Analysis
- max time kernel: 153s
- max time network: 170s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 09:46
Static task: static1
Behavioral task: behavioral1
  Sample: 0913fb0f15766f114260988ca4ea9dfff0f5397103cff7e840e909371d236c7c.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0913fb0f15766f114260988ca4ea9dfff0f5397103cff7e840e909371d236c7c.exe
  Resource: win10v2004-en-20220112
General
- Target: 0913fb0f15766f114260988ca4ea9dfff0f5397103cff7e840e909371d236c7c.exe
- Size: 99KB
- MD5: 29e53ba3bd4a5f2e084072c7ff9b976b
- SHA1: 165a3de449d833cc993f54accb2f4cdd67b4bcb4
- SHA256: 0913fb0f15766f114260988ca4ea9dfff0f5397103cff7e840e909371d236c7c
- SHA512: 0f599813b470eaa96397667b6bd81c79c1d58aa8de37be3fb48cac2f68b93b3f8a77175a62fdf2093631dee1294083019bfd540a1b2bd3c9e2211db94d7f8380
Malware Config
Signatures
- Sakula Payload (3 IoCs)
  Processes:
    resource                                                      yara_rule
    \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe    family_sakula
    \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe    family_sakula
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  family_sakula
- Executes dropped EXE (1 IoC)
  Processes:
    pid   process
    1380  MediaCenter.exe
- Deletes itself (1 IoC)
  Processes:
    pid   process
    1788  cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes:
    pid   process
    1672  0913fb0f15766f114260988ca4ea9dfff0f5397103cff7e840e909371d236c7c.exe
    1672  0913fb0f15766f114260988ca4ea9dfff0f5397103cff7e840e909371d236c7c.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    description: Set value (str)
    ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
    process: 0913fb0f15766f114260988ca4ea9dfff0f5397103cff7e840e909371d236c7c.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description: Token: SeIncBasePriorityPrivilege
    pid: 1672
    process: 0913fb0f15766f114260988ca4ea9dfff0f5397103cff7e840e909371d236c7c.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
    description                       pid   process                                                                  target process
    PID 1672 wrote to memory of 1380  1672  0913fb0f15766f114260988ca4ea9dfff0f5397103cff7e840e909371d236c7c.exe    MediaCenter.exe
    PID 1672 wrote to memory of 1380  1672  0913fb0f15766f114260988ca4ea9dfff0f5397103cff7e840e909371d236c7c.exe    MediaCenter.exe
    PID 1672 wrote to memory of 1380  1672  0913fb0f15766f114260988ca4ea9dfff0f5397103cff7e840e909371d236c7c.exe    MediaCenter.exe
    PID 1672 wrote to memory of 1380  1672  0913fb0f15766f114260988ca4ea9dfff0f5397103cff7e840e909371d236c7c.exe    MediaCenter.exe
    PID 1672 wrote to memory of 1788  1672  0913fb0f15766f114260988ca4ea9dfff0f5397103cff7e840e909371d236c7c.exe    cmd.exe
    PID 1672 wrote to memory of 1788  1672  0913fb0f15766f114260988ca4ea9dfff0f5397103cff7e840e909371d236c7c.exe    cmd.exe
    PID 1672 wrote to memory of 1788  1672  0913fb0f15766f114260988ca4ea9dfff0f5397103cff7e840e909371d236c7c.exe    cmd.exe
    PID 1672 wrote to memory of 1788  1672  0913fb0f15766f114260988ca4ea9dfff0f5397103cff7e840e909371d236c7c.exe    cmd.exe
    PID 1788 wrote to memory of 1956  1788  cmd.exe                                                                  PING.EXE
    PID 1788 wrote to memory of 1956  1788  cmd.exe                                                                  PING.EXE
    PID 1788 wrote to memory of 1956  1788  cmd.exe                                                                  PING.EXE
    PID 1788 wrote to memory of 1956  1788  cmd.exe                                                                  PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\0913fb0f15766f114260988ca4ea9dfff0f5397103cff7e840e909371d236c7c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0913fb0f15766f114260988ca4ea9dfff0f5397103cff7e840e909371d236c7c.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1672
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1380
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0913fb0f15766f114260988ca4ea9dfff0f5397103cff7e840e909371d236c7c.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1788
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1956
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 13d5665eb3d07a5688ffc8046727eefb
  SHA1: 3049c1894774d434712f410f91f01f68591cc992
  SHA256: d0dd0fb29c12bd4dda46c8aa26d44c766eebc0bab68f973defc2850d0f3d9459
  SHA512: 858417d735d4219c59c92e5fee2bd8c3110fc754f9da88f9b52acc29ab6c8ea4054748756edb565d1f2003bd014934bdf7b464b71ae51222b5d3bbc22696c46b
- \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 13d5665eb3d07a5688ffc8046727eefb
  SHA1: 3049c1894774d434712f410f91f01f68591cc992
  SHA256: d0dd0fb29c12bd4dda46c8aa26d44c766eebc0bab68f973defc2850d0f3d9459
  SHA512: 858417d735d4219c59c92e5fee2bd8c3110fc754f9da88f9b52acc29ab6c8ea4054748756edb565d1f2003bd014934bdf7b464b71ae51222b5d3bbc22696c46b
- memory/1672-55-0x0000000075DF1000-0x0000000075DF3000-memory.dmp
  Filesize: 8KB