Analysis
- max time kernel: 144s
- max time network: 160s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 10:43
Static task: static1
Behavioral task: behavioral1
  Sample: 0643f3bf97ea3496de7a9aa618d702a321501e9d82b5df2bb6f9a92d03ffdca4.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0643f3bf97ea3496de7a9aa618d702a321501e9d82b5df2bb6f9a92d03ffdca4.exe
  Resource: win10v2004-en-20220112
General
- Target: 0643f3bf97ea3496de7a9aa618d702a321501e9d82b5df2bb6f9a92d03ffdca4.exe
- Size: 216KB
- MD5: 67b816ea23e04f014d7f4b6afb0c9107
- SHA1: 531feb9b55592d797cd59fd19810195792c52c2f
- SHA256: 0643f3bf97ea3496de7a9aa618d702a321501e9d82b5df2bb6f9a92d03ffdca4
- SHA512: e41db54fee4b1c709dcb24192af22fc6f1dceed7ea3509372063c635e21516783df31d9540ca9d410d6f7d7700b245a226f0cfc8e75f30af6e5c7a4e6fb498f0
Malware Config
Signatures
- Sakula Payload 4 IoCs
  Processes (resource / yara_rule):
    \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  family_sakula
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  family_sakula
    behavioral1/memory/880-58-0x0000000000400000-0x0000000000420000-memory.dmp  family_sakula
    behavioral1/memory/1612-59-0x0000000000400000-0x0000000000420000-memory.dmp  family_sakula
- Executes dropped EXE 1 IoCs
  Processes (pid / process):
    1612  MediaCenter.exe
- Deletes itself 1 IoCs
  Processes (pid / process):
    1616  cmd.exe
- Loads dropped DLL 1 IoCs
  Processes (pid / process):
    880  0643f3bf97ea3496de7a9aa618d702a321501e9d82b5df2bb6f9a92d03ffdca4.exe
- Adds Run key to start application 2 TTPs 1 IoCs
  Processes (description / ioc / process):
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  0643f3bf97ea3496de7a9aa618d702a321501e9d82b5df2bb6f9a92d03ffdca4.exe
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe 1 TTPs 1 IoCs
- Suspicious use of AdjustPrivilegeToken 1 IoCs
  Processes (description / pid / process):
    Token: SeIncBasePriorityPrivilege  880  0643f3bf97ea3496de7a9aa618d702a321501e9d82b5df2bb6f9a92d03ffdca4.exe
- Suspicious use of WriteProcessMemory 12 IoCs
  Processes (description / pid / process / target process):
    PID 880 wrote to memory of 1612  880  0643f3bf97ea3496de7a9aa618d702a321501e9d82b5df2bb6f9a92d03ffdca4.exe  MediaCenter.exe
    PID 880 wrote to memory of 1612  880  0643f3bf97ea3496de7a9aa618d702a321501e9d82b5df2bb6f9a92d03ffdca4.exe  MediaCenter.exe
    PID 880 wrote to memory of 1612  880  0643f3bf97ea3496de7a9aa618d702a321501e9d82b5df2bb6f9a92d03ffdca4.exe  MediaCenter.exe
    PID 880 wrote to memory of 1612  880  0643f3bf97ea3496de7a9aa618d702a321501e9d82b5df2bb6f9a92d03ffdca4.exe  MediaCenter.exe
    PID 880 wrote to memory of 1616  880  0643f3bf97ea3496de7a9aa618d702a321501e9d82b5df2bb6f9a92d03ffdca4.exe  cmd.exe
    PID 880 wrote to memory of 1616  880  0643f3bf97ea3496de7a9aa618d702a321501e9d82b5df2bb6f9a92d03ffdca4.exe  cmd.exe
    PID 880 wrote to memory of 1616  880  0643f3bf97ea3496de7a9aa618d702a321501e9d82b5df2bb6f9a92d03ffdca4.exe  cmd.exe
    PID 880 wrote to memory of 1616  880  0643f3bf97ea3496de7a9aa618d702a321501e9d82b5df2bb6f9a92d03ffdca4.exe  cmd.exe
    PID 1616 wrote to memory of 1072  1616  cmd.exe  PING.EXE
    PID 1616 wrote to memory of 1072  1616  cmd.exe  PING.EXE
    PID 1616 wrote to memory of 1072  1616  cmd.exe  PING.EXE
    PID 1616 wrote to memory of 1072  1616  cmd.exe  PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\0643f3bf97ea3496de7a9aa618d702a321501e9d82b5df2bb6f9a92d03ffdca4.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0643f3bf97ea3496de7a9aa618d702a321501e9d82b5df2bb6f9a92d03ffdca4.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 880
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1612
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0643f3bf97ea3496de7a9aa618d702a321501e9d82b5df2bb6f9a92d03ffdca4.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1616
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1072
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 7f8112cc700698112ff0d08619f80fc9
  SHA1: 96573d5bea99e8f6194e0323dd875bc4359c20a8
  SHA256: 1e2a45dea14d724a16e4b727d2c52d988e56aa0aae047c2d91c2db7da43c9703
  SHA512: e67a9e72106cbe43b1f0d49e516e2c9a32fc1c74055820beccbea25e00cb4d35866cd5afc4ec487ac2b3e6c2ad1a7b0234916f9e93a5e419277946c766e1252c
- \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 7f8112cc700698112ff0d08619f80fc9
  SHA1: 96573d5bea99e8f6194e0323dd875bc4359c20a8
  SHA256: 1e2a45dea14d724a16e4b727d2c52d988e56aa0aae047c2d91c2db7da43c9703
  SHA512: e67a9e72106cbe43b1f0d49e516e2c9a32fc1c74055820beccbea25e00cb4d35866cd5afc4ec487ac2b3e6c2ad1a7b0234916f9e93a5e419277946c766e1252c
- memory/880-54-0x0000000075B11000-0x0000000075B13000-memory.dmp
  Filesize: 8KB
- memory/880-58-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB
- memory/1612-59-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB