Analysis
- max time kernel: 119s
- max time network: 132s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 09:36
Static task: static1
Behavioral task: behavioral1
  Sample: 097ce089319fe404759f8b8ff5114489d2de2be1b987106d9029ee7ef34d9625.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 097ce089319fe404759f8b8ff5114489d2de2be1b987106d9029ee7ef34d9625.exe
  Resource: win10v2004-en-20220113
General
- Target: 097ce089319fe404759f8b8ff5114489d2de2be1b987106d9029ee7ef34d9625.exe
- Size: 191KB
- MD5: 3cec41a7e85791b9e5d54aba9fb022cb
- SHA1: ce04b260522132c191521962dcf9b26e20c2cecb
- SHA256: 097ce089319fe404759f8b8ff5114489d2de2be1b987106d9029ee7ef34d9625
- SHA512: 2a4a6b0a09f824e339466832d1aa90c40a56f8caa6c6779c0c5e06e99be78a3ac8fd27fbed8f8e2e2fde392e3a6c996389db912d327455a97a3e82bd4d118c13
Malware Config
Signatures
- Sakula Payload (3 IoCs)
  resource | yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- Executes dropped EXE (1 IoC)
  pid | process
  948 | MediaCenter.exe
- Deletes itself (1 IoC)
  pid | process
  740 | cmd.exe
- Loads dropped DLL (2 IoCs)
  pid | process
  812 | 097ce089319fe404759f8b8ff5114489d2de2be1b987106d9029ee7ef34d9625.exe
  812 | 097ce089319fe404759f8b8ff5114489d2de2be1b987106d9029ee7ef34d9625.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 097ce089319fe404759f8b8ff5114489d2de2be1b987106d9029ee7ef34d9625.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 812 | 097ce089319fe404759f8b8ff5114489d2de2be1b987106d9029ee7ef34d9625.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  description | pid | process | target process
  PID 812 wrote to memory of 948 | 812 | 097ce089319fe404759f8b8ff5114489d2de2be1b987106d9029ee7ef34d9625.exe | MediaCenter.exe
  PID 812 wrote to memory of 948 | 812 | 097ce089319fe404759f8b8ff5114489d2de2be1b987106d9029ee7ef34d9625.exe | MediaCenter.exe
  PID 812 wrote to memory of 948 | 812 | 097ce089319fe404759f8b8ff5114489d2de2be1b987106d9029ee7ef34d9625.exe | MediaCenter.exe
  PID 812 wrote to memory of 948 | 812 | 097ce089319fe404759f8b8ff5114489d2de2be1b987106d9029ee7ef34d9625.exe | MediaCenter.exe
  PID 812 wrote to memory of 740 | 812 | 097ce089319fe404759f8b8ff5114489d2de2be1b987106d9029ee7ef34d9625.exe | cmd.exe
  PID 812 wrote to memory of 740 | 812 | 097ce089319fe404759f8b8ff5114489d2de2be1b987106d9029ee7ef34d9625.exe | cmd.exe
  PID 812 wrote to memory of 740 | 812 | 097ce089319fe404759f8b8ff5114489d2de2be1b987106d9029ee7ef34d9625.exe | cmd.exe
  PID 812 wrote to memory of 740 | 812 | 097ce089319fe404759f8b8ff5114489d2de2be1b987106d9029ee7ef34d9625.exe | cmd.exe
  PID 740 wrote to memory of 1040 | 740 | cmd.exe | PING.EXE
  PID 740 wrote to memory of 1040 | 740 | cmd.exe | PING.EXE
  PID 740 wrote to memory of 1040 | 740 | cmd.exe | PING.EXE
  PID 740 wrote to memory of 1040 | 740 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\097ce089319fe404759f8b8ff5114489d2de2be1b987106d9029ee7ef34d9625.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\097ce089319fe404759f8b8ff5114489d2de2be1b987106d9029ee7ef34d9625.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 812
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 948
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\097ce089319fe404759f8b8ff5114489d2de2be1b987106d9029ee7ef34d9625.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 740
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1040
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: f61594173d58e2d6cc2e453095e4fc10
  SHA1: f78c02d731a0112ac59c3ad33e987895f6d77dec
  SHA256: 4e9be1c5e1188834c2123f394c41e04345b713303e0ea420c0c62a6d1fe0d37a
  SHA512: e55f05b3b96d34e2da0b1a62342b9ce5ef2afbb2efc85d806387bd238c95b49f4ebce0258b4a26773a3415325427be98f2a2056b5292d49209f518319da71e9e
- \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: f61594173d58e2d6cc2e453095e4fc10
  SHA1: f78c02d731a0112ac59c3ad33e987895f6d77dec
  SHA256: 4e9be1c5e1188834c2123f394c41e04345b713303e0ea420c0c62a6d1fe0d37a
  SHA512: e55f05b3b96d34e2da0b1a62342b9ce5ef2afbb2efc85d806387bd238c95b49f4ebce0258b4a26773a3415325427be98f2a2056b5292d49209f518319da71e9e
- \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: f61594173d58e2d6cc2e453095e4fc10
  SHA1: f78c02d731a0112ac59c3ad33e987895f6d77dec
  SHA256: 4e9be1c5e1188834c2123f394c41e04345b713303e0ea420c0c62a6d1fe0d37a
  SHA512: e55f05b3b96d34e2da0b1a62342b9ce5ef2afbb2efc85d806387bd238c95b49f4ebce0258b4a26773a3415325427be98f2a2056b5292d49209f518319da71e9e
- memory/812-54-0x0000000076C91000-0x0000000076C93000-memory.dmp
  Filesize: 8KB