Analysis
max time kernel: 120s
max time network: 125s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 10:37
Static task: static1
Behavioral task: behavioral1
  Sample: 06b0c4340beefc65ae38863aaa65e762e5631eb57ab384c7e6c7191db82b6345.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 06b0c4340beefc65ae38863aaa65e762e5631eb57ab384c7e6c7191db82b6345.exe
  Resource: win10v2004-en-20220113
General
Target: 06b0c4340beefc65ae38863aaa65e762e5631eb57ab384c7e6c7191db82b6345.exe
Size: 108KB
MD5: cea627589a0385370789953ff8a9d341
SHA1: 9f75c2713786b030cb083bfa37af8a7ed7f90457
SHA256: 06b0c4340beefc65ae38863aaa65e762e5631eb57ab384c7e6c7191db82b6345
SHA512: f19497b97d4d7c675672daa2ad7d5cd44730936606b93a2ae897d724611aa4464eaaeab14656566fb9f0d27efd60f6810542e72d0b0eb5426d2cd9bcc9cefa83
Malware Config
Signatures
Sakula Payload (3 IoCs)
  resource                                                       yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe     family_sakula
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe     family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe   family_sakula
Executes dropped EXE (1 IoC)
  pid    process
  648    MediaCenter.exe
Deletes itself (1 IoC)
  pid    process
  812    cmd.exe
Loads dropped DLL (2 IoCs)
  pid    process
  1212   06b0c4340beefc65ae38863aaa65e762e5631eb57ab384c7e6c7191db82b6345.exe
  1212   06b0c4340beefc65ae38863aaa65e762e5631eb57ab384c7e6c7191db82b6345.exe
Adds Run key to start application (2 TTPs, 1 IoC)
  description        ioc                                                                                                                                                          process
  Set value (str)    \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"    06b0c4340beefc65ae38863aaa65e762e5631eb57ab384c7e6c7191db82b6345.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic description rates this as likely ransomware behaviour; on this sample the YARA match is for Sakula, a remote-access trojan, so treat the drive enumeration as RAT reconnaissance rather than as a ransomware indicator.
Runs ping.exe (1 TTP, 1 IoC)
Suspicious use of AdjustPrivilegeToken (1 IoC)
  description                          pid    process
  Token: SeIncBasePriorityPrivilege    1212   06b0c4340beefc65ae38863aaa65e762e5631eb57ab384c7e6c7191db82b6345.exe
Suspicious use of WriteProcessMemory (12 IoCs; each parent/child pair below was recorded four times)
  pid    target pid   process                                                                  target process
  1212   648          06b0c4340beefc65ae38863aaa65e762e5631eb57ab384c7e6c7191db82b6345.exe    MediaCenter.exe
  1212   812          06b0c4340beefc65ae38863aaa65e762e5631eb57ab384c7e6c7191db82b6345.exe    cmd.exe
  812    1792         cmd.exe                                                                  PING.EXE
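Added example, not part of the sandbox report or of the Sakula sample: a triage routine for Run-key writes like the one recorded under "Adds Run key to start application". It takes events shaped like the report's registry IoC (key path, value name, string data, writing process image) and flags the three things a responder checks first: whether the autostart target sits in a user-writable staging directory, whether the writer itself runs from one, and whether the write went through Wow6432Node. The staging-directory list, the benign control entry, the field names and the function names are my own assumptions.

```python
import re

# Keys whose values autostart at logon (HKLM and HKCU, native and WOW64 views).
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?$",
                        re.IGNORECASE)

# Directories a legitimately installed autostart target rarely lives in.
# Constructed list for this example; extend it from your own telemetry.
STAGING_DIR_RES = [
    re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE),
    re.compile(r"\\Windows\\Temp\\", re.IGNORECASE),
    re.compile(r"\\Users\\Public\\", re.IGNORECASE),
    re.compile(r"\\ProgramData\\", re.IGNORECASE),
]


def image_from_value(data):
    """Extract the executable path from Run value data.

    The sandbox prints string values with every backslash doubled, so collapse
    those first; then take the quoted path, or for unquoted data the prefix
    that ends in an executable extension (arguments after it are dropped).
    """
    text = data.strip().replace("\\\\", "\\")
    if text.startswith('"'):
        close = text.find('"', 1)
        return text[1:close] if close > 0 else text[1:]
    m = re.match(r"(.+?\.(?:exe|dll|bat|cmd|vbs|js|ps1))(?:\s|$)", text,
                 re.IGNORECASE)
    parts = text.split()
    return m.group(1) if m else (parts[0] if parts else "")


def in_staging_dir(path):
    return any(r.search(path) for r in STAGING_DIR_RES)


def assess_run_write(event):
    """Return the reasons a registry write looks like malware persistence.

    An empty list means nothing was flagged. `event` carries the fields the
    report prints for the IoC: key, name, data and the writing process image.
    """
    reasons = []
    key = event["key"]
    if not RUN_KEY_RE.search(key):
        return reasons  # not an autostart key; out of scope for this check
    target = image_from_value(event["data"])
    if in_staging_dir(target):
        reasons.append("autostart target lives in a staging directory: " + target)
    if in_staging_dir(event["writer"]):
        reasons.append("written by a process running from a staging directory: "
                       + event["writer"])
    if "\\wow6432node\\" in key.lower():
        # WOW64 redirection put the value under Wow6432Node: the writer is a
        # 32-bit process on 64-bit Windows. The entry still autostarts, and a
        # hunt that reads only the native HKLM\...\Run view would miss it.
        reasons.append("key written through Wow6432Node (32-bit writer on x64)")
    return reasons


# Constructed events: the first mirrors the report's registry IoC, the second
# is a benign control with made-up vendor paths.
EVENTS = [
    {
        "key": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run",
        "name": "MicroMedia",
        "data": r'"C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"',
        "writer": r"C:\Users\Admin\AppData\Local\Temp\06b0c4340beefc65ae38863aaa65e762e5631eb57ab384c7e6c7191db82b6345.exe",
    },
    {
        "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
        "name": "ExampleUpdater",
        "data": r'"C:\Program Files\Example Vendor\Updater.exe" /background',
        "writer": r"C:\Windows\System32\msiexec.exe",
    },
]


def triage(events):
    """Map value name -> reasons, for the events that were flagged."""
    flagged = {}
    for event in events:
        reasons = assess_run_write(event)
        if reasons:
            flagged[event["name"]] = reasons
    return flagged


if __name__ == "__main__":
    for name, reasons in triage(EVENTS).items():
        print(name)
        for reason in reasons:
            print("  -", reason)
```

Run against the constructed events, only the MicroMedia entry is flagged, with all three reasons; the control entry under Program Files written by msiexec.exe passes. The Wow6432Node check matters operationally: the sample's registry write and its SysWOW64 image paths both come from WOW64 redirection, so a collector that reads only the native 64-bit Run key never sees this persistence.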
Processes
C:\Users\Admin\AppData\Local\Temp\06b0c4340beefc65ae38863aaa65e762e5631eb57ab384c7e6c7191db82b6345.exe (level 1, PID 1212)
  command line: "C:\Users\Admin\AppData\Local\Temp\06b0c4340beefc65ae38863aaa65e762e5631eb57ab384c7e6c7191db82b6345.exe"
  signatures: Loads dropped DLL; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (level 2, PID 648)
    command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    signatures: Executes dropped EXE
  C:\Windows\SysWOW64\cmd.exe (level 2, PID 812)
    command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\06b0c4340beefc65ae38863aaa65e762e5631eb57ab384c7e6c7191db82b6345.exe"
    signatures: Deletes itself; Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\PING.EXE (level 3, PID 1792)
      command line: ping 127.0.0.1
      signatures: Runs ping.exe
Note: the command lines name System32 but the images resolved under SysWOW64, and the Run key landed under Wow6432Node. Both are WOW64 redirection, so the sample is a 32-bit executable running on the 64-bit Windows 7 image. The cmd.exe child is the usual self-deletion chain: the ping to 127.0.0.1 only delays until the parent (PID 1212) has exited and released its file lock, after which del /q removes the original sample; the dropped MediaCenter.exe in the Temp\MicroMedia directory is what survives and autostarts.
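Added example, not from the sandbox report: detection logic for the self-deletion chain in the process tree above, the cmd.exe /c ping 127.0.0.1 & del /q "<own path>" pattern the report flags as "Deletes itself". It runs over constructed process-creation events that mirror the report's PIDs, images and command lines (the shape a Sysmon Event ID 1 or a sandbox tree provides) and reports a cmd.exe only when the path it deletes is the image of one of its own ancestors, which is what separates this from a routine cleanup command. The event field names, the control event and the helper names are my own assumptions; the parser also handles the cmd /c "a && b" quoting form, which the report's sample does not use.

```python
import re

# Commands used to buy time before the delete so the parent can exit and
# release its file lock (ping to loopback is the classic one).
DELAY_CMDS = {"ping", "timeout", "choice", "sleep"}
DELETE_CMDS = {"del", "erase"}

# Sample path from the report, reused so the constructed events line up.
SAMPLE_PATH = r"C:\Users\Admin\AppData\Local\Temp\06b0c4340beefc65ae38863aaa65e762e5631eb57ab384c7e6c7191db82b6345.exe"


def split_chain(cmdline):
    """Return the commands chained after cmd.exe /c or /k, in order."""
    m = re.search(r'cmd(?:\.exe)?"?\s+/[ck]\s+(.*)$', cmdline, re.IGNORECASE)
    if not m:
        return []
    body = m.group(1).strip()
    if len(body) > 1 and body.startswith('"') and body.endswith('"'):
        body = body[1:-1]  # cmd /c "a & b" form
    return [p.strip() for p in re.split(r"\s*(?:&&|\|\||&)\s*", body) if p.strip()]


def tokens_of(command):
    """Split one command on whitespace while keeping quoted arguments whole."""
    return [q or u for q, u in re.findall(r'"([^"]*)"|(\S+)', command)]


def command_name(token):
    """Normalise a full image path or quoted name to its bare lowercase verb."""
    name = token.strip('"').rsplit("\\", 1)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name


def classify_chain(cmdline):
    """Return (uses_delay, deleted_paths) for a cmd.exe command line."""
    uses_delay = False
    deleted = []
    for part in split_chain(cmdline):
        toks = tokens_of(part)
        if not toks:
            continue
        name = command_name(toks[0])
        if name in DELAY_CMDS:
            uses_delay = True
        elif name in DELETE_CMDS:
            # keep operands, drop switches such as /q and /f
            deleted.extend(t for t in toks[1:] if not t.startswith("/"))
    return uses_delay, deleted


def detect_self_delete(events):
    """Flag cmd.exe processes that delete the image of one of their ancestors.

    `events` are process-creation records with pid, ppid, image and cmdline.
    """
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if command_name(e["image"]) != "cmd":
            continue
        uses_delay, deleted = classify_chain(e["cmdline"])
        if not deleted:
            continue
        # Walk the ancestry (guarding against pid reuse loops); a self-delete
        # usually targets the direct parent, as in the report.
        ancestors, seen, cur = [], set(), by_pid.get(e["ppid"])
        while cur is not None and cur["pid"] not in seen:
            seen.add(cur["pid"])
            ancestors.append(cur)
            cur = by_pid.get(cur["ppid"])
        for path in deleted:
            for anc in ancestors:
                if anc["image"].lower() == path.lower():
                    findings.append({
                        "cmd_pid": e["pid"],
                        "owner_pid": anc["pid"],
                        "deleted": anc["image"],
                        "delayed": uses_delay,
                    })
    return findings


# Constructed process-creation events mirroring the report's tree (PIDs 1212,
# 648, 812, 1792) plus an unrelated cleanup command as a control.
EVENTS = [
    {"pid": 1212, "ppid": 1000, "image": SAMPLE_PATH,
     "cmdline": '"' + SAMPLE_PATH + '"'},
    {"pid": 648, "ppid": 1212,
     "image": r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe",
     "cmdline": r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"},
    {"pid": 812, "ppid": 1212, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": '"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "'
                + SAMPLE_PATH + '"'},
    {"pid": 1792, "ppid": 812, "image": r"C:\Windows\SysWOW64\PING.EXE",
     "cmdline": "ping 127.0.0.1"},
    {"pid": 2000, "ppid": 1900, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c del /q C:\Build\old.log"},
]


if __name__ == "__main__":
    for hit in detect_self_delete(EVENTS):
        print(hit)
```

On the constructed events this yields one finding: cmd.exe PID 812 deleting the image of its parent PID 1212, with the delay flag set. The control command (PID 2000 deleting a log file) produces nothing because the deleted path is not an ancestor image. Matching on the ancestor relationship rather than on "ping & del" alone keeps the rule quiet on installers and build scripts that use the same cmd.exe idiom for their own temporary files.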
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (the report lists this dropped file three times, under this path and twice under \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe, with identical hashes)
  MD5: 34c29e5985859af8d7f14a2d40426476
  SHA1: 15072a41bfbd54e7fa154caf195fbc08c0b2edb9
  SHA256: 849a99453d2c5827dd7ddfe1f5013d871e2ab73aeccd3bd9dad1863ab208699f
  SHA512: a6415df038b5549110d4d007549c9774fa039de4c4c3270ba1ca56662a5bdd1c763171c7edc15f0f28cc7ba5716d52754c9b8c2117e51b316e77119530a57fda
memory/1212-54-0x0000000075AB1000-0x0000000075AB3000-memory.dmp
  Filesize: 8KB