Analysis
- max time kernel: 118s
- max time network: 127s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 09:34
Static task: static1
Behavioral task: behavioral1
  Sample: 09aab2e374d4d8c0df66bc72ad1d91b6c005be504a07d2f43de58ed8018807a4.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 09aab2e374d4d8c0df66bc72ad1d91b6c005be504a07d2f43de58ed8018807a4.exe
  Resource: win10v2004-en-20220113
General
- Target: 09aab2e374d4d8c0df66bc72ad1d91b6c005be504a07d2f43de58ed8018807a4.exe
- Size: 99KB
- MD5: 85e6b105ed928568d652a411badd517a
- SHA1: 73545d58753259aa6c273c0cb328bde386285f98
- SHA256: 09aab2e374d4d8c0df66bc72ad1d91b6c005be504a07d2f43de58ed8018807a4
- SHA512: 75e64be7a8d6f12b2063ecd1f39074cefe9931f421a542a6b77af9f16ee6399549b14ddf686d552ad9f43237aea17d6e0de50d457b966bd543b8acb871a0f34a
Malware Config
Signatures
- Sakula Payload (3 IoCs)
  Processes:
    resource: \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe, yara_rule: family_sakula
    resource: \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe, yara_rule: family_sakula
    resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe, yara_rule: family_sakula
- Executes dropped EXE (1 IoCs)
  Processes: MediaCenter.exe
    pid: 320, process: MediaCenter.exe
- Deletes itself (1 IoCs)
  Processes: cmd.exe
    pid: 436, process: cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes: 09aab2e374d4d8c0df66bc72ad1d91b6c005be504a07d2f43de58ed8018807a4.exe
    pid: 808, process: 09aab2e374d4d8c0df66bc72ad1d91b6c005be504a07d2f43de58ed8018807a4.exe
    pid: 808, process: 09aab2e374d4d8c0df66bc72ad1d91b6c005be504a07d2f43de58ed8018807a4.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes: 09aab2e374d4d8c0df66bc72ad1d91b6c005be504a07d2f43de58ed8018807a4.exe
    description: Set value (str)
    ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
    process: 09aab2e374d4d8c0df66bc72ad1d91b6c005be504a07d2f43de58ed8018807a4.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: 09aab2e374d4d8c0df66bc72ad1d91b6c005be504a07d2f43de58ed8018807a4.exe
    description: Token: SeIncBasePriorityPrivilege, pid: 808, process: 09aab2e374d4d8c0df66bc72ad1d91b6c005be504a07d2f43de58ed8018807a4.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes: 09aab2e374d4d8c0df66bc72ad1d91b6c005be504a07d2f43de58ed8018807a4.exe, cmd.exe
    description: PID 808 wrote to memory of 320, pid: 808, process: 09aab2e374d4d8c0df66bc72ad1d91b6c005be504a07d2f43de58ed8018807a4.exe, target process: MediaCenter.exe
    description: PID 808 wrote to memory of 320, pid: 808, process: 09aab2e374d4d8c0df66bc72ad1d91b6c005be504a07d2f43de58ed8018807a4.exe, target process: MediaCenter.exe
    description: PID 808 wrote to memory of 320, pid: 808, process: 09aab2e374d4d8c0df66bc72ad1d91b6c005be504a07d2f43de58ed8018807a4.exe, target process: MediaCenter.exe
    description: PID 808 wrote to memory of 320, pid: 808, process: 09aab2e374d4d8c0df66bc72ad1d91b6c005be504a07d2f43de58ed8018807a4.exe, target process: MediaCenter.exe
    description: PID 808 wrote to memory of 436, pid: 808, process: 09aab2e374d4d8c0df66bc72ad1d91b6c005be504a07d2f43de58ed8018807a4.exe, target process: cmd.exe
    description: PID 808 wrote to memory of 436, pid: 808, process: 09aab2e374d4d8c0df66bc72ad1d91b6c005be504a07d2f43de58ed8018807a4.exe, target process: cmd.exe
    description: PID 808 wrote to memory of 436, pid: 808, process: 09aab2e374d4d8c0df66bc72ad1d91b6c005be504a07d2f43de58ed8018807a4.exe, target process: cmd.exe
    description: PID 808 wrote to memory of 436, pid: 808, process: 09aab2e374d4d8c0df66bc72ad1d91b6c005be504a07d2f43de58ed8018807a4.exe, target process: cmd.exe
    description: PID 436 wrote to memory of 1104, pid: 436, process: cmd.exe, target process: PING.EXE
    description: PID 436 wrote to memory of 1104, pid: 436, process: cmd.exe, target process: PING.EXE
    description: PID 436 wrote to memory of 1104, pid: 436, process: cmd.exe, target process: PING.EXE
    description: PID 436 wrote to memory of 1104, pid: 436, process: cmd.exe, target process: PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\09aab2e374d4d8c0df66bc72ad1d91b6c005be504a07d2f43de58ed8018807a4.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\09aab2e374d4d8c0df66bc72ad1d91b6c005be504a07d2f43de58ed8018807a4.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 808
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (level 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 320
  - C:\Windows\SysWOW64\cmd.exe (level 2)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\09aab2e374d4d8c0df66bc72ad1d91b6c005be504a07d2f43de58ed8018807a4.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 436
    - C:\Windows\SysWOW64\PING.EXE (level 3)
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1104
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: a8f4d8b057a25f850ae2fb9961a7f443
  SHA1: 0a21b1e569e9b406fb02f089af219a5203ff87a0
  SHA256: e1ad6ee3616c5c1f916fac95ac572411b54bc7f542cc9e656512a301577547a5
  SHA512: 33816d210aa62bd89646ceae64f3caef70fb3dfd92e4aa4f53a82d0fc49f3ae35ffd267cbda32d1d8de227c615ba21f5e740c5f6334e738b38cdb8fd32699120
- memory/808-54-0x00000000766D1000-0x00000000766D3000-memory.dmp
  Filesize: 8KB