Analysis
-
max time kernel
130s -
max time network
142s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
12-02-2022 09:50
Static task
static1
Behavioral task
behavioral1
Sample
08f831b2eaf0b0fc02902687ac6c4089055669909d5a6b5eb47489fb5c31a81e.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
08f831b2eaf0b0fc02902687ac6c4089055669909d5a6b5eb47489fb5c31a81e.exe
Resource
win10v2004-en-20220112
General
-
Target
08f831b2eaf0b0fc02902687ac6c4089055669909d5a6b5eb47489fb5c31a81e.exe
-
Size
150KB
-
MD5
45a59e898618704b66dc0151d444145d
-
SHA1
f532bd7c9eeed0701f2567b98f07d81014d2bbd0
-
SHA256
08f831b2eaf0b0fc02902687ac6c4089055669909d5a6b5eb47489fb5c31a81e
-
SHA512
4cbe37bc3a8e041c352ea77158cd6af27293617d0ec60d3882408d4ba865959997fc35ee06efb8e4c0a4d15b166e3811d073754475852ee915f9dbeea94bd2dc
Malware Config
Signatures
-
Sakula Payload 2 IoCs
Processes:
resource yara_rule \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula -
Executes dropped EXE 1 IoCs
Processes:
MediaCenter.exepid process 580 MediaCenter.exe -
Deletes itself 1 IoCs
Processes:
cmd.exepid process 1788 cmd.exe -
Loads dropped DLL 1 IoCs
Processes:
08f831b2eaf0b0fc02902687ac6c4089055669909d5a6b5eb47489fb5c31a81e.exepid process 520 08f831b2eaf0b0fc02902687ac6c4089055669909d5a6b5eb47489fb5c31a81e.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
08f831b2eaf0b0fc02902687ac6c4089055669909d5a6b5eb47489fb5c31a81e.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" 08f831b2eaf0b0fc02902687ac6c4089055669909d5a6b5eb47489fb5c31a81e.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
08f831b2eaf0b0fc02902687ac6c4089055669909d5a6b5eb47489fb5c31a81e.exedescription pid process Token: SeIncBasePriorityPrivilege 520 08f831b2eaf0b0fc02902687ac6c4089055669909d5a6b5eb47489fb5c31a81e.exe -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
08f831b2eaf0b0fc02902687ac6c4089055669909d5a6b5eb47489fb5c31a81e.execmd.exedescription pid process target process PID 520 wrote to memory of 580 520 08f831b2eaf0b0fc02902687ac6c4089055669909d5a6b5eb47489fb5c31a81e.exe MediaCenter.exe PID 520 wrote to memory of 580 520 08f831b2eaf0b0fc02902687ac6c4089055669909d5a6b5eb47489fb5c31a81e.exe MediaCenter.exe PID 520 wrote to memory of 580 520 08f831b2eaf0b0fc02902687ac6c4089055669909d5a6b5eb47489fb5c31a81e.exe MediaCenter.exe PID 520 wrote to memory of 580 520 08f831b2eaf0b0fc02902687ac6c4089055669909d5a6b5eb47489fb5c31a81e.exe MediaCenter.exe PID 520 wrote to memory of 1788 520 08f831b2eaf0b0fc02902687ac6c4089055669909d5a6b5eb47489fb5c31a81e.exe cmd.exe PID 520 wrote to memory of 1788 520 08f831b2eaf0b0fc02902687ac6c4089055669909d5a6b5eb47489fb5c31a81e.exe cmd.exe PID 520 wrote to memory of 1788 520 08f831b2eaf0b0fc02902687ac6c4089055669909d5a6b5eb47489fb5c31a81e.exe cmd.exe PID 520 wrote to memory of 1788 520 08f831b2eaf0b0fc02902687ac6c4089055669909d5a6b5eb47489fb5c31a81e.exe cmd.exe PID 1788 wrote to memory of 1964 1788 cmd.exe PING.EXE PID 1788 wrote to memory of 1964 1788 cmd.exe PING.EXE PID 1788 wrote to memory of 1964 1788 cmd.exe PING.EXE PID 1788 wrote to memory of 1964 1788 cmd.exe PING.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\08f831b2eaf0b0fc02902687ac6c4089055669909d5a6b5eb47489fb5c31a81e.exe"C:\Users\Admin\AppData\Local\Temp\08f831b2eaf0b0fc02902687ac6c4089055669909d5a6b5eb47489fb5c31a81e.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:520 -
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeC:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe2⤵
- Executes dropped EXE
PID:580 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\08f831b2eaf0b0fc02902687ac6c4089055669909d5a6b5eb47489fb5c31a81e.exe"2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1788 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.13⤵
- Runs ping.exe
PID:1964
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeMD5
b5aaebebf215b8fc73a9da0cc331d94e
SHA13e86c5b70e32460438ca94d25264ee6be568b878
SHA256ee555af8cbd1c398ae1128c35fe694ca6c7a67937082af1e77b0a92765d84327
SHA512ef4364e5be72dab2be4787a52be39e1803b24af51daacbc3ff2cd4f8a1419459217c689ee7f42b7369c00ed0ea3e5764681737a135e5c9017286b95395d485ae
-
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeMD5
b5aaebebf215b8fc73a9da0cc331d94e
SHA13e86c5b70e32460438ca94d25264ee6be568b878
SHA256ee555af8cbd1c398ae1128c35fe694ca6c7a67937082af1e77b0a92765d84327
SHA512ef4364e5be72dab2be4787a52be39e1803b24af51daacbc3ff2cd4f8a1419459217c689ee7f42b7369c00ed0ea3e5764681737a135e5c9017286b95395d485ae
-
memory/520-55-0x0000000076731000-0x0000000076733000-memory.dmpFilesize
8KB