Analysis
- max time kernel: 150s
- max time network: 167s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 11:06
Static task: static1
Behavioral task: behavioral1
- Sample: 0550a2981201529a4bac85007af3c421a306510e32afe55776aa1bb212f7f9f1.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 0550a2981201529a4bac85007af3c421a306510e32afe55776aa1bb212f7f9f1.exe
- Resource: win10v2004-en-20220113
General
- Target: 0550a2981201529a4bac85007af3c421a306510e32afe55776aa1bb212f7f9f1.exe
- Size: 216KB
- MD5: 0e62bc7335757cdcd3ccaa2e6e1cbd3d
- SHA1: 13a67e46a2824ae6166a7d935c84c43687afe950
- SHA256: 0550a2981201529a4bac85007af3c421a306510e32afe55776aa1bb212f7f9f1
- SHA512: 2e27c8aaebbad7f1770141f07abc0306f46fe7ab1974fd3c07a90def2a0bb80f366b7c78aa5054558671a97b318427608ccadde9d06348d5099ef3d958700380
Malware Config
Signatures
- Sakula Payload 4 IoCs
  Processes (resource | yara_rule):
    \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
    behavioral1/memory/1096-58-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
    behavioral1/memory/1084-59-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
- Executes dropped EXE 1 IoCs
  Processes (pid | process):
    1084 | MediaCenter.exe
- Deletes itself 1 IoCs
  Processes (pid | process):
    964 | cmd.exe
- Loads dropped DLL 1 IoCs
  Processes (pid | process):
    1096 | 0550a2981201529a4bac85007af3c421a306510e32afe55776aa1bb212f7f9f1.exe
- Adds Run key to start application 2 TTPs 1 IoCs
  Processes (description | ioc | process):
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 0550a2981201529a4bac85007af3c421a306510e32afe55776aa1bb212f7f9f1.exe
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe 1 TTPs 1 IoCs
- Suspicious use of AdjustPrivilegeToken 1 IoCs
  Processes (description | pid | process):
    Token: SeIncBasePriorityPrivilege | 1096 | 0550a2981201529a4bac85007af3c421a306510e32afe55776aa1bb212f7f9f1.exe
- Suspicious use of WriteProcessMemory 12 IoCs
  Processes (description | pid | process | target process):
    PID 1096 wrote to memory of 1084 | 1096 | 0550a2981201529a4bac85007af3c421a306510e32afe55776aa1bb212f7f9f1.exe | MediaCenter.exe
    PID 1096 wrote to memory of 1084 | 1096 | 0550a2981201529a4bac85007af3c421a306510e32afe55776aa1bb212f7f9f1.exe | MediaCenter.exe
    PID 1096 wrote to memory of 1084 | 1096 | 0550a2981201529a4bac85007af3c421a306510e32afe55776aa1bb212f7f9f1.exe | MediaCenter.exe
    PID 1096 wrote to memory of 1084 | 1096 | 0550a2981201529a4bac85007af3c421a306510e32afe55776aa1bb212f7f9f1.exe | MediaCenter.exe
    PID 1096 wrote to memory of 964 | 1096 | 0550a2981201529a4bac85007af3c421a306510e32afe55776aa1bb212f7f9f1.exe | cmd.exe
    PID 1096 wrote to memory of 964 | 1096 | 0550a2981201529a4bac85007af3c421a306510e32afe55776aa1bb212f7f9f1.exe | cmd.exe
    PID 1096 wrote to memory of 964 | 1096 | 0550a2981201529a4bac85007af3c421a306510e32afe55776aa1bb212f7f9f1.exe | cmd.exe
    PID 1096 wrote to memory of 964 | 1096 | 0550a2981201529a4bac85007af3c421a306510e32afe55776aa1bb212f7f9f1.exe | cmd.exe
    PID 964 wrote to memory of 1628 | 964 | cmd.exe | PING.EXE
    PID 964 wrote to memory of 1628 | 964 | cmd.exe | PING.EXE
    PID 964 wrote to memory of 1628 | 964 | cmd.exe | PING.EXE
    PID 964 wrote to memory of 1628 | 964 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\0550a2981201529a4bac85007af3c421a306510e32afe55776aa1bb212f7f9f1.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0550a2981201529a4bac85007af3c421a306510e32afe55776aa1bb212f7f9f1.exe"
  PID: 1096
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 1084
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0550a2981201529a4bac85007af3c421a306510e32afe55776aa1bb212f7f9f1.exe"
    PID: 964
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (depth 3)
      Command line: ping 127.0.0.1
      PID: 1628
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: d85ecf4c421fb9220bc1b12fcb0576fb
  SHA1: 67e0d1b09c5d9914b50f96f4f8fe09ad75c54e5a
  SHA256: 739bfddc8a2a383b86398a1851d3d6cab0220da8ff2ff24668427b0602514383
  SHA512: 56eb20396d2a231fadf46e19ac16ecb4e0b8b4cdadc7886bf69921da61ea1ee4001eede89902ea307f08cbcbf929183856b34d87bd19edf804e5638d7c89d6d8
- \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: d85ecf4c421fb9220bc1b12fcb0576fb
  SHA1: 67e0d1b09c5d9914b50f96f4f8fe09ad75c54e5a
  SHA256: 739bfddc8a2a383b86398a1851d3d6cab0220da8ff2ff24668427b0602514383
  SHA512: 56eb20396d2a231fadf46e19ac16ecb4e0b8b4cdadc7886bf69921da61ea1ee4001eede89902ea307f08cbcbf929183856b34d87bd19edf804e5638d7c89d6d8
- memory/1084-59-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB
- memory/1096-54-0x0000000076121000-0x0000000076123000-memory.dmp
  Filesize: 8KB
- memory/1096-58-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB