Analysis
  max time kernel: 137s
  max time network: 159s
  platform: windows7_x64
  resource: win7-en-20211208
  submitted: 12-02-2022 09:44
Tasks
  static1 (static task)
  behavioral1 (behavioral task)
    Sample: 092e78a8f5e97146cdd929f71d8f290605a3d7978395edb55d99b6fac239995b.exe
    Resource: win7-en-20211208
  behavioral2 (behavioral task)
    Sample: 092e78a8f5e97146cdd929f71d8f290605a3d7978395edb55d99b6fac239995b.exe
    Resource: win10v2004-en-20220112
General
  Target: 092e78a8f5e97146cdd929f71d8f290605a3d7978395edb55d99b6fac239995b.exe
  Size: 220KB
  MD5: f5c15cc4889cdd4d31820200d681e4d9
  SHA1: cb806b39e46c8d09087046c6c12e758ee31bc7c2
  SHA256: 092e78a8f5e97146cdd929f71d8f290605a3d7978395edb55d99b6fac239995b
  SHA512: c9da5e090954a92044858d9cbbb1d424414273b26ca70fc882769eba666f40b78f461d121962fe18e08cb1d86acb4fa3996ecc43a5211124fc1bcb55e66a2d9c
Malware Config
Signatures
- Sakula Payload (4 IoCs)
    resource | yara_rule
    \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
    behavioral1/memory/1740-58-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
    behavioral1/memory/1608-59-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
- Executes dropped EXE (1 IoC)
    pid | process
    1608 | MediaCenter.exe
- Deletes itself (1 IoC)
    pid | process
    1980 | cmd.exe
- Loads dropped DLL (1 IoC)
    pid | process
    1740 | 092e78a8f5e97146cdd929f71d8f290605a3d7978395edb55d99b6fac239995b.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
    description | ioc | process
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 092e78a8f5e97146cdd929f71d8f290605a3d7978395edb55d99b6fac239995b.exe
- Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
    description | pid | process
    Token: SeIncBasePriorityPrivilege | 1740 | 092e78a8f5e97146cdd929f71d8f290605a3d7978395edb55d99b6fac239995b.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
    description | pid | process | target process
    PID 1740 wrote to memory of 1608 | 1740 | 092e78a8f5e97146cdd929f71d8f290605a3d7978395edb55d99b6fac239995b.exe | MediaCenter.exe
    PID 1740 wrote to memory of 1608 | 1740 | 092e78a8f5e97146cdd929f71d8f290605a3d7978395edb55d99b6fac239995b.exe | MediaCenter.exe
    PID 1740 wrote to memory of 1608 | 1740 | 092e78a8f5e97146cdd929f71d8f290605a3d7978395edb55d99b6fac239995b.exe | MediaCenter.exe
    PID 1740 wrote to memory of 1608 | 1740 | 092e78a8f5e97146cdd929f71d8f290605a3d7978395edb55d99b6fac239995b.exe | MediaCenter.exe
    PID 1740 wrote to memory of 1980 | 1740 | 092e78a8f5e97146cdd929f71d8f290605a3d7978395edb55d99b6fac239995b.exe | cmd.exe
    PID 1740 wrote to memory of 1980 | 1740 | 092e78a8f5e97146cdd929f71d8f290605a3d7978395edb55d99b6fac239995b.exe | cmd.exe
    PID 1740 wrote to memory of 1980 | 1740 | 092e78a8f5e97146cdd929f71d8f290605a3d7978395edb55d99b6fac239995b.exe | cmd.exe
    PID 1740 wrote to memory of 1980 | 1740 | 092e78a8f5e97146cdd929f71d8f290605a3d7978395edb55d99b6fac239995b.exe | cmd.exe
    PID 1980 wrote to memory of 1968 | 1980 | cmd.exe | PING.EXE
    PID 1980 wrote to memory of 1968 | 1980 | cmd.exe | PING.EXE
    PID 1980 wrote to memory of 1968 | 1980 | cmd.exe | PING.EXE
    PID 1980 wrote to memory of 1968 | 1980 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\092e78a8f5e97146cdd929f71d8f290605a3d7978395edb55d99b6fac239995b.exe (PID 1740)
    Command line: "C:\Users\Admin\AppData\Local\Temp\092e78a8f5e97146cdd929f71d8f290605a3d7978395edb55d99b6fac239995b.exe"
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 1608, child of 1740)
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 1980, child of 1740)
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\092e78a8f5e97146cdd929f71d8f290605a3d7978395edb55d99b6fac239995b.exe"
      - Deletes itself
      - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 1968, child of 1980)
        Command line: ping 127.0.0.1
        - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (also listed as \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe; same file, same hashes)
    MD5: 0f2b9d163f07cad2d5d0db43866f65b4
    SHA1: 1d435fa8edf9f2fd63ba2006808226da8cc9c761
    SHA256: 8e5698cad056623bb0777d3e6478692154e9653966e509f25ac9972435ea2397
    SHA512: 3a46ab3095cf9b331444ad1bf2c923f2bd92bef70a4c41820fa62bb20d9460d339078ea6118992b1c9b9c2d49376aca935d28aa432507dc6f729e93db2d9c0a1
- memory/1608-59-0x0000000000400000-0x0000000000420000-memory.dmp
    Filesize: 128KB
- memory/1740-54-0x0000000075D61000-0x0000000075D63000-memory.dmp
    Filesize: 8KB
- memory/1740-58-0x0000000000400000-0x0000000000420000-memory.dmp
    Filesize: 128KB