Analysis
- max time kernel: 120s
- max time network: 136s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 09:46
Static task: static1
Behavioral task: behavioral1
  Sample: 0912a2740e33df0fa94767d2c0edb83a6c2b3d7056736a239deb24551c76640d.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0912a2740e33df0fa94767d2c0edb83a6c2b3d7056736a239deb24551c76640d.exe
  Resource: win10v2004-en-20220112
General
- Target: 0912a2740e33df0fa94767d2c0edb83a6c2b3d7056736a239deb24551c76640d.exe
- Size: 101KB
- MD5: be5a680d4457f2544a48ec7e75a17fd5
- SHA1: 9fdfd2fbc8c4d312c5ae40faa3ee7f92ee0abb8e
- SHA256: 0912a2740e33df0fa94767d2c0edb83a6c2b3d7056736a239deb24551c76640d
- SHA512: 22e368e689ba5a370b9e028f219d4df2a8805e867673cd9d0cbe2f356a420a5b25779ac7b9bec06c564962d51a35771ef243053388e6843a9f4282909834a3c6
Malware Config
Signatures
- Sakula Payload (3 IoCs)
  Processes (resource / yara_rule):
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  family_sakula
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  family_sakula
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  family_sakula
- Executes dropped EXE (1 IoC)
  Processes (pid / process):
  1428  MediaCenter.exe
- Deletes itself (1 IoC)
  Processes (pid / process):
  776  cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid / process):
  1448  0912a2740e33df0fa94767d2c0edb83a6c2b3d7056736a239deb24551c76640d.exe
  1448  0912a2740e33df0fa94767d2c0edb83a6c2b3d7056736a239deb24551c76640d.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description / ioc / process):
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  0912a2740e33df0fa94767d2c0edb83a6c2b3d7056736a239deb24551c76640d.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description / pid / process):
  Token: SeIncBasePriorityPrivilege  1448  0912a2740e33df0fa94767d2c0edb83a6c2b3d7056736a239deb24551c76640d.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description / pid / process / target process):
  PID 1448 wrote to memory of 1428  1448  0912a2740e33df0fa94767d2c0edb83a6c2b3d7056736a239deb24551c76640d.exe  MediaCenter.exe  (4 identical entries)
  PID 1448 wrote to memory of 776  1448  0912a2740e33df0fa94767d2c0edb83a6c2b3d7056736a239deb24551c76640d.exe  cmd.exe  (4 identical entries)
  PID 776 wrote to memory of 1984  776  cmd.exe  PING.EXE  (4 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\0912a2740e33df0fa94767d2c0edb83a6c2b3d7056736a239deb24551c76640d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0912a2740e33df0fa94767d2c0edb83a6c2b3d7056736a239deb24551c76640d.exe"
  Depth 1, PID 1448
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Depth 2, PID 1428
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0912a2740e33df0fa94767d2c0edb83a6c2b3d7056736a239deb24551c76640d.exe"
    Depth 2, PID 776
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      Depth 3, PID 1984
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 43dc9c4e060c0d7c61a80bfbbbc82cfd
  SHA1: 5bedb4127b7cbfd09c63ab50aa29f197144bab80
  SHA256: e8b841bfba968032f0be5bb2fa731e74c48c86d77ad594e78399c3153b533e69
  SHA512: e51b335f5f400ca429d9eee135b43942dd1032219bfa8fc32c1a9e3a4c15a392383c0af1e31cd260681bc5a8cd72220bf7e56ca37b42aaac068958f1563c4d74
- \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 43dc9c4e060c0d7c61a80bfbbbc82cfd
  SHA1: 5bedb4127b7cbfd09c63ab50aa29f197144bab80
  SHA256: e8b841bfba968032f0be5bb2fa731e74c48c86d77ad594e78399c3153b533e69
  SHA512: e51b335f5f400ca429d9eee135b43942dd1032219bfa8fc32c1a9e3a4c15a392383c0af1e31cd260681bc5a8cd72220bf7e56ca37b42aaac068958f1563c4d74
- memory/1448-54-0x0000000076421000-0x0000000076423000-memory.dmp
  Filesize: 8KB