Analysis
-
max time kernel
120s -
max time network
133s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
12-02-2022 09:37
Static task
static1
Behavioral task
behavioral1
Sample
097aae1a6ad8630c6613d3cdc32c84dcd89942697b4e825aa58d1051b6f7f3bc.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
097aae1a6ad8630c6613d3cdc32c84dcd89942697b4e825aa58d1051b6f7f3bc.exe
Resource
win10v2004-en-20220113
General
-
Target
097aae1a6ad8630c6613d3cdc32c84dcd89942697b4e825aa58d1051b6f7f3bc.exe
-
Size
101KB
-
MD5
9bccc66f78054616ee9b068de88a93a3
-
SHA1
aa2cbf6563e2dd024ec6a62fa2d0d49e6f6539c1
-
SHA256
097aae1a6ad8630c6613d3cdc32c84dcd89942697b4e825aa58d1051b6f7f3bc
-
SHA512
2f856ce2e9bc0c6d5f8600f9c258a4baccf86ee5879b6bff80f6dd0cb8da88bd4860019ee4c5c55e946a56542dab8629994246a625d7c55ba468fb09af31d886
Malware Config
Signatures
-
Sakula Payload 3 IoCs
Processes:
resource yara_rule \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula -
Executes dropped EXE 1 IoCs
Processes:
MediaCenter.exepid process 1428 MediaCenter.exe -
Deletes itself 1 IoCs
Processes:
cmd.exepid process 776 cmd.exe -
Loads dropped DLL 2 IoCs
Processes:
097aae1a6ad8630c6613d3cdc32c84dcd89942697b4e825aa58d1051b6f7f3bc.exepid process 1448 097aae1a6ad8630c6613d3cdc32c84dcd89942697b4e825aa58d1051b6f7f3bc.exe 1448 097aae1a6ad8630c6613d3cdc32c84dcd89942697b4e825aa58d1051b6f7f3bc.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
097aae1a6ad8630c6613d3cdc32c84dcd89942697b4e825aa58d1051b6f7f3bc.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" 097aae1a6ad8630c6613d3cdc32c84dcd89942697b4e825aa58d1051b6f7f3bc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
097aae1a6ad8630c6613d3cdc32c84dcd89942697b4e825aa58d1051b6f7f3bc.exedescription pid process Token: SeIncBasePriorityPrivilege 1448 097aae1a6ad8630c6613d3cdc32c84dcd89942697b4e825aa58d1051b6f7f3bc.exe -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
097aae1a6ad8630c6613d3cdc32c84dcd89942697b4e825aa58d1051b6f7f3bc.execmd.exedescription pid process target process PID 1448 wrote to memory of 1428 1448 097aae1a6ad8630c6613d3cdc32c84dcd89942697b4e825aa58d1051b6f7f3bc.exe MediaCenter.exe PID 1448 wrote to memory of 1428 1448 097aae1a6ad8630c6613d3cdc32c84dcd89942697b4e825aa58d1051b6f7f3bc.exe MediaCenter.exe PID 1448 wrote to memory of 1428 1448 097aae1a6ad8630c6613d3cdc32c84dcd89942697b4e825aa58d1051b6f7f3bc.exe MediaCenter.exe PID 1448 wrote to memory of 1428 1448 097aae1a6ad8630c6613d3cdc32c84dcd89942697b4e825aa58d1051b6f7f3bc.exe MediaCenter.exe PID 1448 wrote to memory of 776 1448 097aae1a6ad8630c6613d3cdc32c84dcd89942697b4e825aa58d1051b6f7f3bc.exe cmd.exe PID 1448 wrote to memory of 776 1448 097aae1a6ad8630c6613d3cdc32c84dcd89942697b4e825aa58d1051b6f7f3bc.exe cmd.exe PID 1448 wrote to memory of 776 1448 097aae1a6ad8630c6613d3cdc32c84dcd89942697b4e825aa58d1051b6f7f3bc.exe cmd.exe PID 1448 wrote to memory of 776 1448 097aae1a6ad8630c6613d3cdc32c84dcd89942697b4e825aa58d1051b6f7f3bc.exe cmd.exe PID 776 wrote to memory of 1096 776 cmd.exe PING.EXE PID 776 wrote to memory of 1096 776 cmd.exe PING.EXE PID 776 wrote to memory of 1096 776 cmd.exe PING.EXE PID 776 wrote to memory of 1096 776 cmd.exe PING.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\097aae1a6ad8630c6613d3cdc32c84dcd89942697b4e825aa58d1051b6f7f3bc.exe"C:\Users\Admin\AppData\Local\Temp\097aae1a6ad8630c6613d3cdc32c84dcd89942697b4e825aa58d1051b6f7f3bc.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1448 -
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeC:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe2⤵
- Executes dropped EXE
PID:1428 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\097aae1a6ad8630c6613d3cdc32c84dcd89942697b4e825aa58d1051b6f7f3bc.exe"2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:776 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.13⤵
- Runs ping.exe
PID:1096
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeMD5
26bfef5d2d99a90b05503266114dbb69
SHA1a70532d01dbf77fed40d637b2953b0ce8d922a84
SHA256edc3c5c8a89dc78d658382a75d3906c439dc5e80b12fa95a8ab65940af2a5182
SHA512150b3257ca7aea4cf583563884a830aeec5a5a2c1191034f33ec66abae9c4ab1e8c750c6b9cffd5b8a0d6b2fa8689c05018dc72b33d7f7e07c4c51eb689e17d7
-
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeMD5
26bfef5d2d99a90b05503266114dbb69
SHA1a70532d01dbf77fed40d637b2953b0ce8d922a84
SHA256edc3c5c8a89dc78d658382a75d3906c439dc5e80b12fa95a8ab65940af2a5182
SHA512150b3257ca7aea4cf583563884a830aeec5a5a2c1191034f33ec66abae9c4ab1e8c750c6b9cffd5b8a0d6b2fa8689c05018dc72b33d7f7e07c4c51eb689e17d7
-
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeMD5
26bfef5d2d99a90b05503266114dbb69
SHA1a70532d01dbf77fed40d637b2953b0ce8d922a84
SHA256edc3c5c8a89dc78d658382a75d3906c439dc5e80b12fa95a8ab65940af2a5182
SHA512150b3257ca7aea4cf583563884a830aeec5a5a2c1191034f33ec66abae9c4ab1e8c750c6b9cffd5b8a0d6b2fa8689c05018dc72b33d7f7e07c4c51eb689e17d7
-
memory/1448-54-0x0000000076421000-0x0000000076423000-memory.dmpFilesize
8KB