Analysis
- max time kernel: 150s
- max time network: 168s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 11:07
Static task: static1
Behavioral task: behavioral1
  Sample: 0549360beb19a7bee35d618bb4d2256b8838ad5222c70d739b0768260f19aff6.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0549360beb19a7bee35d618bb4d2256b8838ad5222c70d739b0768260f19aff6.exe
  Resource: win10v2004-en-20220112
General
- Target: 0549360beb19a7bee35d618bb4d2256b8838ad5222c70d739b0768260f19aff6.exe
- Size: 216KB
- MD5: 064ff695be99c3cdad645ab8a6199669
- SHA1: 51d91f486dca11aced49d419f6a5bcf1d30fd7eb
- SHA256: 0549360beb19a7bee35d618bb4d2256b8838ad5222c70d739b0768260f19aff6
- SHA512: b4f34cd4d05633bc4e6aecf8f1cfda7c726367e1525b1aed00acd714119aa2a8b5e115a78c65be9bb24a48b881524278316146f33cfd7573b6717ed877e02a40
Malware Config
Signatures
- Sakula Payload (4 IoCs)
  Processes (resource | yara_rule):
    \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
    behavioral1/memory/1272-59-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
    behavioral1/memory/1552-60-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
- Executes dropped EXE (1 IoC)
  Processes (pid | process):
    1552 | MediaCenter.exe
- Deletes itself (1 IoC)
  Processes (pid | process):
    608 | cmd.exe
- Loads dropped DLL (1 IoC)
  Processes (pid | process):
    1272 | 0549360beb19a7bee35d618bb4d2256b8838ad5222c70d739b0768260f19aff6.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description | ioc | process):
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 0549360beb19a7bee35d618bb4d2256b8838ad5222c70d739b0768260f19aff6.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description | pid | process):
    Token: SeIncBasePriorityPrivilege | 1272 | 0549360beb19a7bee35d618bb4d2256b8838ad5222c70d739b0768260f19aff6.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description | pid | process | target process):
    PID 1272 wrote to memory of 1552 | 1272 | 0549360beb19a7bee35d618bb4d2256b8838ad5222c70d739b0768260f19aff6.exe | MediaCenter.exe
    PID 1272 wrote to memory of 1552 | 1272 | 0549360beb19a7bee35d618bb4d2256b8838ad5222c70d739b0768260f19aff6.exe | MediaCenter.exe
    PID 1272 wrote to memory of 1552 | 1272 | 0549360beb19a7bee35d618bb4d2256b8838ad5222c70d739b0768260f19aff6.exe | MediaCenter.exe
    PID 1272 wrote to memory of 1552 | 1272 | 0549360beb19a7bee35d618bb4d2256b8838ad5222c70d739b0768260f19aff6.exe | MediaCenter.exe
    PID 1272 wrote to memory of 608 | 1272 | 0549360beb19a7bee35d618bb4d2256b8838ad5222c70d739b0768260f19aff6.exe | cmd.exe
    PID 1272 wrote to memory of 608 | 1272 | 0549360beb19a7bee35d618bb4d2256b8838ad5222c70d739b0768260f19aff6.exe | cmd.exe
    PID 1272 wrote to memory of 608 | 1272 | 0549360beb19a7bee35d618bb4d2256b8838ad5222c70d739b0768260f19aff6.exe | cmd.exe
    PID 1272 wrote to memory of 608 | 1272 | 0549360beb19a7bee35d618bb4d2256b8838ad5222c70d739b0768260f19aff6.exe | cmd.exe
    PID 608 wrote to memory of 360 | 608 | cmd.exe | PING.EXE
    PID 608 wrote to memory of 360 | 608 | cmd.exe | PING.EXE
    PID 608 wrote to memory of 360 | 608 | cmd.exe | PING.EXE
    PID 608 wrote to memory of 360 | 608 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\0549360beb19a7bee35d618bb4d2256b8838ad5222c70d739b0768260f19aff6.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0549360beb19a7bee35d618bb4d2256b8838ad5222c70d739b0768260f19aff6.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1272
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1552
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0549360beb19a7bee35d618bb4d2256b8838ad5222c70d739b0768260f19aff6.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 608
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 360
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 0b43ee0d1c337cec17a44d642afc36fe
  SHA1: 2c107ab94bd3821860f115c45e9fc089b77ab2b4
  SHA256: 98e19d821e85fb52a1a5ecbcaa506e8f4da276f415fe52b7b3e9d982b00e0b87
  SHA512: 95f94dc3129005410b29621080d7a3a8424667c7ca8c2f0692b128266700d4d54ab3cbb1718b56e4f1fb466c522f2d30d1811d29ea3f716cc87c2a3dc26e748f
- \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 0b43ee0d1c337cec17a44d642afc36fe
  SHA1: 2c107ab94bd3821860f115c45e9fc089b77ab2b4
  SHA256: 98e19d821e85fb52a1a5ecbcaa506e8f4da276f415fe52b7b3e9d982b00e0b87
  SHA512: 95f94dc3129005410b29621080d7a3a8424667c7ca8c2f0692b128266700d4d54ab3cbb1718b56e4f1fb466c522f2d30d1811d29ea3f716cc87c2a3dc26e748f
- memory/1272-55-0x00000000756C1000-0x00000000756C3000-memory.dmp
  Filesize: 8KB
- memory/1272-59-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB
- memory/1552-60-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB