Analysis
- max time kernel: 143s
- max time network: 156s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 09:37
Static task: static1
Behavioral task: behavioral1
- Sample: 0976a63cdb77bf2945b72b01e3e20d7c961566177d5a98703e753acca1d1a55b.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 0976a63cdb77bf2945b72b01e3e20d7c961566177d5a98703e753acca1d1a55b.exe
- Resource: win10v2004-en-20220113
General
- Target: 0976a63cdb77bf2945b72b01e3e20d7c961566177d5a98703e753acca1d1a55b.exe
- Size: 176KB
- MD5: ada8ef4ef4ac4570e23a51b480e7ec10
- SHA1: 8d43b967540a9b0c69b989c6e5a23623f0b42831
- SHA256: 0976a63cdb77bf2945b72b01e3e20d7c961566177d5a98703e753acca1d1a55b
- SHA512: 278ffd26e7f0028c522063497af7c3ced8c9acb8c39c734490414888e874a4c7b55964eaef6f9ac26894c910f18ffd0746853b210cfd919d4f3a2ae44eb0c268
Malware Config
Signatures
- Sakula Payload (4 IoCs)
  resource | yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  behavioral1/memory/812-59-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
  behavioral1/memory/1508-60-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
- Executes dropped EXE (1 IoC)
  pid | process
  1508 | MediaCenter.exe
- Deletes itself (1 IoC)
  pid | process
  716 | cmd.exe
  The deletion is performed by the child cmd.exe, not by the sample: Windows refuses to delete the image file of a running process, so the sample spawns a command shell that waits on a loopback ping and then runs del against the sample's own path once the parent has exited.
- Loads dropped DLL (1 IoC)
  pid | process
  812 | 0976a63cdb77bf2945b72b01e3e20d7c961566177d5a98703e753acca1d1a55b.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 0976a63cdb77bf2945b72b01e3e20d7c961566177d5a98703e753acca1d1a55b.exe
  The value sits under HKLM, i.e. machine-wide persistence, which succeeded because the sandbox runs the sample as the Admin user, and under Wow6432Node, the redirected view a 32-bit process gets of the 64-bit registry. On a 32-bit host, or from a 64-bit process, the same write lands in HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, so a hunt for the MicroMedia value should cover both paths.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic signature text labels this likely ransomware behaviour, but no encryption or mass file modification signature fires in this run and the payload matched the Sakula family rule, which covers a remote-access trojan; in this context the drive enumeration is better read as host reconnaissance.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 812 | 0976a63cdb77bf2945b72b01e3e20d7c961566177d5a98703e753acca1d1a55b.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  description | pid | process | target process
  PID 812 wrote to memory of 1508 (recorded 4 times) | 812 | 0976a63cdb77bf2945b72b01e3e20d7c961566177d5a98703e753acca1d1a55b.exe | MediaCenter.exe
  PID 812 wrote to memory of 716 (recorded 4 times) | 812 | 0976a63cdb77bf2945b72b01e3e20d7c961566177d5a98703e753acca1d1a55b.exe | cmd.exe
  PID 716 wrote to memory of 944 (recorded 4 times) | 716 | cmd.exe | PING.EXE
  Every write here goes from a parent into a child it spawned itself (the same parent/child pairs as the process tree below); no write into an unrelated or pre-existing process is recorded, so this signature on its own is not evidence of code injection.
Processes
C:\Users\Admin\AppData\Local\Temp\0976a63cdb77bf2945b72b01e3e20d7c961566177d5a98703e753acca1d1a55b.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\0976a63cdb77bf2945b72b01e3e20d7c961566177d5a98703e753acca1d1a55b.exe"
  PID: 812
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 1508
    - Executes dropped EXE
  C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0976a63cdb77bf2945b72b01e3e20d7c961566177d5a98703e753acca1d1a55b.exe"
    PID: 716
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\PING.EXE
      command line: ping 127.0.0.1
      PID: 944
      - Runs ping.exe
Two details of the tree are worth reading correctly. The sample asked for C:\Windows\System32\cmd.exe but the process image is C:\Windows\SysWOW64\cmd.exe: the sample is a 32-bit executable on 64-bit Windows, so file system redirection silently substituted the 32-bit shell (the Wow6432Node Run key above is the registry-side symptom of the same thing). And ping 127.0.0.1 is not network activity in any meaningful sense; it is the classic delay so that the parent process has exited before del runs, because the image of a running process cannot be deleted.
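Detection logic for the self-deletion chain in this process tree and for the Temp-directory Run key recorded under Signatures, written as an added example; it is not part of the sandbox report or of the sandbox's own code. It assumes Sysmon-style events flattened into Python dicts (id 1 for process creation with image, cmdline, pid and ppid; id 13 for a registry value set with target and details). The sample events are constructed to mirror the chain above plus two benign look-alikes, and the file name sample.exe stands in for the hash-named executable.

```python
import ntpath
import re

# Constructed sample events (not sandbox output), shaped like Sysmon
# Event ID 1 (process create) and Event ID 13 (registry value set).
# "sample.exe" stands in for the hash-named executable from the report.
EVENTS = [
    {"id": 1, "pid": 812, "ppid": 400,
     "image": r"C:\Users\Admin\AppData\Local\Temp\sample.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\sample.exe"'},
    {"id": 13, "pid": 812,
     "target": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "details": r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"},
    {"id": 1, "pid": 1508, "ppid": 812,
     "image": r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe",
     "cmdline": r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"},
    {"id": 1, "pid": 716, "ppid": 812,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q '
                r'"C:\Users\Admin\AppData\Local\Temp\sample.exe"'},
    {"id": 1, "pid": 944, "ppid": 716,
     "image": r"C:\Windows\SysWOW64\PING.EXE",
     "cmdline": r"ping 127.0.0.1"},
    # Benign look-alikes: a loopback ping with no delete, and a Run value
    # that points outside any Temp directory.
    {"id": 1, "pid": 2000, "ppid": 1999,
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c ping -n 3 127.0.0.1"},
    {"id": 13, "pid": 2001,
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "details": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'},
]

# "ping <loopback> ... & del [/switches] <path>" at the end of a command line.
SELF_DELETE_RE = re.compile(
    r'ping\s+(?:-n\s+\d+\s+)?(?:127\.0\.0\.1|localhost|::1)\b.*?&+\s*'
    r'del\b(?:\s+/\w)*\s+"?(?P<path>[^"&]+?)"?\s*$',
    re.IGNORECASE,
)
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(?:Once)?\\", re.IGNORECASE)
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
EXE_RE = re.compile(r'^"?(?P<exe>[^"]+?\.exe)"?', re.IGNORECASE)


def find_self_deletion(events):
    """Return (cmd_pid, deleted_path) for each delayed delete whose target
    is the image of the process that spawned the command shell."""
    by_pid = {e["pid"]: e for e in events if e["id"] == 1}
    hits = []
    for e in events:
        if e["id"] != 1:
            continue
        m = SELF_DELETE_RE.search(e["cmdline"])
        if not m:
            continue
        parent = by_pid.get(e["ppid"])
        # Only fire when the deleted file is the parent's own image.
        if parent and ntpath.normcase(parent["image"]) == ntpath.normcase(m.group("path")):
            hits.append((e["pid"], m.group("path")))
    return hits


def find_temp_run_keys(events):
    """Return (pid, value_path, exe) for Run/RunOnce values whose target
    executable sits under a user's AppData\\Local\\Temp directory."""
    hits = []
    for e in events:
        if e["id"] != 13 or not RUN_KEY_RE.search(e["target"]):
            continue
        m = EXE_RE.match(e["details"])
        if m and TEMP_DIR_RE.search(m.group("exe")):
            hits.append((e["pid"], e["target"], m.group("exe")))
    return hits


if __name__ == "__main__":
    for pid, path in find_self_deletion(EVENTS):
        print(f"self-delete: cmd pid {pid} removes parent image {path}")
    for pid, key, exe in find_temp_run_keys(EVENTS):
        print(f"temp run key: pid {pid} set {key} -> {exe}")
```

The self-delete check deliberately ties the deleted path back to the parent's image rather than alerting on every `ping & del`, which keeps installer clean-up scripts out of the results; the Run-key check is keyed on the directory, so it also catches the non-Wow6432Node form of the same key.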
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (also listed as \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe)
  MD5: c1e9ee1b3fcdf4401f2adade5264438b
  SHA1: d163741debc5daff6fd2d3a2954d0ffdd35466dc
  SHA256: 7e3fc77086a8c477cd2b5381f496d654be59df9c2bc683a25c8851b83c5d3809
  SHA512: 42eac708364eec12852c0ffdba17adb8b95cdfb73b0960239a1098c9455411fa431ef9305b80291ea2b3dcfe2157efd67ebfc01fe3a6b972b4a35e0fac1f10fc
- memory/812-55-0x0000000075AB1000-0x0000000075AB3000-memory.dmp
  Filesize: 8KB
- memory/812-59-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB
- memory/1508-60-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB
The dropped MediaCenter.exe hashes differently from the submitted sample, so it is a second binary written out by the dropper rather than a copy of it. The two 128KB dumps start at 0x00400000, the default image base of a 32-bit PE, so they are the in-memory main modules of the sample and of MediaCenter.exe; both matched the family_sakula rule, which is the strongest family attribution in this report.