Analysis
- max time kernel: 146s
- max time network: 154s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 09:33
Static task: static1
Behavioral task: behavioral1
  Sample: 09afb02a9d645b6b6dd38d969bde96becb959e23f04f6dcb5ea7e44b6b7c6844.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 09afb02a9d645b6b6dd38d969bde96becb959e23f04f6dcb5ea7e44b6b7c6844.exe
  Resource: win10v2004-en-20220113
General
- Target: 09afb02a9d645b6b6dd38d969bde96becb959e23f04f6dcb5ea7e44b6b7c6844.exe
- Size: 216KB
- MD5: 851773e63e4cf5d828506b9e6b979ac5
- SHA1: 796eac7057f861e1d13963ca3d3a54ff8aa365d3
- SHA256: 09afb02a9d645b6b6dd38d969bde96becb959e23f04f6dcb5ea7e44b6b7c6844
- SHA512: 898f41cac4a13780d7add3c42c30153cb630c8c21be060add1b2b785df283e9164bbd96635ff1686a8c013af32b0490d646422bfad328c53831d0ff049ecc5b5
Malware Config
Signatures
- Sakula Payload (4 IoCs)
  Processes:
    resource                                                                       yara_rule
    \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe                     family_sakula
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe                   family_sakula
    behavioral1/memory/1088-58-0x0000000000400000-0x0000000000420000-memory.dmp    family_sakula
    behavioral1/memory/1760-59-0x0000000000400000-0x0000000000420000-memory.dmp    family_sakula
- Executes dropped EXE (1 IoC)
  Processes:
    pid    process
    1760   MediaCenter.exe
- Deletes itself (1 IoC)
  Processes:
    pid    process
    932    cmd.exe
- Loads dropped DLL (1 IoC)
  Processes:
    pid    process
    1088   09afb02a9d645b6b6dd38d969bde96becb959e23f04f6dcb5ea7e44b6b7c6844.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    description        ioc                                                                                                                                                              process
    Set value (str)    \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"    09afb02a9d645b6b6dd38d969bde96becb959e23f04f6dcb5ea7e44b6b7c6844.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description                             pid    process
    Token: SeIncBasePriorityPrivilege       1088   09afb02a9d645b6b6dd38d969bde96becb959e23f04f6dcb5ea7e44b6b7c6844.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
    description                     pid    process                                                                  target process
    PID 1088 wrote to memory of 1760    1088   09afb02a9d645b6b6dd38d969bde96becb959e23f04f6dcb5ea7e44b6b7c6844.exe    MediaCenter.exe
    PID 1088 wrote to memory of 1760    1088   09afb02a9d645b6b6dd38d969bde96becb959e23f04f6dcb5ea7e44b6b7c6844.exe    MediaCenter.exe
    PID 1088 wrote to memory of 1760    1088   09afb02a9d645b6b6dd38d969bde96becb959e23f04f6dcb5ea7e44b6b7c6844.exe    MediaCenter.exe
    PID 1088 wrote to memory of 1760    1088   09afb02a9d645b6b6dd38d969bde96becb959e23f04f6dcb5ea7e44b6b7c6844.exe    MediaCenter.exe
    PID 1088 wrote to memory of 932     1088   09afb02a9d645b6b6dd38d969bde96becb959e23f04f6dcb5ea7e44b6b7c6844.exe    cmd.exe
    PID 1088 wrote to memory of 932     1088   09afb02a9d645b6b6dd38d969bde96becb959e23f04f6dcb5ea7e44b6b7c6844.exe    cmd.exe
    PID 1088 wrote to memory of 932     1088   09afb02a9d645b6b6dd38d969bde96becb959e23f04f6dcb5ea7e44b6b7c6844.exe    cmd.exe
    PID 1088 wrote to memory of 932     1088   09afb02a9d645b6b6dd38d969bde96becb959e23f04f6dcb5ea7e44b6b7c6844.exe    cmd.exe
    PID 932 wrote to memory of 1828     932    cmd.exe                                                                  PING.EXE
    PID 932 wrote to memory of 1828     932    cmd.exe                                                                  PING.EXE
    PID 932 wrote to memory of 1828     932    cmd.exe                                                                  PING.EXE
    PID 932 wrote to memory of 1828     932    cmd.exe                                                                  PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\09afb02a9d645b6b6dd38d969bde96becb959e23f04f6dcb5ea7e44b6b7c6844.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\09afb02a9d645b6b6dd38d969bde96becb959e23f04f6dcb5ea7e44b6b7c6844.exe"
  PID: 1088
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 1760
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\09afb02a9d645b6b6dd38d969bde96becb959e23f04f6dcb5ea7e44b6b7c6844.exe"
    PID: 932
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 1828
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 20889158f8dc9bcdccd24f820b0c669e
  SHA1: c9c23cf8f9eb8090736b01e85263aa26ce24cdd6
  SHA256: 208f8f4794e11103487d73e57dbef74361a40cb32e8a4c738cebc9d49caa648c
  SHA512: 60f96bc33d52540213f22cbf0c473062b3f10166626fdb2a6b778b91740fff5f468eeae63c9f7c0cf2f16b04f599174d89977cc1e1fb6ab306a44aaa76d443aa
- \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 20889158f8dc9bcdccd24f820b0c669e
  SHA1: c9c23cf8f9eb8090736b01e85263aa26ce24cdd6
  SHA256: 208f8f4794e11103487d73e57dbef74361a40cb32e8a4c738cebc9d49caa648c
  SHA512: 60f96bc33d52540213f22cbf0c473062b3f10166626fdb2a6b778b91740fff5f468eeae63c9f7c0cf2f16b04f599174d89977cc1e1fb6ab306a44aaa76d443aa
- memory/1088-54-0x0000000075341000-0x0000000075343000-memory.dmp
  Filesize: 8KB
- memory/1088-58-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB
- memory/1760-59-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB