Analysis
- max time kernel: 143s
- max time network: 170s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 09:41

The signatures, process tree and PIDs below come from the windows7_x64 run (resource win7-en-20211208).

Static task: static1

Behavioral task: behavioral1
- Sample: 0944ce9ed7860d600073a8c0f4695c4e9e0b4312c05dbd2be68dbc233fee6b57.exe
- Resource: win7-en-20211208

Behavioral task: behavioral2
- Sample: 0944ce9ed7860d600073a8c0f4695c4e9e0b4312c05dbd2be68dbc233fee6b57.exe
- Resource: win10v2004-en-20220112

General
- Target: 0944ce9ed7860d600073a8c0f4695c4e9e0b4312c05dbd2be68dbc233fee6b57.exe
- Size: 99KB
- MD5: 8dc605fb92f85af7612f7fe5bc38bc11
- SHA1: 1c79e268ecbd6c5f964084823c0081c355a66a00
- SHA256: 0944ce9ed7860d600073a8c0f4695c4e9e0b4312c05dbd2be68dbc233fee6b57
- SHA512: cd0afe4a580f58928628de700be4a38ad9bd984184965f229a658fc43e5b787bfcdede56ff0d3cb7151221a3222d7ea3941c0722d8063780c1c443bfd5263e17
Malware Config
Signatures

- Sakula Payload (3 IoCs)
  YARA rule family_sakula matched on:
    \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  (One dropped file, reported under three path forms; the hashes in Downloads confirm it is a single binary.)

- Executes dropped EXE (1 IoC)
  PID 268 MediaCenter.exe

- Deletes itself (1 IoC)
  PID 1624 cmd.exe

- Loads dropped DLL (2 IoCs)
  PID 1632 0944ce9ed7860d600073a8c0f4695c4e9e0b4312c05dbd2be68dbc233fee6b57.exe (reported twice)

- Adds Run key to start application (2 TTPs, 1 IoC)
  PID 1632 0944ce9ed7860d600073a8c0f4695c4e9e0b4312c05dbd2be68dbc233fee6b57.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  The Wow6432Node path means a 32-bit process wrote the machine-wide Run key on a 64-bit host. The value points at the dropped payload in the user's Temp directory, so the payload restarts at logon even though the dropper removes its own file (see "Deletes itself").

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  (This is the sandbox's generic description for the signature. Nothing else in this report, no file encryption and no ransom note, supports a ransomware classification; the YARA match is for the Sakula family.)

- Runs ping.exe (1 TTP, 1 IoC)
  PID 1268 PING.EXE (ping 127.0.0.1, spawned by cmd.exe PID 1624; see process tree)

- Suspicious use of AdjustPrivilegeToken (1 IoC)
  PID 1632 0944ce9ed7860d600073a8c0f4695c4e9e0b4312c05dbd2be68dbc233fee6b57.exe, Token: SeIncBasePriorityPrivilege

- Suspicious use of WriteProcessMemory (12 IoCs)
  PID 1632 (0944ce9ed7860d600073a8c0f4695c4e9e0b4312c05dbd2be68dbc233fee6b57.exe) wrote to memory of PID 268 (MediaCenter.exe), reported 4 times
  PID 1632 (0944ce9ed7860d600073a8c0f4695c4e9e0b4312c05dbd2be68dbc233fee6b57.exe) wrote to memory of PID 1624 (cmd.exe), reported 4 times
  PID 1624 (cmd.exe) wrote to memory of PID 1268 (PING.EXE), reported 4 times
  (Every write is from a parent into a child it has just created, which matches the parent/child pairs in the process tree; this is consistent with ordinary process creation and does not by itself show injection into an unrelated process.)
Processes

C:\Users\Admin\AppData\Local\Temp\0944ce9ed7860d600073a8c0f4695c4e9e0b4312c05dbd2be68dbc233fee6b57.exe (PID 1632, depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\0944ce9ed7860d600073a8c0f4695c4e9e0b4312c05dbd2be68dbc233fee6b57.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 268, depth 2)
    command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE

  C:\Windows\SysWOW64\cmd.exe (PID 1624, depth 2)
    command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0944ce9ed7860d600073a8c0f4695c4e9e0b4312c05dbd2be68dbc233fee6b57.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\PING.EXE (PID 1268, depth 3)
      command line: ping 127.0.0.1
      - Runs ping.exe

Reading the tree: the dropper writes MediaCenter.exe to the user's Temp\MicroMedia directory, launches it, registers it under the Run key, then spawns cmd.exe with "ping 127.0.0.1 & del /q <its own path>". The ping is only a delay: the dropper exits while ping runs, so by the time del executes the image file is no longer locked and the dropper's file is removed from disk, leaving MediaCenter.exe and the Run key as the persistent artifacts. The command line names System32\cmd.exe but the image that actually ran is SysWOW64\cmd.exe: the sample is a 32-bit process on a 64-bit host and WOW64 file-system redirection resolves the path, which is also why its Run key lands under Wow6432Node.
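As an added detection example (not part of the sandbox report and not Sakula's own code), the following flags the three behaviours the process tree above records, over a few constructed process-creation and registry-set events that mirror it plus two benign look-alikes. The event layout, the function names and the assumption that a per-user Temp directory is the suspicious location are this example's own; the regexes generalise the report's exact command line to any "cmd /c ping <host> & del <path>" self-delete and any Run value pointing into Temp.

```python
"""Added detection example: self-delete via ping-and-del, a Run key into
%TEMP%, and a payload launched from %TEMP% by another %TEMP% executable.
Events are constructed to mirror the sandbox process tree; the schema is
this example's own, not a Sysmon or sandbox format."""
import re
from collections import namedtuple

# Minimal event shapes (assumed for this example).
ProcEvent = namedtuple("ProcEvent", "pid ppid image cmdline")
RegEvent = namedtuple("RegEvent", "pid key value")

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\0944ce9ed7860d600073a8c0f4695c4e9e0b4312c05dbd2be68dbc233fee6b57.exe")
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

# Constructed events modelled on the report, plus a plain ping (PID 2000)
# and a Run entry outside Temp (PID 2100) that must not fire.
PROC_EVENTS = [
    ProcEvent(1632, 1000, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(268, 1632, DROPPED, DROPPED),
    ProcEvent(1624, 1632, r"C:\Windows\SysWOW64\cmd.exe",
              rf'"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"'),
    ProcEvent(1268, 1624, r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.1"),
    ProcEvent(2000, 1000, r"C:\Windows\System32\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c ping 10.0.0.5'),
]
REG_EVENTS = [
    RegEvent(1632, r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows"
                   r"\CurrentVersion\Run\MicroMedia", DROPPED),
    RegEvent(2100, r"\REGISTRY\USER\S-1-5-21-1\Software\Microsoft\Windows"
                   r"\CurrentVersion\Run\OneDrive",
             r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe"),
]

# Per-user Temp: writable without elevation; dropper and payload both live there.
USER_TEMP = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.I)
# 'cmd /c ping <host> & del [/switches] "<path>"': ping only delays the delete
# until the parent has exited and released its image file.
PING_DEL = re.compile(
    r'/c\s+ping\b.*?&\s*del\s+(?:/\w\s+)*"?(?P<target>[^"&]+?)"?\s*$', re.I)


def find_self_delete(events):
    """cmd.exe whose ping-and-del target is its own parent's image file."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        m = PING_DEL.search(e.cmdline)
        parent = by_pid.get(e.ppid)
        if m and parent and m.group("target").strip().lower() == parent.image.lower():
            hits.append((e.pid, parent.pid, parent.image))
    return hits


def find_temp_run_keys(reg_events):
    """Run-key values that point into a per-user Temp directory."""
    return [(r.pid, r.key, r.value) for r in reg_events
            if "\\currentversion\\run\\" in r.key.lower()
            and USER_TEMP.match(r.value.strip('"'))]


def find_dropped_exec(events):
    """A child launched from Temp by a different Temp executable (dropper -> payload)."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if (parent and USER_TEMP.match(e.image) and USER_TEMP.match(parent.image)
                and e.image.lower() != parent.image.lower()):
            hits.append((parent.pid, e.pid, e.image))
    return hits


if __name__ == "__main__":
    for name, hits in (("self-delete", find_self_delete(PROC_EVENTS)),
                       ("temp run key", find_temp_run_keys(REG_EVENTS)),
                       ("dropped exec", find_dropped_exec(PROC_EVENTS))):
        for h in hits:
            print(name, h)
```

The self-delete check deliberately requires the del target to equal the parent's image path rather than matching any "ping & del"; cleanup scripts use the same idiom on other files, and tying it to the parent is what separates this sample's behaviour from them. Likewise the Run-key check keys on the value's location, not the key name, which is why the constructed OneDrive entry under the same Run path is not flagged.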
Network
MITRE ATT&CK Enterprise v6
Downloads

- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 9081e95322af4fd8a88151c9892a5aa8
  SHA1: bd1ff9d85bed2ed1e1663c0a7415dd8c011e19aa
  SHA256: bebac99419f2ff72ed53b34e08cec0985e6f077edf18358de3da773ec8ad8183
  SHA512: 1c8ea3e3ec42dbb4dbb77cb633d033bd1cd053ee4698439f3f250ac693a4a9af666d304c890b31753be60c27e37273387afb0ac27069c5fc86d1482b254799fd

- \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5, SHA1, SHA256, SHA512: identical to the entry above (same file under the drive-relative path; the report listed this entry twice)

- memory/1632-55-0x0000000076141000-0x0000000076143000-memory.dmp
  Filesize: 8KB