Analysis
- max time kernel: 131s
- max time network: 140s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 09:33
Static task: static1
Behavioral task: behavioral1
  Sample: 09b35ef51a31817d84f0937c070200cc6f75fe73f892a19d00f0af9ec19ac8c2.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 09b35ef51a31817d84f0937c070200cc6f75fe73f892a19d00f0af9ec19ac8c2.exe
  Resource: win10v2004-en-20220112
General
- Target: 09b35ef51a31817d84f0937c070200cc6f75fe73f892a19d00f0af9ec19ac8c2.exe
- Size: 92KB
- MD5: 29e26e51b1c978c7366dcca103a09346
- SHA1: b8bf38ac669889aefcbfb26866db9ddca5cb5e24
- SHA256: 09b35ef51a31817d84f0937c070200cc6f75fe73f892a19d00f0af9ec19ac8c2
- SHA512: edff47b10e78a18ec4742d52800a868efdfeef0c4d54a3da51ec5609052ae65f634bbaabbeb6de802a1f48ff9ce4911bb3566a0e304f19794d28d37c4d72fe82
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  Processes:
  resource | yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- Executes dropped EXE (1 IoC)
  Processes: MediaCenter.exe
  pid | process
  1100 | MediaCenter.exe
- Deletes itself (1 IoC)
  Processes: cmd.exe
  pid | process
  1188 | cmd.exe
- Loads dropped DLL (1 IoC)
  Processes: 09b35ef51a31817d84f0937c070200cc6f75fe73f892a19d00f0af9ec19ac8c2.exe
  pid | process
  952 | 09b35ef51a31817d84f0937c070200cc6f75fe73f892a19d00f0af9ec19ac8c2.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: 09b35ef51a31817d84f0937c070200cc6f75fe73f892a19d00f0af9ec19ac8c2.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 09b35ef51a31817d84f0937c070200cc6f75fe73f892a19d00f0af9ec19ac8c2.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: 09b35ef51a31817d84f0937c070200cc6f75fe73f892a19d00f0af9ec19ac8c2.exe
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 952 | 09b35ef51a31817d84f0937c070200cc6f75fe73f892a19d00f0af9ec19ac8c2.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes: 09b35ef51a31817d84f0937c070200cc6f75fe73f892a19d00f0af9ec19ac8c2.exe, cmd.exe
  description | pid | process | target process
  PID 952 wrote to memory of 1100 | 952 | 09b35ef51a31817d84f0937c070200cc6f75fe73f892a19d00f0af9ec19ac8c2.exe | MediaCenter.exe
  PID 952 wrote to memory of 1100 | 952 | 09b35ef51a31817d84f0937c070200cc6f75fe73f892a19d00f0af9ec19ac8c2.exe | MediaCenter.exe
  PID 952 wrote to memory of 1100 | 952 | 09b35ef51a31817d84f0937c070200cc6f75fe73f892a19d00f0af9ec19ac8c2.exe | MediaCenter.exe
  PID 952 wrote to memory of 1100 | 952 | 09b35ef51a31817d84f0937c070200cc6f75fe73f892a19d00f0af9ec19ac8c2.exe | MediaCenter.exe
  PID 952 wrote to memory of 1188 | 952 | 09b35ef51a31817d84f0937c070200cc6f75fe73f892a19d00f0af9ec19ac8c2.exe | cmd.exe
  PID 952 wrote to memory of 1188 | 952 | 09b35ef51a31817d84f0937c070200cc6f75fe73f892a19d00f0af9ec19ac8c2.exe | cmd.exe
  PID 952 wrote to memory of 1188 | 952 | 09b35ef51a31817d84f0937c070200cc6f75fe73f892a19d00f0af9ec19ac8c2.exe | cmd.exe
  PID 952 wrote to memory of 1188 | 952 | 09b35ef51a31817d84f0937c070200cc6f75fe73f892a19d00f0af9ec19ac8c2.exe | cmd.exe
  PID 1188 wrote to memory of 1184 | 1188 | cmd.exe | PING.EXE
  PID 1188 wrote to memory of 1184 | 1188 | cmd.exe | PING.EXE
  PID 1188 wrote to memory of 1184 | 1188 | cmd.exe | PING.EXE
  PID 1188 wrote to memory of 1184 | 1188 | cmd.exe | PING.EXE
Processes
1. C:\Users\Admin\AppData\Local\Temp\09b35ef51a31817d84f0937c070200cc6f75fe73f892a19d00f0af9ec19ac8c2.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\09b35ef51a31817d84f0937c070200cc6f75fe73f892a19d00f0af9ec19ac8c2.exe"
   PID: 952
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      PID: 1100
      - Executes dropped EXE
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\09b35ef51a31817d84f0937c070200cc6f75fe73f892a19d00f0af9ec19ac8c2.exe"
      PID: 1188
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\PING.EXE
         Command line: ping 127.0.0.1
         PID: 1184
         - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 9ca2a1770df281711b0fc363479b49f3
  SHA1: 560c703ff7e54a4f8515832e00961982d7a9769b
  SHA256: f577a8a7b757f54b8fef21a5629da456a2df160356cd197dc912124cc4ad73b5
  SHA512: 850049426c477a00514026af41f3e51d7da133cf2114a3ac76b3eea9cb59487374870c905034eb32695fb5feb972fc53f2f83397db7c0dada08cb3acbdfb555c
- \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 9ca2a1770df281711b0fc363479b49f3
  SHA1: 560c703ff7e54a4f8515832e00961982d7a9769b
  SHA256: f577a8a7b757f54b8fef21a5629da456a2df160356cd197dc912124cc4ad73b5
  SHA512: 850049426c477a00514026af41f3e51d7da133cf2114a3ac76b3eea9cb59487374870c905034eb32695fb5feb972fc53f2f83397db7c0dada08cb3acbdfb555c
- memory/952-54-0x0000000075AB1000-0x0000000075AB3000-memory.dmp
  Filesize: 8KB