Analysis
- max time kernel: 156s
- max time network: 171s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 10:43
Static task: static1
Behavioral task: behavioral1
- Sample: 0648b67b0b609aa59833ecb7782c6deea369ca9308b187ec10dcee090a082682.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 0648b67b0b609aa59833ecb7782c6deea369ca9308b187ec10dcee090a082682.exe
- Resource: win10v2004-en-20220113
General
- Target: 0648b67b0b609aa59833ecb7782c6deea369ca9308b187ec10dcee090a082682.exe
- Size: 152KB
- MD5: 1fa46620429d954ddb80dbe4cd6c40c6
- SHA1: 26eb440812d5cdc59b28bd1c3650fb855d79cbca
- SHA256: 0648b67b0b609aa59833ecb7782c6deea369ca9308b187ec10dcee090a082682
- SHA512: dad29c160d0643a31c21d008e59899fc56e1ce084fe267a049d945e3330432c800d4668a8349ef11253175183f8b8fed8c4e09596ff75f5d6ebc6e8695d51134
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  Processes:
    resource | yara_rule
    \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- Executes dropped EXE (1 IoC)
  Processes: MediaCenter.exe
    pid | process
    516 | MediaCenter.exe
- Deletes itself (1 IoC)
  Processes: cmd.exe
    pid | process
    1664 | cmd.exe
- Loads dropped DLL (1 IoC)
  Processes: 0648b67b0b609aa59833ecb7782c6deea369ca9308b187ec10dcee090a082682.exe
    pid | process
    956 | 0648b67b0b609aa59833ecb7782c6deea369ca9308b187ec10dcee090a082682.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: 0648b67b0b609aa59833ecb7782c6deea369ca9308b187ec10dcee090a082682.exe
    description | ioc | process
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 0648b67b0b609aa59833ecb7782c6deea369ca9308b187ec10dcee090a082682.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: 0648b67b0b609aa59833ecb7782c6deea369ca9308b187ec10dcee090a082682.exe
    description | pid | process
    Token: SeIncBasePriorityPrivilege | 956 | 0648b67b0b609aa59833ecb7782c6deea369ca9308b187ec10dcee090a082682.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes: 0648b67b0b609aa59833ecb7782c6deea369ca9308b187ec10dcee090a082682.exe, cmd.exe
    description | pid | process | target process
    PID 956 wrote to memory of 516 | 956 | 0648b67b0b609aa59833ecb7782c6deea369ca9308b187ec10dcee090a082682.exe | MediaCenter.exe
    PID 956 wrote to memory of 516 | 956 | 0648b67b0b609aa59833ecb7782c6deea369ca9308b187ec10dcee090a082682.exe | MediaCenter.exe
    PID 956 wrote to memory of 516 | 956 | 0648b67b0b609aa59833ecb7782c6deea369ca9308b187ec10dcee090a082682.exe | MediaCenter.exe
    PID 956 wrote to memory of 516 | 956 | 0648b67b0b609aa59833ecb7782c6deea369ca9308b187ec10dcee090a082682.exe | MediaCenter.exe
    PID 956 wrote to memory of 1664 | 956 | 0648b67b0b609aa59833ecb7782c6deea369ca9308b187ec10dcee090a082682.exe | cmd.exe
    PID 956 wrote to memory of 1664 | 956 | 0648b67b0b609aa59833ecb7782c6deea369ca9308b187ec10dcee090a082682.exe | cmd.exe
    PID 956 wrote to memory of 1664 | 956 | 0648b67b0b609aa59833ecb7782c6deea369ca9308b187ec10dcee090a082682.exe | cmd.exe
    PID 956 wrote to memory of 1664 | 956 | 0648b67b0b609aa59833ecb7782c6deea369ca9308b187ec10dcee090a082682.exe | cmd.exe
    PID 1664 wrote to memory of 1200 | 1664 | cmd.exe | PING.EXE
    PID 1664 wrote to memory of 1200 | 1664 | cmd.exe | PING.EXE
    PID 1664 wrote to memory of 1200 | 1664 | cmd.exe | PING.EXE
    PID 1664 wrote to memory of 1200 | 1664 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\0648b67b0b609aa59833ecb7782c6deea369ca9308b187ec10dcee090a082682.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0648b67b0b609aa59833ecb7782c6deea369ca9308b187ec10dcee090a082682.exe"
  Depth: 1, PID: 956
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Depth: 2, PID: 516
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0648b67b0b609aa59833ecb7782c6deea369ca9308b187ec10dcee090a082682.exe"
    Depth: 2, PID: 1664
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      Depth: 3, PID: 1200
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 8832b0d42f67a89be0997ae965e220b2
  SHA1: ecc9fa75aed9c9f5aa6ddb0ce7e92f54ba44d81f
  SHA256: 2f3d14fb9be6f3d64eb7dc06f5539048c9391850fe26e7eb67f51489e81a56c1
  SHA512: 2b369ae02047404862903d36642172962ab2290e085955b5631adcfa35aedabcf079fd4776c11d4fefd46d5ab9cab59a9f0ec2aeebbd9aae1a012e07196ae185
- \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 8832b0d42f67a89be0997ae965e220b2
  SHA1: ecc9fa75aed9c9f5aa6ddb0ce7e92f54ba44d81f
  SHA256: 2f3d14fb9be6f3d64eb7dc06f5539048c9391850fe26e7eb67f51489e81a56c1
  SHA512: 2b369ae02047404862903d36642172962ab2290e085955b5631adcfa35aedabcf079fd4776c11d4fefd46d5ab9cab59a9f0ec2aeebbd9aae1a012e07196ae185
- memory/956-54-0x0000000075AB1000-0x0000000075AB3000-memory.dmp
  Filesize: 8KB