Analysis
- max time kernel: 146s
- max time network: 167s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 09:52
Static task: static1
Behavioral task: behavioral1
  Sample: 08cb659a94d0ef1425c3a46af2a72eb6783b672004d3a446fb9d99214df668d7.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 08cb659a94d0ef1425c3a46af2a72eb6783b672004d3a446fb9d99214df668d7.exe
  Resource: win10v2004-en-20220113
General
- Target: 08cb659a94d0ef1425c3a46af2a72eb6783b672004d3a446fb9d99214df668d7.exe
- Size: 79KB
- MD5: 962d625c66161b45615cd4ee10802093
- SHA1: 7e63e89462bd805482bcffd8dab89d7d62500b1f
- SHA256: 08cb659a94d0ef1425c3a46af2a72eb6783b672004d3a446fb9d99214df668d7
- SHA512: dd205bdd9e27ce1f527d7a47ca22b623b31f45459f08ceda38018d29daad4c5bae4d4d51deb0ac25e73ffa843702dc704c60f4e11c19ad3f0423a1561d7712e9
Malware Config
Signatures
- Sakula Payload (3 IoCs)
  Processes (resource | yara_rule):
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- Executes dropped EXE (1 IoCs)
  Processes (pid | process):
  1324 | MediaCenter.exe
- Deletes itself (1 IoCs)
  Processes (pid | process):
  396 | cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid | process):
  892 | 08cb659a94d0ef1425c3a46af2a72eb6783b672004d3a446fb9d99214df668d7.exe
  892 | 08cb659a94d0ef1425c3a46af2a72eb6783b672004d3a446fb9d99214df668d7.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes (description | ioc | process):
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 08cb659a94d0ef1425c3a46af2a72eb6783b672004d3a446fb9d99214df668d7.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes (description | pid | process):
  Token: SeIncBasePriorityPrivilege | 892 | 08cb659a94d0ef1425c3a46af2a72eb6783b672004d3a446fb9d99214df668d7.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description | pid | process | target process):
  PID 892 wrote to memory of 1324 | 892 | 08cb659a94d0ef1425c3a46af2a72eb6783b672004d3a446fb9d99214df668d7.exe | MediaCenter.exe
  PID 892 wrote to memory of 1324 | 892 | 08cb659a94d0ef1425c3a46af2a72eb6783b672004d3a446fb9d99214df668d7.exe | MediaCenter.exe
  PID 892 wrote to memory of 1324 | 892 | 08cb659a94d0ef1425c3a46af2a72eb6783b672004d3a446fb9d99214df668d7.exe | MediaCenter.exe
  PID 892 wrote to memory of 1324 | 892 | 08cb659a94d0ef1425c3a46af2a72eb6783b672004d3a446fb9d99214df668d7.exe | MediaCenter.exe
  PID 892 wrote to memory of 396 | 892 | 08cb659a94d0ef1425c3a46af2a72eb6783b672004d3a446fb9d99214df668d7.exe | cmd.exe
  PID 892 wrote to memory of 396 | 892 | 08cb659a94d0ef1425c3a46af2a72eb6783b672004d3a446fb9d99214df668d7.exe | cmd.exe
  PID 892 wrote to memory of 396 | 892 | 08cb659a94d0ef1425c3a46af2a72eb6783b672004d3a446fb9d99214df668d7.exe | cmd.exe
  PID 892 wrote to memory of 396 | 892 | 08cb659a94d0ef1425c3a46af2a72eb6783b672004d3a446fb9d99214df668d7.exe | cmd.exe
  PID 396 wrote to memory of 1672 | 396 | cmd.exe | PING.EXE
  PID 396 wrote to memory of 1672 | 396 | cmd.exe | PING.EXE
  PID 396 wrote to memory of 1672 | 396 | cmd.exe | PING.EXE
  PID 396 wrote to memory of 1672 | 396 | cmd.exe | PING.EXE
Processes
- Level 1: C:\Users\Admin\AppData\Local\Temp\08cb659a94d0ef1425c3a46af2a72eb6783b672004d3a446fb9d99214df668d7.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\08cb659a94d0ef1425c3a46af2a72eb6783b672004d3a446fb9d99214df668d7.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 892
  - Level 2: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1324
  - Level 2: C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\08cb659a94d0ef1425c3a46af2a72eb6783b672004d3a446fb9d99214df668d7.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 396
    - Level 3: C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1672
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 8b81d37b7c9bfbe3a1fbd355215fc3f9
  SHA1: ba849c19d3e22075c309991a9d4f1c563838cecc
  SHA256: cf98423175ad6720e99ce6fc9abd05d823261aab59d29e8705db422ccd681495
  SHA512: 7f97f716c6fee3fdae69d9effdda46fb1531ad42865ee50365b77fbf69803ff416015f9057c7ac7b5d5a36bfb08534a1a40f49bd5431ccdf00017c26dd760297
- \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 8b81d37b7c9bfbe3a1fbd355215fc3f9
  SHA1: ba849c19d3e22075c309991a9d4f1c563838cecc
  SHA256: cf98423175ad6720e99ce6fc9abd05d823261aab59d29e8705db422ccd681495
  SHA512: 7f97f716c6fee3fdae69d9effdda46fb1531ad42865ee50365b77fbf69803ff416015f9057c7ac7b5d5a36bfb08534a1a40f49bd5431ccdf00017c26dd760297
- memory/892-54-0x0000000076451000-0x0000000076453000-memory.dmp
  Filesize: 8KB