Analysis
- max time kernel: 120s
- max time network: 146s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 09:43
Static task: static1
Behavioral task: behavioral1
  Sample: 09341c9e794c78e3e03d6075b50780065bd51f4528ceb83ea7949e4b746ee656.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 09341c9e794c78e3e03d6075b50780065bd51f4528ceb83ea7949e4b746ee656.exe
  Resource: win10v2004-en-20220113
General
- Target: 09341c9e794c78e3e03d6075b50780065bd51f4528ceb83ea7949e4b746ee656.exe
- Size: 192KB
- MD5: 260745d98ce7d543a15a9cf827bafe3d
- SHA1: 00bc7b4c4d052d69e81072923e51e9479b801f79
- SHA256: 09341c9e794c78e3e03d6075b50780065bd51f4528ceb83ea7949e4b746ee656
- SHA512: dd21f92900559371fcbe0dfde71fef660d9c9282c982e9b1c5d023a4b4064be7175725bcde04f1ff113c70a1b4870a99ee0c5e950e821cf7d37919b69429ee60
Malware Config
Signatures
- Sakula Payload (3 IoCs)
  Processes:
    resource: \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  yara_rule: family_sakula
    resource: \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  yara_rule: family_sakula
    resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  yara_rule: family_sakula
- Executes dropped EXE (1 IoCs)
  Processes:
    pid: 1096  process: MediaCenter.exe
- Deletes itself (1 IoCs)
  Processes:
    pid: 1780  process: cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes:
    pid: 964  process: 09341c9e794c78e3e03d6075b50780065bd51f4528ceb83ea7949e4b746ee656.exe
    pid: 964  process: 09341c9e794c78e3e03d6075b50780065bd51f4528ceb83ea7949e4b746ee656.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
    description: Set value (str)  ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  process: 09341c9e794c78e3e03d6075b50780065bd51f4528ceb83ea7949e4b746ee656.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
    description: Token: SeIncBasePriorityPrivilege  pid: 964  process: 09341c9e794c78e3e03d6075b50780065bd51f4528ceb83ea7949e4b746ee656.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
    description: PID 964 wrote to memory of 1096  pid: 964  process: 09341c9e794c78e3e03d6075b50780065bd51f4528ceb83ea7949e4b746ee656.exe  target process: MediaCenter.exe
    description: PID 964 wrote to memory of 1096  pid: 964  process: 09341c9e794c78e3e03d6075b50780065bd51f4528ceb83ea7949e4b746ee656.exe  target process: MediaCenter.exe
    description: PID 964 wrote to memory of 1096  pid: 964  process: 09341c9e794c78e3e03d6075b50780065bd51f4528ceb83ea7949e4b746ee656.exe  target process: MediaCenter.exe
    description: PID 964 wrote to memory of 1096  pid: 964  process: 09341c9e794c78e3e03d6075b50780065bd51f4528ceb83ea7949e4b746ee656.exe  target process: MediaCenter.exe
    description: PID 964 wrote to memory of 1780  pid: 964  process: 09341c9e794c78e3e03d6075b50780065bd51f4528ceb83ea7949e4b746ee656.exe  target process: cmd.exe
    description: PID 964 wrote to memory of 1780  pid: 964  process: 09341c9e794c78e3e03d6075b50780065bd51f4528ceb83ea7949e4b746ee656.exe  target process: cmd.exe
    description: PID 964 wrote to memory of 1780  pid: 964  process: 09341c9e794c78e3e03d6075b50780065bd51f4528ceb83ea7949e4b746ee656.exe  target process: cmd.exe
    description: PID 964 wrote to memory of 1780  pid: 964  process: 09341c9e794c78e3e03d6075b50780065bd51f4528ceb83ea7949e4b746ee656.exe  target process: cmd.exe
    description: PID 1780 wrote to memory of 672  pid: 1780  process: cmd.exe  target process: PING.EXE
    description: PID 1780 wrote to memory of 672  pid: 1780  process: cmd.exe  target process: PING.EXE
    description: PID 1780 wrote to memory of 672  pid: 1780  process: cmd.exe  target process: PING.EXE
    description: PID 1780 wrote to memory of 672  pid: 1780  process: cmd.exe  target process: PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\09341c9e794c78e3e03d6075b50780065bd51f4528ceb83ea7949e4b746ee656.exe (level 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\09341c9e794c78e3e03d6075b50780065bd51f4528ceb83ea7949e4b746ee656.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 964
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (level 2)
    command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1096
  - C:\Windows\SysWOW64\cmd.exe (level 2)
    command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\09341c9e794c78e3e03d6075b50780065bd51f4528ceb83ea7949e4b746ee656.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1780
    - C:\Windows\SysWOW64\PING.EXE (level 3)
      command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 672
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 0bc6220920cc86802da8d038b2a29696
  SHA1: 7778da48d110585da886feb9e63ba4988da4714b
  SHA256: dddf677ab71995ec375fdd16b40295c052cdd5c7a303be55a0da23c397a7d5be
  SHA512: ea65af9222bd6cec98e166300e91f5819189116afe0ea5676c62598de3522edaf73689acfdcba0a0dc9eaea94655faf592e38d0f1b860e187b47aadc1435318e
- \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 0bc6220920cc86802da8d038b2a29696
  SHA1: 7778da48d110585da886feb9e63ba4988da4714b
  SHA256: dddf677ab71995ec375fdd16b40295c052cdd5c7a303be55a0da23c397a7d5be
  SHA512: ea65af9222bd6cec98e166300e91f5819189116afe0ea5676c62598de3522edaf73689acfdcba0a0dc9eaea94655faf592e38d0f1b860e187b47aadc1435318e
- \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 0bc6220920cc86802da8d038b2a29696
  SHA1: 7778da48d110585da886feb9e63ba4988da4714b
  SHA256: dddf677ab71995ec375fdd16b40295c052cdd5c7a303be55a0da23c397a7d5be
  SHA512: ea65af9222bd6cec98e166300e91f5819189116afe0ea5676c62598de3522edaf73689acfdcba0a0dc9eaea94655faf592e38d0f1b860e187b47aadc1435318e
- memory/964-54-0x0000000075D11000-0x0000000075D13000-memory.dmp
  Filesize: 8KB