Analysis
-
max time kernel: 123s
max time network: 144s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 09:38
Static task: static1
Behavioral task: behavioral1
  Sample: 0973d3010ee016d92584ce8ccd3ec56b007a33369f3f7a25d952965257d20bfc.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0973d3010ee016d92584ce8ccd3ec56b007a33369f3f7a25d952965257d20bfc.exe
  Resource: win10v2004-en-20220113
General
- Target: 0973d3010ee016d92584ce8ccd3ec56b007a33369f3f7a25d952965257d20bfc.exe
- Size: 100KB
- MD5: 30be8982448cdb1450e6408680242cfc
- SHA1: 6c57340709f9ef3b179d4a069a282277ba7ad57d
- SHA256: 0973d3010ee016d92584ce8ccd3ec56b007a33369f3f7a25d952965257d20bfc
- SHA512: be806e030c16dced433fe14785c97546714a82c12231d54967c8ea41ad83846f38222d5148b0e0b4beb0d14121492a4c78b319d6ecb8607a3716e6a760e7a973
Malware Config
Signatures
-
Sakula Payload (3 IoCs)
Processes:
resource | yara_rule
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
-
Executes dropped EXE (1 IoCs)
Processes:
pid | process
1768 | MediaCenter.exe
-
Deletes itself (1 IoCs)
Processes:
pid | process
1108 | cmd.exe
-
Loads dropped DLL (2 IoCs)
Processes:
pid | process
624 | 0973d3010ee016d92584ce8ccd3ec56b007a33369f3f7a25d952965257d20bfc.exe
624 | 0973d3010ee016d92584ce8ccd3ec56b007a33369f3f7a25d952965257d20bfc.exe
-
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 0973d3010ee016d92584ce8ccd3ec56b007a33369f3f7a25d952965257d20bfc.exe
-
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe (1 TTPs, 1 IoCs)
-
Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes:
description | pid | process
Token: SeIncBasePriorityPrivilege | 624 | 0973d3010ee016d92584ce8ccd3ec56b007a33369f3f7a25d952965257d20bfc.exe
-
Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
description | pid | process | target process
PID 624 wrote to memory of 1768 | 624 | 0973d3010ee016d92584ce8ccd3ec56b007a33369f3f7a25d952965257d20bfc.exe | MediaCenter.exe
PID 624 wrote to memory of 1768 | 624 | 0973d3010ee016d92584ce8ccd3ec56b007a33369f3f7a25d952965257d20bfc.exe | MediaCenter.exe
PID 624 wrote to memory of 1768 | 624 | 0973d3010ee016d92584ce8ccd3ec56b007a33369f3f7a25d952965257d20bfc.exe | MediaCenter.exe
PID 624 wrote to memory of 1768 | 624 | 0973d3010ee016d92584ce8ccd3ec56b007a33369f3f7a25d952965257d20bfc.exe | MediaCenter.exe
PID 624 wrote to memory of 1108 | 624 | 0973d3010ee016d92584ce8ccd3ec56b007a33369f3f7a25d952965257d20bfc.exe | cmd.exe
PID 624 wrote to memory of 1108 | 624 | 0973d3010ee016d92584ce8ccd3ec56b007a33369f3f7a25d952965257d20bfc.exe | cmd.exe
PID 624 wrote to memory of 1108 | 624 | 0973d3010ee016d92584ce8ccd3ec56b007a33369f3f7a25d952965257d20bfc.exe | cmd.exe
PID 624 wrote to memory of 1108 | 624 | 0973d3010ee016d92584ce8ccd3ec56b007a33369f3f7a25d952965257d20bfc.exe | cmd.exe
PID 1108 wrote to memory of 1076 | 1108 | cmd.exe | PING.EXE
PID 1108 wrote to memory of 1076 | 1108 | cmd.exe | PING.EXE
PID 1108 wrote to memory of 1076 | 1108 | cmd.exe | PING.EXE
PID 1108 wrote to memory of 1076 | 1108 | cmd.exe | PING.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\0973d3010ee016d92584ce8ccd3ec56b007a33369f3f7a25d952965257d20bfc.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0973d3010ee016d92584ce8ccd3ec56b007a33369f3f7a25d952965257d20bfc.exe"
  PID: 624
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 1768
    - Executes dropped EXE
  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0973d3010ee016d92584ce8ccd3ec56b007a33369f3f7a25d952965257d20bfc.exe"
    PID: 1108
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 1076
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5: b775dda46b2ff93a5df71950709d5d4d
SHA1: ee385c6cb4b5595ddc9243a2bcf787b390282d46
SHA256: 8a9f5a1c69d5a5cd29c40df6420fc976767c3657180ebc77eadc24341918c049
SHA512: 8a8b49026555ba5f73776de030625460a1298bd92dd6f9fa5713eaf0c78f747e27791e56cdad42006591c0c62feb323df3af06eb487c8fb95f34f97079d04d9e
-
memory/624-55-0x00000000758A1000-0x00000000758A3000-memory.dmp
Filesize: 8KB