Analysis
- max time kernel: 135s
- max time network: 161s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 09:35
Static task: static1
Behavioral task: behavioral1
  Sample: 0985df5e29fe59f922d77b606089810020f48725ec7fc4cb84b815ed6b876328.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0985df5e29fe59f922d77b606089810020f48725ec7fc4cb84b815ed6b876328.exe
  Resource: win10v2004-en-20220112
General
- Target: 0985df5e29fe59f922d77b606089810020f48725ec7fc4cb84b815ed6b876328.exe
- Size: 80KB
- MD5: 0771a14c1e29190001baaa5cc4ab50ca
- SHA1: 3fd5214e57390911d3eb2a84bfc3ee6215c2a8a6
- SHA256: 0985df5e29fe59f922d77b606089810020f48725ec7fc4cb84b815ed6b876328
- SHA512: 1839870c0d08619076443d6705d4b3c0d64bd2328c6d10e0d70180523e35dc71e792310d2afe3792b979d0f38ca1fec5d0cc3d8b942cc52ba8a11904bd866667
Malware Config
Signatures

Sakula Payload (3 IoCs)
Processes:
- resource: \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe; yara_rule: family_sakula
- resource: \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe; yara_rule: family_sakula
- resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe; yara_rule: family_sakula

Executes dropped EXE (1 IoC)
Processes:
- pid: 1744; process: MediaCenter.exe

Deletes itself (1 IoC)
Processes:
- pid: 2040; process: cmd.exe

Loads dropped DLL (2 IoCs)
Processes:
- pid: 1608; process: 0985df5e29fe59f922d77b606089810020f48725ec7fc4cb84b815ed6b876328.exe
- pid: 1608; process: 0985df5e29fe59f922d77b606089810020f48725ec7fc4cb84b815ed6b876328.exe

Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
- description: Set value (str); ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"; process: 0985df5e29fe59f922d77b606089810020f48725ec7fc4cb84b815ed6b876328.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTP, 1 IoC)

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
- description: Token: SeIncBasePriorityPrivilege; pid: 1608; process: 0985df5e29fe59f922d77b606089810020f48725ec7fc4cb84b815ed6b876328.exe

Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
- description: PID 1608 wrote to memory of 1744; pid: 1608; process: 0985df5e29fe59f922d77b606089810020f48725ec7fc4cb84b815ed6b876328.exe; target process: MediaCenter.exe
- description: PID 1608 wrote to memory of 1744; pid: 1608; process: 0985df5e29fe59f922d77b606089810020f48725ec7fc4cb84b815ed6b876328.exe; target process: MediaCenter.exe
- description: PID 1608 wrote to memory of 1744; pid: 1608; process: 0985df5e29fe59f922d77b606089810020f48725ec7fc4cb84b815ed6b876328.exe; target process: MediaCenter.exe
- description: PID 1608 wrote to memory of 1744; pid: 1608; process: 0985df5e29fe59f922d77b606089810020f48725ec7fc4cb84b815ed6b876328.exe; target process: MediaCenter.exe
- description: PID 1608 wrote to memory of 2040; pid: 1608; process: 0985df5e29fe59f922d77b606089810020f48725ec7fc4cb84b815ed6b876328.exe; target process: cmd.exe
- description: PID 1608 wrote to memory of 2040; pid: 1608; process: 0985df5e29fe59f922d77b606089810020f48725ec7fc4cb84b815ed6b876328.exe; target process: cmd.exe
- description: PID 1608 wrote to memory of 2040; pid: 1608; process: 0985df5e29fe59f922d77b606089810020f48725ec7fc4cb84b815ed6b876328.exe; target process: cmd.exe
- description: PID 1608 wrote to memory of 2040; pid: 1608; process: 0985df5e29fe59f922d77b606089810020f48725ec7fc4cb84b815ed6b876328.exe; target process: cmd.exe
- description: PID 2040 wrote to memory of 1280; pid: 2040; process: cmd.exe; target process: PING.EXE
- description: PID 2040 wrote to memory of 1280; pid: 2040; process: cmd.exe; target process: PING.EXE
- description: PID 2040 wrote to memory of 1280; pid: 2040; process: cmd.exe; target process: PING.EXE
- description: PID 2040 wrote to memory of 1280; pid: 2040; process: cmd.exe; target process: PING.EXE
Processes

C:\Users\Admin\AppData\Local\Temp\0985df5e29fe59f922d77b606089810020f48725ec7fc4cb84b815ed6b876328.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0985df5e29fe59f922d77b606089810020f48725ec7fc4cb84b815ed6b876328.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1608

  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (depth 2, child of PID 1608)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1744

  C:\Windows\SysWOW64\cmd.exe (depth 2, child of PID 1608)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0985df5e29fe59f922d77b606089810020f48725ec7fc4cb84b815ed6b876328.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 2040

    C:\Windows\SysWOW64\PING.EXE (depth 3, child of PID 2040)
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1280
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
- MD5: 71ca6a28e3fb87f19c393742a9680795
- SHA1: 116be02b6f011cec044ccb0c9c2e516f42ea5c3d
- SHA256: 88eea43dbaa2c1394aad5640111b2f5e2e5416288a6d1d0afeb3de59f6318388
- SHA512: 6c2fde0fae0c7b235c0f2df07881284a6dda8aab032eb81a30e4d557261ca8aea69e951dba5f52f5185f8e42fcab01e9c4871cd47174e0dbce7049f3d461dd58
-
memory/1608-55-0x00000000763B1000-0x00000000763B3000-memory.dmp
- Filesize: 8KB