Analysis
- max time kernel: 139s
- max time network: 153s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 09:33
Static task: static1
Behavioral task: behavioral1
  Sample: 09adc10f86805d09ea113f969fad1715622a166fcaf690933acaf9b3dcfcdfd3.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 09adc10f86805d09ea113f969fad1715622a166fcaf690933acaf9b3dcfcdfd3.exe
  Resource: win10v2004-en-20220112
General
- Target: 09adc10f86805d09ea113f969fad1715622a166fcaf690933acaf9b3dcfcdfd3.exe
- Size: 89KB
- MD5: ad2ba37d4a2bfd4d1dd02d0ebb74aa19
- SHA1: 5e96b3093f2c75ca95296a225a1f124458125edc
- SHA256: 09adc10f86805d09ea113f969fad1715622a166fcaf690933acaf9b3dcfcdfd3
- SHA512: 52090137c162664f03b7239867afcc44b17e3e6bdabb34cde9d22cf90d310e4e1bb35ccff5998e532ac3a04a1d57640da4dc5e15787f50e41c8f98ee537ecdb0
Malware Config
Signatures
- Sakula Payload (4 IoCs)
  Processes (resource / yara_rule):
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe / family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe / family_sakula
  behavioral1/memory/1548-58-0x0000000000400000-0x000000000041B000-memory.dmp / family_sakula
  behavioral1/memory/1608-59-0x0000000000400000-0x000000000041B000-memory.dmp / family_sakula
- Executes dropped EXE (1 IoC)
  Processes (pid / process):
  1608 / MediaCenter.exe
- Deletes itself (1 IoC)
  Processes (pid / process):
  608 / cmd.exe
- Loads dropped DLL (1 IoC)
  Processes (pid / process):
  1548 / 09adc10f86805d09ea113f969fad1715622a166fcaf690933acaf9b3dcfcdfd3.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description / ioc / process):
  Set value (str) / \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" / 09adc10f86805d09ea113f969fad1715622a166fcaf690933acaf9b3dcfcdfd3.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description / pid / process):
  Token: SeIncBasePriorityPrivilege / 1548 / 09adc10f86805d09ea113f969fad1715622a166fcaf690933acaf9b3dcfcdfd3.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description / pid / process / target process):
  PID 1548 wrote to memory of 1608 / 1548 / 09adc10f86805d09ea113f969fad1715622a166fcaf690933acaf9b3dcfcdfd3.exe / MediaCenter.exe (4 events)
  PID 1548 wrote to memory of 608 / 1548 / 09adc10f86805d09ea113f969fad1715622a166fcaf690933acaf9b3dcfcdfd3.exe / cmd.exe (4 events)
  PID 608 wrote to memory of 1672 / 608 / cmd.exe / PING.EXE (4 events)
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\09adc10f86805d09ea113f969fad1715622a166fcaf690933acaf9b3dcfcdfd3.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\09adc10f86805d09ea113f969fad1715622a166fcaf690933acaf9b3dcfcdfd3.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1548
  - [2] C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1608
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\09adc10f86805d09ea113f969fad1715622a166fcaf690933acaf9b3dcfcdfd3.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 608
    - [3] C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1672
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 2a72ac5d1b6727676a6937c0d06c167f
  SHA1: 5f3f12a5c96b977fefe6969d8d0bcedc2c15e5a6
  SHA256: bfcf01592781ed3c825866f942e53aa2d74e942c11c1d046d065efcfb5aef9b4
  SHA512: 43a6499d3fbe5c1ebba7cefec630fe76b66ee3ff87939198228e5857d4e3fb7e3316e1ed03bc3d69a0b41678c39a41c4e8b57c141c17a468a6aaef7d8e3ab8ae
- \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 2a72ac5d1b6727676a6937c0d06c167f
  SHA1: 5f3f12a5c96b977fefe6969d8d0bcedc2c15e5a6
  SHA256: bfcf01592781ed3c825866f942e53aa2d74e942c11c1d046d065efcfb5aef9b4
  SHA512: 43a6499d3fbe5c1ebba7cefec630fe76b66ee3ff87939198228e5857d4e3fb7e3316e1ed03bc3d69a0b41678c39a41c4e8b57c141c17a468a6aaef7d8e3ab8ae
- memory/1548-54-0x0000000076451000-0x0000000076453000-memory.dmp
  Filesize: 8KB
- memory/1548-58-0x0000000000400000-0x000000000041B000-memory.dmp
  Filesize: 108KB
- memory/1608-59-0x0000000000400000-0x000000000041B000-memory.dmp
  Filesize: 108KB