Analysis
- max time kernel: 154s
- max time network: 167s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 09:51
Static task: static1
Behavioral task: behavioral1
  Sample: 08e1fa4701532e1c1b1fda7e5bbbdea0ab35710e9ac0d2bb075afa51c2f29f9e.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 08e1fa4701532e1c1b1fda7e5bbbdea0ab35710e9ac0d2bb075afa51c2f29f9e.exe
  Resource: win10v2004-en-20220113
General
- Target: 08e1fa4701532e1c1b1fda7e5bbbdea0ab35710e9ac0d2bb075afa51c2f29f9e.exe
- Size: 100KB
- MD5: 334ff728f1935d8607c2b32b67727f41
- SHA1: b35e95df0b965103f672e3b7fb33a39ba82990a2
- SHA256: 08e1fa4701532e1c1b1fda7e5bbbdea0ab35710e9ac0d2bb075afa51c2f29f9e
- SHA512: 42a61f8f692a9410421c581a5649c4f3d1929bf27fdc1ccc33ca3c6e39bec4ad5b4d7f1f0de16958af63269a4cf3dda2ddb3ecd67b3253937ff6d4c54f0d2e23
Malware Config
Signatures
- Sakula Payload (3 IoCs)
  Processes:
    resource | yara_rule
    \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
    \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- Executes dropped EXE (1 IoCs)
  Processes:
    pid | process
    516 | MediaCenter.exe
- Deletes itself (1 IoCs)
  Processes:
    pid | process
    1664 | cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes:
    pid | process
    956 | 08e1fa4701532e1c1b1fda7e5bbbdea0ab35710e9ac0d2bb075afa51c2f29f9e.exe
    956 | 08e1fa4701532e1c1b1fda7e5bbbdea0ab35710e9ac0d2bb075afa51c2f29f9e.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
    description | ioc | process
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 08e1fa4701532e1c1b1fda7e5bbbdea0ab35710e9ac0d2bb075afa51c2f29f9e.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
    description | pid | process
    Token: SeIncBasePriorityPrivilege | 956 | 08e1fa4701532e1c1b1fda7e5bbbdea0ab35710e9ac0d2bb075afa51c2f29f9e.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
    description | pid | process | target process
    PID 956 wrote to memory of 516 | 956 | 08e1fa4701532e1c1b1fda7e5bbbdea0ab35710e9ac0d2bb075afa51c2f29f9e.exe | MediaCenter.exe
    PID 956 wrote to memory of 516 | 956 | 08e1fa4701532e1c1b1fda7e5bbbdea0ab35710e9ac0d2bb075afa51c2f29f9e.exe | MediaCenter.exe
    PID 956 wrote to memory of 516 | 956 | 08e1fa4701532e1c1b1fda7e5bbbdea0ab35710e9ac0d2bb075afa51c2f29f9e.exe | MediaCenter.exe
    PID 956 wrote to memory of 516 | 956 | 08e1fa4701532e1c1b1fda7e5bbbdea0ab35710e9ac0d2bb075afa51c2f29f9e.exe | MediaCenter.exe
    PID 956 wrote to memory of 1664 | 956 | 08e1fa4701532e1c1b1fda7e5bbbdea0ab35710e9ac0d2bb075afa51c2f29f9e.exe | cmd.exe
    PID 956 wrote to memory of 1664 | 956 | 08e1fa4701532e1c1b1fda7e5bbbdea0ab35710e9ac0d2bb075afa51c2f29f9e.exe | cmd.exe
    PID 956 wrote to memory of 1664 | 956 | 08e1fa4701532e1c1b1fda7e5bbbdea0ab35710e9ac0d2bb075afa51c2f29f9e.exe | cmd.exe
    PID 956 wrote to memory of 1664 | 956 | 08e1fa4701532e1c1b1fda7e5bbbdea0ab35710e9ac0d2bb075afa51c2f29f9e.exe | cmd.exe
    PID 1664 wrote to memory of 1200 | 1664 | cmd.exe | PING.EXE
    PID 1664 wrote to memory of 1200 | 1664 | cmd.exe | PING.EXE
    PID 1664 wrote to memory of 1200 | 1664 | cmd.exe | PING.EXE
    PID 1664 wrote to memory of 1200 | 1664 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\08e1fa4701532e1c1b1fda7e5bbbdea0ab35710e9ac0d2bb075afa51c2f29f9e.exe (PID 956)
  Command line: "C:\Users\Admin\AppData\Local\Temp\08e1fa4701532e1c1b1fda7e5bbbdea0ab35710e9ac0d2bb075afa51c2f29f9e.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 516)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 1664)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\08e1fa4701532e1c1b1fda7e5bbbdea0ab35710e9ac0d2bb075afa51c2f29f9e.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 1200)
      Command line: ping 127.0.0.1
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 26190c9ea822f78a62882a7a6ca03d0c
  SHA1: 1fe9958e20d95e8203ccb2db9a03fcd52dd6b657
  SHA256: 06464bbfe6a3085ecfeb1451dfbedb275efbc48632cc300d69af7d3a05c3c73f
  SHA512: 0664d636e68dfd76f3012d9b498dae2468f7c342f02eb8bc806af13bad9645483a620b583803319283a1bf819003a855c99651022a7368ccd7c0e44897172928
- memory/956-54-0x0000000075AB1000-0x0000000075AB3000-memory.dmp
  Filesize: 8KB