Analysis
max time kernel: 122s
max time network: 131s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 09:46
Static task: static1
Behavioral task: behavioral1
  Sample: 0914eb6a2c82d84b007d46546cf0c6c6b2469c649f8211063a9788975a690d03.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0914eb6a2c82d84b007d46546cf0c6c6b2469c649f8211063a9788975a690d03.exe
  Resource: win10v2004-en-20220113
General
Target: 0914eb6a2c82d84b007d46546cf0c6c6b2469c649f8211063a9788975a690d03.exe
Size: 99KB
MD5: 437ba52f4638aef000ee5027e6edf1ab
SHA1: c9835ba1565b1ee19f9cfb2cd674c9c5a1abe2fc
SHA256: 0914eb6a2c82d84b007d46546cf0c6c6b2469c649f8211063a9788975a690d03
SHA512: 06529d56b7e4311b31a60db428e4916b381bbebb079e30dc7ff4d3671024af07438214f6c4ea46c52ae45bc5ee2f0611fae13ae2d95dac14825cdae6f484371c
Malware Config
Signatures

Sakula Payload (3 IoCs)
  resource | yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula

Executes dropped EXE (1 IoC)
  pid | process
  1928 | MediaCenter.exe

Deletes itself (1 IoC)
  pid | process
  1984 | cmd.exe

Loads dropped DLL (2 IoCs)
  pid | process
  288 | 0914eb6a2c82d84b007d46546cf0c6c6b2469c649f8211063a9788975a690d03.exe
  288 | 0914eb6a2c82d84b007d46546cf0c6c6b2469c649f8211063a9788975a690d03.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 0914eb6a2c82d84b007d46546cf0c6c6b2469c649f8211063a9788975a690d03.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTP, 1 IoC)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 288 | 0914eb6a2c82d84b007d46546cf0c6c6b2469c649f8211063a9788975a690d03.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  description | pid | process | target process
  PID 288 wrote to memory of 1928 | 288 | 0914eb6a2c82d84b007d46546cf0c6c6b2469c649f8211063a9788975a690d03.exe | MediaCenter.exe
  PID 288 wrote to memory of 1928 | 288 | 0914eb6a2c82d84b007d46546cf0c6c6b2469c649f8211063a9788975a690d03.exe | MediaCenter.exe
  PID 288 wrote to memory of 1928 | 288 | 0914eb6a2c82d84b007d46546cf0c6c6b2469c649f8211063a9788975a690d03.exe | MediaCenter.exe
  PID 288 wrote to memory of 1928 | 288 | 0914eb6a2c82d84b007d46546cf0c6c6b2469c649f8211063a9788975a690d03.exe | MediaCenter.exe
  PID 288 wrote to memory of 1984 | 288 | 0914eb6a2c82d84b007d46546cf0c6c6b2469c649f8211063a9788975a690d03.exe | cmd.exe
  PID 288 wrote to memory of 1984 | 288 | 0914eb6a2c82d84b007d46546cf0c6c6b2469c649f8211063a9788975a690d03.exe | cmd.exe
  PID 288 wrote to memory of 1984 | 288 | 0914eb6a2c82d84b007d46546cf0c6c6b2469c649f8211063a9788975a690d03.exe | cmd.exe
  PID 288 wrote to memory of 1984 | 288 | 0914eb6a2c82d84b007d46546cf0c6c6b2469c649f8211063a9788975a690d03.exe | cmd.exe
  PID 1984 wrote to memory of 1460 | 1984 | cmd.exe | PING.EXE
  PID 1984 wrote to memory of 1460 | 1984 | cmd.exe | PING.EXE
  PID 1984 wrote to memory of 1460 | 1984 | cmd.exe | PING.EXE
  PID 1984 wrote to memory of 1460 | 1984 | cmd.exe | PING.EXE
Processes (process tree, indented by depth)

C:\Users\Admin\AppData\Local\Temp\0914eb6a2c82d84b007d46546cf0c6c6b2469c649f8211063a9788975a690d03.exe (PID 288)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0914eb6a2c82d84b007d46546cf0c6c6b2469c649f8211063a9788975a690d03.exe"
  Signatures: Loads dropped DLL; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 1928)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Signatures: Executes dropped EXE

  C:\Windows\SysWOW64\cmd.exe (PID 1984)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0914eb6a2c82d84b007d46546cf0c6c6b2469c649f8211063a9788975a690d03.exe"
    Signatures: Deletes itself; Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\PING.EXE (PID 1460)
      Command line: ping 127.0.0.1
      Signatures: Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 414c71bc9b0f46e233a35fe7dd3d3a49
  SHA1: 46a57109d35f164572256eaa9f15881f19fb2084
  SHA256: 8b4fc0fc6de39d9f0699727a63dd27877a7cab84d0e8ffbdf8c372b84a2b2b65
  SHA512: 45868e89e9c83c1ac787e74a10b0606cf12e7227f19c7cbeaa5f8abed8f5a6797a585a3868951971c664d2469d1bad7cdb9138037b7bdb672ff2a344c46f6d6c
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 414c71bc9b0f46e233a35fe7dd3d3a49
  SHA1: 46a57109d35f164572256eaa9f15881f19fb2084
  SHA256: 8b4fc0fc6de39d9f0699727a63dd27877a7cab84d0e8ffbdf8c372b84a2b2b65
  SHA512: 45868e89e9c83c1ac787e74a10b0606cf12e7227f19c7cbeaa5f8abed8f5a6797a585a3868951971c664d2469d1bad7cdb9138037b7bdb672ff2a344c46f6d6c
memory/288-54-0x0000000076041000-0x0000000076043000-memory.dmp
  Filesize: 8KB