Analysis

max time kernel: 144s
max time network: 152s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 10:36
Static task: static1

Behavioral task: behavioral1
Sample: 06bdb8d0027d7ca6ed907ae1fb276255afed5991b5c427181cd24075eca32396.exe
Resource: win7-en-20211208

Behavioral task: behavioral2
Sample: 06bdb8d0027d7ca6ed907ae1fb276255afed5991b5c427181cd24075eca32396.exe
Resource: win10v2004-en-20220113
General

Target: 06bdb8d0027d7ca6ed907ae1fb276255afed5991b5c427181cd24075eca32396.exe
Size: 89KB
MD5: 2a1588ddc7fc49512810c778c354316a
SHA1: dbf2d1e3a4f84b04b06afba4a1e610a746fd3be8
SHA256: 06bdb8d0027d7ca6ed907ae1fb276255afed5991b5c427181cd24075eca32396
SHA512: 5b940dd16f9889ec32bcde0e550e64c43af148f2e932447394009cf0435e9193f62dc69514b770ac249425fa9350880d1f4978978866d2b1beee49901abba50d
Malware Config
Signatures

Sakula Payload (2 IoCs)
Processes:
resource | yara_rule
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula

Executes dropped EXE (1 IoC)
Processes:
pid | process
1684 | MediaCenter.exe

Deletes itself (1 IoC)
Processes:
pid | process
1244 | cmd.exe

Loads dropped DLL (1 IoC)
Processes:
pid | process
1212 | 06bdb8d0027d7ca6ed907ae1fb276255afed5991b5c427181cd24075eca32396.exe

Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 06bdb8d0027d7ca6ed907ae1fb276255afed5991b5c427181cd24075eca32396.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTP, 1 IoC)

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
description | pid | process
Token: SeIncBasePriorityPrivilege | 1212 | 06bdb8d0027d7ca6ed907ae1fb276255afed5991b5c427181cd24075eca32396.exe

Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
description | pid | process | target process
PID 1212 wrote to memory of 1684 | 1212 | 06bdb8d0027d7ca6ed907ae1fb276255afed5991b5c427181cd24075eca32396.exe | MediaCenter.exe
PID 1212 wrote to memory of 1684 | 1212 | 06bdb8d0027d7ca6ed907ae1fb276255afed5991b5c427181cd24075eca32396.exe | MediaCenter.exe
PID 1212 wrote to memory of 1684 | 1212 | 06bdb8d0027d7ca6ed907ae1fb276255afed5991b5c427181cd24075eca32396.exe | MediaCenter.exe
PID 1212 wrote to memory of 1684 | 1212 | 06bdb8d0027d7ca6ed907ae1fb276255afed5991b5c427181cd24075eca32396.exe | MediaCenter.exe
PID 1212 wrote to memory of 1244 | 1212 | 06bdb8d0027d7ca6ed907ae1fb276255afed5991b5c427181cd24075eca32396.exe | cmd.exe
PID 1212 wrote to memory of 1244 | 1212 | 06bdb8d0027d7ca6ed907ae1fb276255afed5991b5c427181cd24075eca32396.exe | cmd.exe
PID 1212 wrote to memory of 1244 | 1212 | 06bdb8d0027d7ca6ed907ae1fb276255afed5991b5c427181cd24075eca32396.exe | cmd.exe
PID 1212 wrote to memory of 1244 | 1212 | 06bdb8d0027d7ca6ed907ae1fb276255afed5991b5c427181cd24075eca32396.exe | cmd.exe
PID 1244 wrote to memory of 1996 | 1244 | cmd.exe | PING.EXE
PID 1244 wrote to memory of 1996 | 1244 | cmd.exe | PING.EXE
PID 1244 wrote to memory of 1996 | 1244 | cmd.exe | PING.EXE
PID 1244 wrote to memory of 1996 | 1244 | cmd.exe | PING.EXE
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\06bdb8d0027d7ca6ed907ae1fb276255afed5991b5c427181cd24075eca32396.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\06bdb8d0027d7ca6ed907ae1fb276255afed5991b5c427181cd24075eca32396.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1212

  Level 2: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1684

  Level 2: C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\06bdb8d0027d7ca6ed907ae1fb276255afed5991b5c427181cd24075eca32396.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1244

    Level 3: C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1996
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5: f56195739191cbe9d5e476b34628ff48
SHA1: 7b39eefe79dc2f4b7e4722aa62df481453b163c1
SHA256: b884f1ae7a1ec1ed6525358f3deb07a32af79322186de74c5cb50c8e41c3bab9
SHA512: dd6fe99c57196cbca47b8432138351d6048178830a0b265c461b0390b5c82e913f5335078b86204b1edc93fa4ae896e2887a15f890c5781867d599e721de9b1f

\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5: f56195739191cbe9d5e476b34628ff48
SHA1: 7b39eefe79dc2f4b7e4722aa62df481453b163c1
SHA256: b884f1ae7a1ec1ed6525358f3deb07a32af79322186de74c5cb50c8e41c3bab9
SHA512: dd6fe99c57196cbca47b8432138351d6048178830a0b265c461b0390b5c82e913f5335078b86204b1edc93fa4ae896e2887a15f890c5781867d599e721de9b1f

memory/1212-54-0x0000000075891000-0x0000000075893000-memory.dmp
Filesize: 8KB