Analysis

- max time kernel: 119s
- max time network: 130s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 09:32

Static task: static1

Behavioral task: behavioral1
  Sample: 09c3ca4af8a2b614932dd1b1f1aa375dac1503c7208f773dfd46bcf6539c7915.exe
  Resource: win7-en-20211208

Behavioral task: behavioral2
  Sample: 09c3ca4af8a2b614932dd1b1f1aa375dac1503c7208f773dfd46bcf6539c7915.exe
  Resource: win10v2004-en-20220113

General

- Target: 09c3ca4af8a2b614932dd1b1f1aa375dac1503c7208f773dfd46bcf6539c7915.exe
- Size: 79KB
- MD5: 6beea83af352b25b71073388e945770d
- SHA1: 918d34a49f2a636fdd0840fc375a34bffdcf9b21
- SHA256: 09c3ca4af8a2b614932dd1b1f1aa375dac1503c7208f773dfd46bcf6539c7915
- SHA512: b3504851164677dcb3cd0461c0ee386b7129d0b60dbb9b3cbb547437fe498679da9a886025513a74d17b42d004b3cf4e8177b31f67bc183c375ac7876c1f108e
Malware Config

Signatures

- Sakula Payload (3 IoCs)
  Processes (resource, yara_rule):
    \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe, family_sakula
    \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe, family_sakula
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe, family_sakula

- Executes dropped EXE (1 IoCs)
  Processes (pid, process):
    268, MediaCenter.exe

- Deletes itself (1 IoCs)
  Processes (pid, process):
    1604, cmd.exe

- Loads dropped DLL (2 IoCs)
  Processes (pid, process):
    1632, 09c3ca4af8a2b614932dd1b1f1aa375dac1503c7208f773dfd46bcf6539c7915.exe
    1632, 09c3ca4af8a2b614932dd1b1f1aa375dac1503c7208f773dfd46bcf6539c7915.exe

- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes (description, ioc, process):
    Set value (str), \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe", 09c3ca4af8a2b614932dd1b1f1aa375dac1503c7208f773dfd46bcf6539c7915.exe

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Runs ping.exe (1 TTPs, 1 IoCs)

- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes (description, pid, process):
    Token: SeIncBasePriorityPrivilege, 1632, 09c3ca4af8a2b614932dd1b1f1aa375dac1503c7208f773dfd46bcf6539c7915.exe

- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description, pid, process, target process):
    PID 1632 wrote to memory of 268, 1632, 09c3ca4af8a2b614932dd1b1f1aa375dac1503c7208f773dfd46bcf6539c7915.exe, MediaCenter.exe (4 entries)
    PID 1632 wrote to memory of 1604, 1632, 09c3ca4af8a2b614932dd1b1f1aa375dac1503c7208f773dfd46bcf6539c7915.exe, cmd.exe (4 entries)
    PID 1604 wrote to memory of 988, 1604, cmd.exe, PING.EXE (4 entries)
Processes

1. C:\Users\Admin\AppData\Local\Temp\09c3ca4af8a2b614932dd1b1f1aa375dac1503c7208f773dfd46bcf6539c7915.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\09c3ca4af8a2b614932dd1b1f1aa375dac1503c7208f773dfd46bcf6539c7915.exe"
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   PID: 1632

   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE
      PID: 268

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\09c3ca4af8a2b614932dd1b1f1aa375dac1503c7208f773dfd46bcf6539c7915.exe"
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      PID: 1604

      3. C:\Windows\SysWOW64\PING.EXE
         Command line: ping 127.0.0.1
         - Runs ping.exe
         PID: 988
Network
MITRE ATT&CK Enterprise v6
Downloads

- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  (also listed as \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe in two further entries with identical hashes)
  MD5: c2fb9adcba270fea100294985fec324c
  SHA1: 366533fdd01805cdac384af2ab330bfe6f82f5d4
  SHA256: d8e7ab00be2a0f02924b1e7c7eb176b46090817d05081b79f4569f6c1a87fe4b
  SHA512: d9e4093b0f41969ce4d5ba5f698f94dcbdd0fff8bbecbf9d5c35ba736c2ee72e9842cf15cf293d22ace26e6101deea98ab6bc899fd6b11461e890beaa6884e84

- memory/1632-54-0x0000000076141000-0x0000000076143000-memory.dmp
  Filesize: 8KB