Analysis
- max time kernel: 143s
- max time network: 162s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 09:58
Static task: static1
Behavioral task: behavioral1
- Sample: 087c68d2a871e38cc18e0f4abf80044259aa40e7177228af5eb1021c53f43419.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 087c68d2a871e38cc18e0f4abf80044259aa40e7177228af5eb1021c53f43419.exe
- Resource: win10v2004-en-20220113
General
- Target: 087c68d2a871e38cc18e0f4abf80044259aa40e7177228af5eb1021c53f43419.exe
- Size: 80KB
- MD5: 7235ec89866cbe366bbd311b3f6b42e1
- SHA1: 3a723e25a2e21119d9eadbeff63f0e2f49cafd1a
- SHA256: 087c68d2a871e38cc18e0f4abf80044259aa40e7177228af5eb1021c53f43419
- SHA512: 39eafb2011d27f6cb9cba0224844f1aeae8f3e26f2585474e393476a8e04af9feba81e021ad4109b9548b036fdf3c02e07cb779da873da4af23e9edf7f6e6a86
Malware Config
Signatures
- Sakula Payload (3 IoCs)
  Processes:
  resource | yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- Executes dropped EXE (1 IoC)
  Processes:
  pid | process
  828 | MediaCenter.exe
- Deletes itself (1 IoC)
  Processes:
  pid | process
  1960 | cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes:
  pid | process
  836 | 087c68d2a871e38cc18e0f4abf80044259aa40e7177228af5eb1021c53f43419.exe
  836 | 087c68d2a871e38cc18e0f4abf80044259aa40e7177228af5eb1021c53f43419.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 087c68d2a871e38cc18e0f4abf80044259aa40e7177228af5eb1021c53f43419.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 836 | 087c68d2a871e38cc18e0f4abf80044259aa40e7177228af5eb1021c53f43419.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
  description | pid | process | target process
  PID 836 wrote to memory of 828 | 836 | 087c68d2a871e38cc18e0f4abf80044259aa40e7177228af5eb1021c53f43419.exe | MediaCenter.exe
  PID 836 wrote to memory of 828 | 836 | 087c68d2a871e38cc18e0f4abf80044259aa40e7177228af5eb1021c53f43419.exe | MediaCenter.exe
  PID 836 wrote to memory of 828 | 836 | 087c68d2a871e38cc18e0f4abf80044259aa40e7177228af5eb1021c53f43419.exe | MediaCenter.exe
  PID 836 wrote to memory of 828 | 836 | 087c68d2a871e38cc18e0f4abf80044259aa40e7177228af5eb1021c53f43419.exe | MediaCenter.exe
  PID 836 wrote to memory of 1960 | 836 | 087c68d2a871e38cc18e0f4abf80044259aa40e7177228af5eb1021c53f43419.exe | cmd.exe
  PID 836 wrote to memory of 1960 | 836 | 087c68d2a871e38cc18e0f4abf80044259aa40e7177228af5eb1021c53f43419.exe | cmd.exe
  PID 836 wrote to memory of 1960 | 836 | 087c68d2a871e38cc18e0f4abf80044259aa40e7177228af5eb1021c53f43419.exe | cmd.exe
  PID 836 wrote to memory of 1960 | 836 | 087c68d2a871e38cc18e0f4abf80044259aa40e7177228af5eb1021c53f43419.exe | cmd.exe
  PID 1960 wrote to memory of 1292 | 1960 | cmd.exe | PING.EXE
  PID 1960 wrote to memory of 1292 | 1960 | cmd.exe | PING.EXE
  PID 1960 wrote to memory of 1292 | 1960 | cmd.exe | PING.EXE
  PID 1960 wrote to memory of 1292 | 1960 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\087c68d2a871e38cc18e0f4abf80044259aa40e7177228af5eb1021c53f43419.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\087c68d2a871e38cc18e0f4abf80044259aa40e7177228af5eb1021c53f43419.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 836
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 828
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\087c68d2a871e38cc18e0f4abf80044259aa40e7177228af5eb1021c53f43419.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1960
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1292
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 0b431db05fd0c47afead448ae27176ce
  SHA1: 70887688273e69953ce309c26262e312337d5510
  SHA256: 0f9d57d3266a9d8f85a0f4996da978c63b435dd7f59ebf70d691e0ed9987e7ab
  SHA512: 3a8298d1a20ccb894295dc9500c2a8dd02cb84a895d02dbef65e2a3f0f6fc2a04a23c5a56731d6ef4343c77e68d3cefd78033be2001d5db348d1dcf60e51ea9d
- memory/836-55-0x0000000075D61000-0x0000000075D63000-memory.dmp
  Filesize: 8KB