Analysis
max time kernel: 119s
max time network: 141s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 09:47
Static task: static1
Behavioral task: behavioral1
  Sample: 0907040be98bb04fe0b7e3df99d7149a5c88944d9ca3c57f7bcd08be16a8f0a3.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0907040be98bb04fe0b7e3df99d7149a5c88944d9ca3c57f7bcd08be16a8f0a3.exe
  Resource: win10v2004-en-20220113
General
Target: 0907040be98bb04fe0b7e3df99d7149a5c88944d9ca3c57f7bcd08be16a8f0a3.exe
Size: 84KB
MD5: e955f6d624d65c0d2f6f928e2377a851
SHA1: 665338918e48673a29e19f7ec4509ff09653da5f
SHA256: 0907040be98bb04fe0b7e3df99d7149a5c88944d9ca3c57f7bcd08be16a8f0a3
SHA512: 1f786ecacc514c81b725387f90b1d43bd49746880aeaf14b71c5f6ba3f02dba260c17f1328c9ae37708a2112cc3b78b4b9c0cd72ccf6afadfd48a65e479b21f1
Malware Config
Signatures
Sakula Payload (3 IoCs)
  resource                                                      yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe    family_sakula
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe    family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  family_sakula
Executes dropped EXE (1 IoC)
  pid   process
  744   MediaCenter.exe
Deletes itself (1 IoC)
  pid   process
  932   cmd.exe
Loads dropped DLL (2 IoCs)
  pid    process
  1084   0907040be98bb04fe0b7e3df99d7149a5c88944d9ca3c57f7bcd08be16a8f0a3.exe
  1084   0907040be98bb04fe0b7e3df99d7149a5c88944d9ca3c57f7bcd08be16a8f0a3.exe
Adds Run key to start application (2 TTPs, 1 IoC)
  description      ioc                                                                                                                                                              process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  0907040be98bb04fe0b7e3df99d7149a5c88944d9ca3c57f7bcd08be16a8f0a3.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Runs ping.exe (1 TTP, 1 IoC)
Suspicious use of AdjustPrivilegeToken (1 IoC)
  description                         pid    process
  Token: SeIncBasePriorityPrivilege   1084   0907040be98bb04fe0b7e3df99d7149a5c88944d9ca3c57f7bcd08be16a8f0a3.exe
Suspicious use of WriteProcessMemory (12 IoCs)
  description                        pid    process                                                                 target process
  PID 1084 wrote to memory of 744    1084   0907040be98bb04fe0b7e3df99d7149a5c88944d9ca3c57f7bcd08be16a8f0a3.exe   MediaCenter.exe
  PID 1084 wrote to memory of 744    1084   0907040be98bb04fe0b7e3df99d7149a5c88944d9ca3c57f7bcd08be16a8f0a3.exe   MediaCenter.exe
  PID 1084 wrote to memory of 744    1084   0907040be98bb04fe0b7e3df99d7149a5c88944d9ca3c57f7bcd08be16a8f0a3.exe   MediaCenter.exe
  PID 1084 wrote to memory of 744    1084   0907040be98bb04fe0b7e3df99d7149a5c88944d9ca3c57f7bcd08be16a8f0a3.exe   MediaCenter.exe
  PID 1084 wrote to memory of 932    1084   0907040be98bb04fe0b7e3df99d7149a5c88944d9ca3c57f7bcd08be16a8f0a3.exe   cmd.exe
  PID 1084 wrote to memory of 932    1084   0907040be98bb04fe0b7e3df99d7149a5c88944d9ca3c57f7bcd08be16a8f0a3.exe   cmd.exe
  PID 1084 wrote to memory of 932    1084   0907040be98bb04fe0b7e3df99d7149a5c88944d9ca3c57f7bcd08be16a8f0a3.exe   cmd.exe
  PID 1084 wrote to memory of 932    1084   0907040be98bb04fe0b7e3df99d7149a5c88944d9ca3c57f7bcd08be16a8f0a3.exe   cmd.exe
  PID 932 wrote to memory of 1980    932    cmd.exe                                                                 PING.EXE
  PID 932 wrote to memory of 1980    932    cmd.exe                                                                 PING.EXE
  PID 932 wrote to memory of 1980    932    cmd.exe                                                                 PING.EXE
  PID 932 wrote to memory of 1980    932    cmd.exe                                                                 PING.EXE
Processes
C:\Users\Admin\AppData\Local\Temp\0907040be98bb04fe0b7e3df99d7149a5c88944d9ca3c57f7bcd08be16a8f0a3.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0907040be98bb04fe0b7e3df99d7149a5c88944d9ca3c57f7bcd08be16a8f0a3.exe"
  PID: 1084
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 744
    - Executes dropped EXE
  C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0907040be98bb04fe0b7e3df99d7149a5c88944d9ca3c57f7bcd08be16a8f0a3.exe"
    PID: 932
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\PING.EXE (depth 3)
      Command line: ping 127.0.0.1
      PID: 1980
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 5b8f56c47d4db072076f90bd7c4b3463
  SHA1: f2e69f0cce85b22c79b106101578387f7e75c5c9
  SHA256: ff5080757a1615ae81b3999e41501f9a8215c526b8eca3dc3db03d55c9cd3610
  SHA512: 6272622a2b4bc17ee3fcb673b6520a89a24d829b960ad9c75cdf3b42f804510749117f9b42ebaea55f115f368b3a52a97485380cf4da166332727ea0a61f7501
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 5b8f56c47d4db072076f90bd7c4b3463
  SHA1: f2e69f0cce85b22c79b106101578387f7e75c5c9
  SHA256: ff5080757a1615ae81b3999e41501f9a8215c526b8eca3dc3db03d55c9cd3610
  SHA512: 6272622a2b4bc17ee3fcb673b6520a89a24d829b960ad9c75cdf3b42f804510749117f9b42ebaea55f115f368b3a52a97485380cf4da166332727ea0a61f7501
memory/1084-54-0x0000000075341000-0x0000000075343000-memory.dmp
  Filesize: 8KB