Analysis
- max time kernel: 150s
- max time network: 162s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 10:31

Static task: static1

Behavioral task: behavioral1
- Sample: 06eaff19e4cf53f65908be6e2fb7cd79f04ffb471a7d45d6c7686b77414363ba.exe
- Resource: win7-en-20211208

Behavioral task: behavioral2
- Sample: 06eaff19e4cf53f65908be6e2fb7cd79f04ffb471a7d45d6c7686b77414363ba.exe
- Resource: win10v2004-en-20220112

General
- Target: 06eaff19e4cf53f65908be6e2fb7cd79f04ffb471a7d45d6c7686b77414363ba.exe
- Size: 200KB
- MD5: cc730862f06bc3554660bcff94c78047
- SHA1: bc857b68028dbe836b9452f5a0de36de2bab382f
- SHA256: 06eaff19e4cf53f65908be6e2fb7cd79f04ffb471a7d45d6c7686b77414363ba
- SHA512: f874b9afb9b483fe013aff7636d1234a928eed6c5b072fd712977c85107ced809fef1ed38fdd567872239d81d27584710a94e270b1c639e19f3e97528f3839c6
Malware Config
Signatures
- Sakula Payload (4 IoCs)
  Processes:
  resource | yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  behavioral1/memory/848-58-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
  behavioral1/memory/1068-59-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
- Executes dropped EXE (1 IoC)
  Processes:
  pid | process
  1068 | MediaCenter.exe
- Deletes itself (1 IoC)
  Processes:
  pid | process
  1768 | cmd.exe
- Loads dropped DLL (1 IoC)
  Processes:
  pid | process
  848 | 06eaff19e4cf53f65908be6e2fb7cd79f04ffb471a7d45d6c7686b77414363ba.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 06eaff19e4cf53f65908be6e2fb7cd79f04ffb471a7d45d6c7686b77414363ba.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 848 | 06eaff19e4cf53f65908be6e2fb7cd79f04ffb471a7d45d6c7686b77414363ba.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
  description | pid | process | target process
  PID 848 wrote to memory of 1068 | 848 | 06eaff19e4cf53f65908be6e2fb7cd79f04ffb471a7d45d6c7686b77414363ba.exe | MediaCenter.exe
  PID 848 wrote to memory of 1068 | 848 | 06eaff19e4cf53f65908be6e2fb7cd79f04ffb471a7d45d6c7686b77414363ba.exe | MediaCenter.exe
  PID 848 wrote to memory of 1068 | 848 | 06eaff19e4cf53f65908be6e2fb7cd79f04ffb471a7d45d6c7686b77414363ba.exe | MediaCenter.exe
  PID 848 wrote to memory of 1068 | 848 | 06eaff19e4cf53f65908be6e2fb7cd79f04ffb471a7d45d6c7686b77414363ba.exe | MediaCenter.exe
  PID 848 wrote to memory of 1768 | 848 | 06eaff19e4cf53f65908be6e2fb7cd79f04ffb471a7d45d6c7686b77414363ba.exe | cmd.exe
  PID 848 wrote to memory of 1768 | 848 | 06eaff19e4cf53f65908be6e2fb7cd79f04ffb471a7d45d6c7686b77414363ba.exe | cmd.exe
  PID 848 wrote to memory of 1768 | 848 | 06eaff19e4cf53f65908be6e2fb7cd79f04ffb471a7d45d6c7686b77414363ba.exe | cmd.exe
  PID 848 wrote to memory of 1768 | 848 | 06eaff19e4cf53f65908be6e2fb7cd79f04ffb471a7d45d6c7686b77414363ba.exe | cmd.exe
  PID 1768 wrote to memory of 1512 | 1768 | cmd.exe | PING.EXE
  PID 1768 wrote to memory of 1512 | 1768 | cmd.exe | PING.EXE
  PID 1768 wrote to memory of 1512 | 1768 | cmd.exe | PING.EXE
  PID 1768 wrote to memory of 1512 | 1768 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\06eaff19e4cf53f65908be6e2fb7cd79f04ffb471a7d45d6c7686b77414363ba.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\06eaff19e4cf53f65908be6e2fb7cd79f04ffb471a7d45d6c7686b77414363ba.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 848
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1068
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\06eaff19e4cf53f65908be6e2fb7cd79f04ffb471a7d45d6c7686b77414363ba.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1768
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1512
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: ce0f266e46dd6e39acb3e94551afd92d
  SHA1: c3cfd8694baaa4768b3b134a2f46acda22eabfb1
  SHA256: b81bbd1cf1ddab36ac58f3fce150d4bf9300b1353846d33cd205a536ad7d2d07
  SHA512: 853659de1f15f3f11e97727f5137a2637349f3a93e7919fb8c852cd7f56a4e2d307dc17e7c92c1cb0977eaef235f40c5dac6a552a02589c2108c581201635a93
- \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: ce0f266e46dd6e39acb3e94551afd92d
  SHA1: c3cfd8694baaa4768b3b134a2f46acda22eabfb1
  SHA256: b81bbd1cf1ddab36ac58f3fce150d4bf9300b1353846d33cd205a536ad7d2d07
  SHA512: 853659de1f15f3f11e97727f5137a2637349f3a93e7919fb8c852cd7f56a4e2d307dc17e7c92c1cb0977eaef235f40c5dac6a552a02589c2108c581201635a93
- memory/848-54-0x0000000075AE1000-0x0000000075AE3000-memory.dmp
  Filesize: 8KB
- memory/848-58-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB
- memory/1068-59-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB