1d.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 1664)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 1212)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\09e0e801e8ddfeeeab7908c8859aba2552e78413aad0661c84c3e966d9269f1d.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    The ping to 127.0.0.1 is only a delay: it gives the dropper time to exit so that the following del can remove the dropper's own executable, which would otherwise still be locked as a running image. The persistence point (MediaCenter.exe via the Run key) survives; only the original file is removed.
    - C:\Windows\SysWOW64\PING.EXE (PID 1948)
      Command line: ping 127.0.0.1
      - Runs ping.exe
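The two behaviours in this tree that are worth turning into detections are the delayed self-deletion (a child cmd.exe that pings and then deletes its parent's own image) and the Run-key value pointing into a user's Temp directory. The following is an added example, not part of the sandbox report: it runs both checks over process-creation and registry-write records constructed to mirror the report's process tree and Run-key IoC (the ProcessEvent/RegistryEvent shapes, the dropper's parent PID 1000 and the two negative cases are assumptions of this example).

```python
"""Detection logic for two behaviours recorded in this report: a child cmd.exe that
delays with ping and then deletes its parent's own executable (self-deletion), and a
Run-key value that points into a user's Temp directory (persistence). The event records
are constructed to mirror the report's process tree and registry IoC; they are not
sandbox output and the ProcessEvent/RegistryEvent shapes are this example's own."""
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    pid: int
    ppid: int
    image: str      # full path of the executing image
    cmdline: str    # raw command line as logged


@dataclass
class RegistryEvent:
    pid: int
    key: str
    value_name: str
    data: str


# Paths and PIDs taken from the report; the parent PID 1000 of the dropper is assumed.
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\09e0e801e8ddfeeeab7908c8859aba2552e78413aad0661c84c3e966d9269f1d.exe"
PAYLOAD = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

PROCESS_EVENTS = [
    ProcessEvent(1096, 1000, DROPPER, f'"{DROPPER}"'),
    ProcessEvent(1664, 1096, PAYLOAD, PAYLOAD),
    ProcessEvent(1212, 1096, r"C:\Windows\SysWOW64\cmd.exe",
                 rf'"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "{DROPPER}"'),
    ProcessEvent(1948, 1212, r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.1"),
    # Constructed negative case: a plain cleanup of an unrelated file must not fire.
    ProcessEvent(2001, 1096, r"C:\Windows\SysWOW64\cmd.exe",
                 r'"C:\Windows\System32\cmd.exe" /c del /q C:\Users\Admin\AppData\Local\Temp\install.log'),
]

REGISTRY_EVENTS = [
    RegistryEvent(1096, r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run",
                  "MicroMedia", PAYLOAD),
    # Constructed negative case: a Run value under Program Files is not flagged by this rule.
    RegistryEvent(2002, r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
                  "Updater", r"C:\Program Files\Vendor\updater.exe"),
]

# cmd.exe /c <ping|timeout ...> & <del|erase> [/switches] "<target>.exe"
SELF_DELETE_RE = re.compile(
    r'/c\s+(?:ping|timeout)\b[^&]*&+\s*(?:del|erase)(?:\s+/\w+)*\s+"?(?P<target>[^"&]+?\.exe)"?\s*$',
    re.IGNORECASE,
)
# Run and RunOnce under either the native or the Wow6432Node hive path.
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?$", re.IGNORECASE)
USER_TEMP_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)


def detect_self_deletion(events):
    """Return (cmd_pid, parent_pid, target) for every cmd.exe whose delayed del
    targets the image of its own parent process."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if not e.image.lower().endswith(r"\cmd.exe"):
            continue
        m = SELF_DELETE_RE.search(e.cmdline)
        if m is None:
            continue
        parent = by_pid.get(e.ppid)
        target = m.group("target").strip()
        if parent is not None and parent.image.lower() == target.lower():
            hits.append((e.pid, parent.pid, target))
    return hits


def detect_temp_run_key(events):
    """Return (pid, value_name, data) for Run/RunOnce values whose data points
    under a user's AppData\\Local\\Temp directory."""
    return [(e.pid, e.value_name, e.data)
            for e in events
            if RUN_KEY_RE.search(e.key) and USER_TEMP_RE.search(e.data)]


if __name__ == "__main__":
    for hit in detect_self_deletion(PROCESS_EVENTS):
        print("self-deletion:", hit)
    for hit in detect_temp_run_key(REGISTRY_EVENTS):
        print("temp run key:", hit)
```

The self-deletion check deliberately requires the del target to equal the parent's image path rather than flagging every `ping & del`; installers clean up temporary files this way too, and the parent-image comparison is what separates a program deleting itself from a program deleting something else. The Run-key check matches the Wow6432Node path as well as the native one, for the redirection reason noted under the Run-key signature above.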
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (also recorded as \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe, same file)
  - MD5: dd3fcf5b3e300a7b38559cbdb969b2f2
  - SHA1: 5f8865c0a2a3bceccd5f261c97fb7f5235aabaa4
  - SHA256: f0159cf27c38976d4640e99e6cead229aa6f09268abbaf0932f983271115591b
  - SHA512: 85f45d22c88aed024cc824423a4fa84b6bb0b62f22397f78e158e025e98a91717812e75a18038878331f2c1945c18044eccce0ed1777b1b0bac86be73bb1e921
- memory/1096-54-0x0000000076491000-0x0000000076493000-memory.dmp: 8KB
- memory/1096-58-0x0000000000400000-0x000000000041B000-memory.dmp: 108KB
- memory/1664-59-0x0000000000400000-0x000000000041B000-memory.dmp: 108KB
  (0x41B000 - 0x400000 = 0x1B000 = 110592 bytes, so the two 108KB dumps are the full mapped images of the dropper and of MediaCenter.exe at the default 0x400000 base.)