Analysis
- max time kernel: 118s
- max time network: 133s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 09:32
Static task: static1
Behavioral task: behavioral1
  Sample: 09c3a4fa4b1a3ae3687f3ea6d23e9e15032569fb87288f784c7cfabcc60bd1ca.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 09c3a4fa4b1a3ae3687f3ea6d23e9e15032569fb87288f784c7cfabcc60bd1ca.exe
  Resource: win10v2004-en-20220112
General
- Target: 09c3a4fa4b1a3ae3687f3ea6d23e9e15032569fb87288f784c7cfabcc60bd1ca.exe
- Size: 192KB
- MD5: 3da4fa0fb356222d7f5fdb05414b44e5
- SHA1: 423b8d77336b4d152dee6b2da0f999cfbf38b84f
- SHA256: 09c3a4fa4b1a3ae3687f3ea6d23e9e15032569fb87288f784c7cfabcc60bd1ca
- SHA512: d7ea50d3910b1985bd829517760dc40663fc3a4b1b2b9c5abe5468d8f94e5d81b307a087b1da53d7e246bc69deabfcae77a9464fd4df860c78eb5de49089650f
Malware Config
Signatures
- Sakula Payload (3 IoCs)
  Processes (resource / yara_rule):
    \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe / family_sakula
    \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe / family_sakula
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe / family_sakula
- Executes dropped EXE (1 IoC)
  Processes (pid / process):
    1624 / MediaCenter.exe
- Deletes itself (1 IoC)
  Processes (pid / process):
    744 / cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid / process):
    1608 / 09c3a4fa4b1a3ae3687f3ea6d23e9e15032569fb87288f784c7cfabcc60bd1ca.exe
    1608 / 09c3a4fa4b1a3ae3687f3ea6d23e9e15032569fb87288f784c7cfabcc60bd1ca.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description / ioc / process):
    Set value (str) / \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" / 09c3a4fa4b1a3ae3687f3ea6d23e9e15032569fb87288f784c7cfabcc60bd1ca.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description / pid / process):
    Token: SeIncBasePriorityPrivilege / 1608 / 09c3a4fa4b1a3ae3687f3ea6d23e9e15032569fb87288f784c7cfabcc60bd1ca.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description / pid / process / target process):
    PID 1608 wrote to memory of 1624 / 1608 / 09c3a4fa4b1a3ae3687f3ea6d23e9e15032569fb87288f784c7cfabcc60bd1ca.exe / MediaCenter.exe (4 entries)
    PID 1608 wrote to memory of 744 / 1608 / 09c3a4fa4b1a3ae3687f3ea6d23e9e15032569fb87288f784c7cfabcc60bd1ca.exe / cmd.exe (4 entries)
    PID 744 wrote to memory of 1056 / 744 / cmd.exe / PING.EXE (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\09c3a4fa4b1a3ae3687f3ea6d23e9e15032569fb87288f784c7cfabcc60bd1ca.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\09c3a4fa4b1a3ae3687f3ea6d23e9e15032569fb87288f784c7cfabcc60bd1ca.exe"
  PID: 1608
  Signatures:
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  Children:
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 1624
    Signatures:
      - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\09c3a4fa4b1a3ae3687f3ea6d23e9e15032569fb87288f784c7cfabcc60bd1ca.exe"
    PID: 744
    Signatures:
      - Deletes itself
      - Suspicious use of WriteProcessMemory
    Children:
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 1056
      Signatures:
        - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: a3d8a7e4514b469f73bca5880641d524
  SHA1: 48b91ca59e19e15148da562fbdbee6aa118e1172
  SHA256: c8ee1bcf21e7091449b3f1a2a83083624a650babf2dc536d0958a2dedd452fff
  SHA512: c8b79cdebfee3c2ca8d3f40832c54bb5171c06279d0e035316037f82057c04cb6480293e5f545dea57acf6c8854d23708bccefea6778a23d7ac6844a773088cf
- \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: a3d8a7e4514b469f73bca5880641d524
  SHA1: 48b91ca59e19e15148da562fbdbee6aa118e1172
  SHA256: c8ee1bcf21e7091449b3f1a2a83083624a650babf2dc536d0958a2dedd452fff
  SHA512: c8b79cdebfee3c2ca8d3f40832c54bb5171c06279d0e035316037f82057c04cb6480293e5f545dea57acf6c8854d23708bccefea6778a23d7ac6844a773088cf
- memory/1608-55-0x0000000075AC1000-0x0000000075AC3000-memory.dmp
  Filesize: 8KB