Analysis
- max time kernel: 136s
- max time network: 158s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 09:38
Static task: static1
Behavioral task: behavioral1
  Sample: 09761ddb95ff9bfad75d25f90ce35bae69ebb36f557b17b3faa4d33bac9d9c96.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 09761ddb95ff9bfad75d25f90ce35bae69ebb36f557b17b3faa4d33bac9d9c96.exe
  Resource: win10v2004-en-20220113
General
- Target: 09761ddb95ff9bfad75d25f90ce35bae69ebb36f557b17b3faa4d33bac9d9c96.exe
- Size: 80KB
- MD5: 22632819c4c99dcbddfa629c6d0ec7ef
- SHA1: 48c2bd530c57be4e9b364fa060e5aff4dadcd162
- SHA256: 09761ddb95ff9bfad75d25f90ce35bae69ebb36f557b17b3faa4d33bac9d9c96
- SHA512: 3ce998328d3a927b33fbd8f960c7f02b1e007f8f6964eb51a3d41be329b318be896873278f090707adc1dbcbdd08caf3edcf47f358f9fbeac7d9515a6f591aaa
Malware Config
Signatures
- Sakula Payload (3 IoCs)
  Processes:
  resource | yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- Executes dropped EXE (1 IoC)
  Processes:
  pid | process
  1892 | MediaCenter.exe
- Deletes itself (1 IoC)
  Processes:
  pid | process
  440 | cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes:
  pid | process
  1712 | 09761ddb95ff9bfad75d25f90ce35bae69ebb36f557b17b3faa4d33bac9d9c96.exe
  1712 | 09761ddb95ff9bfad75d25f90ce35bae69ebb36f557b17b3faa4d33bac9d9c96.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 09761ddb95ff9bfad75d25f90ce35bae69ebb36f557b17b3faa4d33bac9d9c96.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 1712 | 09761ddb95ff9bfad75d25f90ce35bae69ebb36f557b17b3faa4d33bac9d9c96.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
  description | pid | process | target process
  PID 1712 wrote to memory of 1892 | 1712 | 09761ddb95ff9bfad75d25f90ce35bae69ebb36f557b17b3faa4d33bac9d9c96.exe | MediaCenter.exe
  PID 1712 wrote to memory of 1892 | 1712 | 09761ddb95ff9bfad75d25f90ce35bae69ebb36f557b17b3faa4d33bac9d9c96.exe | MediaCenter.exe
  PID 1712 wrote to memory of 1892 | 1712 | 09761ddb95ff9bfad75d25f90ce35bae69ebb36f557b17b3faa4d33bac9d9c96.exe | MediaCenter.exe
  PID 1712 wrote to memory of 1892 | 1712 | 09761ddb95ff9bfad75d25f90ce35bae69ebb36f557b17b3faa4d33bac9d9c96.exe | MediaCenter.exe
  PID 1712 wrote to memory of 440 | 1712 | 09761ddb95ff9bfad75d25f90ce35bae69ebb36f557b17b3faa4d33bac9d9c96.exe | cmd.exe
  PID 1712 wrote to memory of 440 | 1712 | 09761ddb95ff9bfad75d25f90ce35bae69ebb36f557b17b3faa4d33bac9d9c96.exe | cmd.exe
  PID 1712 wrote to memory of 440 | 1712 | 09761ddb95ff9bfad75d25f90ce35bae69ebb36f557b17b3faa4d33bac9d9c96.exe | cmd.exe
  PID 1712 wrote to memory of 440 | 1712 | 09761ddb95ff9bfad75d25f90ce35bae69ebb36f557b17b3faa4d33bac9d9c96.exe | cmd.exe
  PID 440 wrote to memory of 1932 | 440 | cmd.exe | PING.EXE
  PID 440 wrote to memory of 1932 | 440 | cmd.exe | PING.EXE
  PID 440 wrote to memory of 1932 | 440 | cmd.exe | PING.EXE
  PID 440 wrote to memory of 1932 | 440 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\09761ddb95ff9bfad75d25f90ce35bae69ebb36f557b17b3faa4d33bac9d9c96.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\09761ddb95ff9bfad75d25f90ce35bae69ebb36f557b17b3faa4d33bac9d9c96.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1712
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1892
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\09761ddb95ff9bfad75d25f90ce35bae69ebb36f557b17b3faa4d33bac9d9c96.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 440
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1932
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: e46ff5fab926c9888cdb1b2e576cc42f
  SHA1: 57f723d8a03c150a549ebeda5337cee19d50e657
  SHA256: 4cc8e37ed9d8604dbfa3df370833ad9c0699d586265e62cc0493d6745a650740
  SHA512: 4c3ce41471bfc019cf3247a9e3d36bf22c88a2c7e4f31488f5577bcf069be1737f21f33468ce1e801cf0fd65d70e0b70b92440012a9f0c1c4a941539a075abc5
- \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: e46ff5fab926c9888cdb1b2e576cc42f
  SHA1: 57f723d8a03c150a549ebeda5337cee19d50e657
  SHA256: 4cc8e37ed9d8604dbfa3df370833ad9c0699d586265e62cc0493d6745a650740
  SHA512: 4c3ce41471bfc019cf3247a9e3d36bf22c88a2c7e4f31488f5577bcf069be1737f21f33468ce1e801cf0fd65d70e0b70b92440012a9f0c1c4a941539a075abc5
- \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: e46ff5fab926c9888cdb1b2e576cc42f
  SHA1: 57f723d8a03c150a549ebeda5337cee19d50e657
  SHA256: 4cc8e37ed9d8604dbfa3df370833ad9c0699d586265e62cc0493d6745a650740
  SHA512: 4c3ce41471bfc019cf3247a9e3d36bf22c88a2c7e4f31488f5577bcf069be1737f21f33468ce1e801cf0fd65d70e0b70b92440012a9f0c1c4a941539a075abc5
- memory/1712-54-0x0000000075D61000-0x0000000075D63000-memory.dmp
  Filesize: 8KB