Analysis

max time kernel: 156s
max time network: 183s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 09:43

Tasks

Static task: static1
Behavioral task: behavioral1
  Sample: 09366210f77c39cab265fa9433a4f7b2c7e46270b50b2c9bbba733b93258e91b.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 09366210f77c39cab265fa9433a4f7b2c7e46270b50b2c9bbba733b93258e91b.exe
  Resource: win10v2004-en-20220112

The signatures, process tree and dropped files below are from behavioral1 (windows7_x64, resource win7-en-20211208), the run named in the Analysis header.
General

Target: 09366210f77c39cab265fa9433a4f7b2c7e46270b50b2c9bbba733b93258e91b.exe
Size: 192KB
MD5: ef5c7d79e14d1c3d5ca40455fd1e23c1
SHA1: eaac062a5c8665f8f7683819581a20d206212508
SHA256: 09366210f77c39cab265fa9433a4f7b2c7e46270b50b2c9bbba733b93258e91b
SHA512: 1216fc9ccff005a82b94e694572aedf99ea514b9338f1cf172bd3300c3d7d4908002c0ab17527039dc7b5ae3d2a9666c080df18c442475a4f438b1b872c7dc1a
Malware Config
Signatures

Sakula Payload (3 IoCs)
  YARA rule family_sakula matched on the dropped file, recorded under these paths:
    \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

Executes dropped EXE (1 IoC)
  PID 1660  MediaCenter.exe

Deletes itself (1 IoC)
  PID 1996  cmd.exe

Loads dropped DLL (2 IoCs)
  PID 1916  09366210f77c39cab265fa9433a4f7b2c7e46270b50b2c9bbba733b93258e91b.exe (2 events)

Adds Run key to start application (2 TTPs, 1 IoC)
  PID 1916  09366210f77c39cab265fa9433a4f7b2c7e46270b50b2c9bbba733b93258e91b.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  (Wow6432Node: the 32-bit sample's write to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run was redirected by WOW64 registry redirection; check both the native and the Wow6432Node Run keys when hunting for this persistence on 64-bit hosts.)

Enumerates physical storage devices (1 TTP)
  Generic sandbox description for this signature: attempts to interact with connected storage/optical drive(s); the sandbox labels this "likely ransomware behaviour". No IoC is listed for it in this run.

Runs ping.exe (1 TTP, 1 IoC)
  See PID 1812 (PING.EXE) in the process tree.

Suspicious use of AdjustPrivilegeToken (1 IoC)
  PID 1916  09366210f77c39cab265fa9433a4f7b2c7e46270b50b2c9bbba733b93258e91b.exe  Token: SeIncBasePriorityPrivilege

Suspicious use of WriteProcessMemory (12 IoCs)
  source PID  source process                                                          target PID  target process   events
  1916        09366210f77c39cab265fa9433a4f7b2c7e46270b50b2c9bbba733b93258e91b.exe   1660        MediaCenter.exe  4
  1916        09366210f77c39cab265fa9433a4f7b2c7e46270b50b2c9bbba733b93258e91b.exe   1996        cmd.exe          4
  1996        cmd.exe                                                                 1812        PING.EXE         4
Processes

1. C:\Users\Admin\AppData\Local\Temp\09366210f77c39cab265fa9433a4f7b2c7e46270b50b2c9bbba733b93258e91b.exe  (PID 1916)
   Command line: "C:\Users\Admin\AppData\Local\Temp\09366210f77c39cab265fa9433a4f7b2c7e46270b50b2c9bbba733b93258e91b.exe"
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  (PID 1660)
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE

   2. C:\Windows\SysWOW64\cmd.exe  (PID 1996)
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\09366210f77c39cab265fa9433a4f7b2c7e46270b50b2c9bbba733b93258e91b.exe"
      - Deletes itself
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\PING.EXE  (PID 1812)
         Command line: ping 127.0.0.1
         - Runs ping.exe

Notes on the tree: the sample requested C:\Windows\System32\cmd.exe but the child runs from C:\Windows\SysWOW64, which is WOW64 file-system redirection for a 32-bit process on the x64 guest. The ping to 127.0.0.1 is only a delay: it gives the dropper (PID 1916) time to exit so that its image file is no longer in use when del runs, which is why the sandbox tags the cmd.exe child as "Deletes itself". The dropped MediaCenter.exe (PID 1660) survives the cleanup and is the file registered under the Run key.
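The two behaviours the tree and the signature list record, self-deletion through a "ping loopback then del" cmd.exe child and persistence through a Run value pointing into the user's Temp directory, are easy to turn into detection logic over process-creation and registry-write events. The block below is an added example written for this page, not sandbox output and not code from the malware or the sandbox vendor. Its event dicts are constructed from the process tree and the registry IoC above; the field names (pid, ppid, image, cmdline, key, value), the root process's ppid, and the choice to treat %TEMP% as an untrusted autostart location are assumptions, not a real EDR or Sysmon schema.

```python
"""Detection logic for the self-deletion and Run-key persistence recorded above.

Added example (not part of the sandbox report). Events are constructed from the
report's process tree and registry IoC; field names and the root ppid are
assumptions rather than a real telemetry schema.
"""
import re
from pathlib import PureWindowsPath

DROPPER = (r"C:\Users\Admin\AppData\Local\Temp"
           r"\09366210f77c39cab265fa9433a4f7b2c7e46270b50b2c9bbba733b93258e91b.exe")
PAYLOAD = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
CMD_LINE = f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{DROPPER}"'

# Process-creation events constructed from the report's process tree (ppid 1 for the root is a placeholder).
EVENTS = [
    {"pid": 1916, "ppid": 1, "image": DROPPER, "cmdline": f'"{DROPPER}"'},
    {"pid": 1660, "ppid": 1916, "image": PAYLOAD, "cmdline": PAYLOAD},
    {"pid": 1996, "ppid": 1916, "image": r"C:\Windows\SysWOW64\cmd.exe", "cmdline": CMD_LINE},
    {"pid": 1812, "ppid": 1996, "image": r"C:\Windows\SysWOW64\PING.EXE", "cmdline": "ping 127.0.0.1"},
]

# Registry-write event constructed from the "Adds Run key" IoC.
REGISTRY_EVENTS = [
    {"pid": 1916,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "value": PAYLOAD},
]

# "ping <loopback> ... & del <switches> <path>": the ping is a delay so the parent's
# image is no longer in use when del runs. Loopback may be spelled several ways.
_LOOPBACK = r"(?<![\w.:])(?:127\.0\.0\.1|localhost|::1)(?![\w.:])"
_PING_THEN_DEL = re.compile(r"\bping\b[^&]*?" + _LOOPBACK + r"[^&]*&\s*del\b(?P<rest>.*)$",
                            re.IGNORECASE | re.DOTALL)
_DEL_SWITCHES = re.compile(r"^(?:/[a-z]\s+)+", re.IGNORECASE)


def self_delete_target(cmdline: str):
    """Return the path a 'ping <loopback> & del ...' command line deletes, else None."""
    m = _PING_THEN_DEL.search(cmdline)
    if not m:
        return None
    rest = _DEL_SWITCHES.sub("", m.group("rest").strip())  # drop del's /q, /f, ...
    return rest.strip().strip('"') or None


def _same_path(a: str, b: str) -> bool:
    # Windows paths are case-insensitive; PureWindowsPath normalises separators.
    return str(PureWindowsPath(a)).lower() == str(PureWindowsPath(b)).lower()


def detect_self_deletion(events):
    """Return (parent pid, cmd pid, path) for each cmd.exe that deletes its parent's image."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for ev in events:
        if PureWindowsPath(ev["image"]).name.lower() != "cmd.exe":
            continue
        target = self_delete_target(ev["cmdline"])
        parent = by_pid.get(ev["ppid"])
        if target and parent and _same_path(target, parent["image"]):
            hits.append((parent["pid"], ev["pid"], target))
    return hits


# Run / RunOnce under either the native or the Wow6432Node view: on 64-bit Windows a
# 32-bit process writing HKLM\SOFTWARE\...\Run is redirected into Wow6432Node.
_RUN_KEY = re.compile(r"\\microsoft\\windows\\currentversion\\run(?:once)?\\([^\\]+)$",
                      re.IGNORECASE)
# Assumption: an autostart image under the per-user Temp directory is suspicious.
_USER_TEMP = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.IGNORECASE)


def detect_temp_run_key(reg_events):
    """Return (pid, value name, image) for Run-key values that autostart from %TEMP%."""
    hits = []
    for ev in reg_events:
        m = _RUN_KEY.search(ev["key"])
        if not m:
            continue
        image = ev["value"].strip().strip('"')
        if _USER_TEMP.match(image):
            hits.append((ev["pid"], m.group(1), image))
    return hits


if __name__ == "__main__":
    for ppid, pid, path in detect_self_deletion(EVENTS):
        print(f"self-deletion: cmd.exe pid {pid} deletes image of parent pid {ppid}: {path}")
    for pid, name, image in detect_temp_run_key(REGISTRY_EVENTS):
        print(f"persistence: pid {pid} set Run value {name!r} -> {image}")
```

Run against the constructed events, detect_self_deletion reports PID 1996 deleting the image of its parent PID 1916, and detect_temp_run_key reports the MicroMedia value under Run pointing at MediaCenter.exe in the user's Temp directory. The parent/child linkage is what separates a self-deleting dropper from an ordinary cleanup script: the del target is compared against the parent process's own image path, not just matched as a string.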
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  (recorded three times, also as \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe; all three entries carry the same hashes)
  MD5: 75b9c3f8539b8f537c37664a3b34f827
  SHA1: 99534c610312b685757ebe4f762055828b665c08
  SHA256: ee4bbf1375b9b5b10567822e99c398a6b09cc2e51d0eb79827ad1045c3fd0f55
  SHA512: d0907ba45956708ee4e61a94d8df81247cca94b4f4257201b947c0c2fa1286ac3aad8f0fd09150b90ab128f5dc24b2cc67dc426bf2c3a3992911c06b0a33cd31

memory/1916-54-0x0000000076041000-0x0000000076043000-memory.dmp
  Filesize: 8KB