Analysis
- max time kernel: 134s
- max time network: 146s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 10:44
Static task: static1
Behavioral task: behavioral1
  Sample: 0638553617c7dcfe21f3e4f4cebf5dad08fa5c23847ad3a72c40d260fbbe1e26.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0638553617c7dcfe21f3e4f4cebf5dad08fa5c23847ad3a72c40d260fbbe1e26.exe
  Resource: win10v2004-en-20220112
General
- Target: 0638553617c7dcfe21f3e4f4cebf5dad08fa5c23847ad3a72c40d260fbbe1e26.exe
- Size: 216KB
- MD5: 0255235f956389bfe52a1234c4fe873a
- SHA1: c2d76e4c77748738884d3cb619a71c3598fd4ac3
- SHA256: 0638553617c7dcfe21f3e4f4cebf5dad08fa5c23847ad3a72c40d260fbbe1e26
- SHA512: a1e900ae3d7bd6f0763623924d078ccd9cee1d64519d25dd86b9e86895a45f2164eb9c58ac469c8cf371dba096effd8b8bc4bc892e6358192f6f61bed075dc9b
Malware Config
Signatures
- Sakula Payload (4 IoCs)
  Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  behavioral1/memory/1448-58-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
  behavioral1/memory/1204-59-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
- Executes dropped EXE (1 IoC)
  Processes:
  pid | process
  1204 | MediaCenter.exe
- Deletes itself (1 IoC)
  Processes:
  pid | process
  1804 | cmd.exe
- Loads dropped DLL (1 IoC)
  Processes:
  pid | process
  1448 | 0638553617c7dcfe21f3e4f4cebf5dad08fa5c23847ad3a72c40d260fbbe1e26.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 0638553617c7dcfe21f3e4f4cebf5dad08fa5c23847ad3a72c40d260fbbe1e26.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 1448 | 0638553617c7dcfe21f3e4f4cebf5dad08fa5c23847ad3a72c40d260fbbe1e26.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
  description | pid | process | target process
  PID 1448 wrote to memory of 1204 | 1448 | 0638553617c7dcfe21f3e4f4cebf5dad08fa5c23847ad3a72c40d260fbbe1e26.exe | MediaCenter.exe
  PID 1448 wrote to memory of 1204 | 1448 | 0638553617c7dcfe21f3e4f4cebf5dad08fa5c23847ad3a72c40d260fbbe1e26.exe | MediaCenter.exe
  PID 1448 wrote to memory of 1204 | 1448 | 0638553617c7dcfe21f3e4f4cebf5dad08fa5c23847ad3a72c40d260fbbe1e26.exe | MediaCenter.exe
  PID 1448 wrote to memory of 1204 | 1448 | 0638553617c7dcfe21f3e4f4cebf5dad08fa5c23847ad3a72c40d260fbbe1e26.exe | MediaCenter.exe
  PID 1448 wrote to memory of 1804 | 1448 | 0638553617c7dcfe21f3e4f4cebf5dad08fa5c23847ad3a72c40d260fbbe1e26.exe | cmd.exe
  PID 1448 wrote to memory of 1804 | 1448 | 0638553617c7dcfe21f3e4f4cebf5dad08fa5c23847ad3a72c40d260fbbe1e26.exe | cmd.exe
  PID 1448 wrote to memory of 1804 | 1448 | 0638553617c7dcfe21f3e4f4cebf5dad08fa5c23847ad3a72c40d260fbbe1e26.exe | cmd.exe
  PID 1448 wrote to memory of 1804 | 1448 | 0638553617c7dcfe21f3e4f4cebf5dad08fa5c23847ad3a72c40d260fbbe1e26.exe | cmd.exe
  PID 1804 wrote to memory of 452 | 1804 | cmd.exe | PING.EXE
  PID 1804 wrote to memory of 452 | 1804 | cmd.exe | PING.EXE
  PID 1804 wrote to memory of 452 | 1804 | cmd.exe | PING.EXE
  PID 1804 wrote to memory of 452 | 1804 | cmd.exe | PING.EXE
Processes
- Path: C:\Users\Admin\AppData\Local\Temp\0638553617c7dcfe21f3e4f4cebf5dad08fa5c23847ad3a72c40d260fbbe1e26.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0638553617c7dcfe21f3e4f4cebf5dad08fa5c23847ad3a72c40d260fbbe1e26.exe"
  PID: 1448
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Path: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 1204
    - Executes dropped EXE
  - Path: C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0638553617c7dcfe21f3e4f4cebf5dad08fa5c23847ad3a72c40d260fbbe1e26.exe"
    PID: 1804
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - Path: C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 452
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: ba11d7fbcb2807611a21695343a2c21d
  SHA1: ed1317cda23b020d2b38234621c6b987bc61e5dc
  SHA256: 77a3c6ceefe69abe29d2b829b12f0f55d209a3c1811c90094d61ff65194541f4
  SHA512: 3c0c39696ba9faa4819f8eb82584fbaa7bbc9585d3124df64d0f0f16906109debe7a7ba67533841accb30d33655e6d6989f57fcb6b4adb9c46a95192e8f02639
- \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: ba11d7fbcb2807611a21695343a2c21d
  SHA1: ed1317cda23b020d2b38234621c6b987bc61e5dc
  SHA256: 77a3c6ceefe69abe29d2b829b12f0f55d209a3c1811c90094d61ff65194541f4
  SHA512: 3c0c39696ba9faa4819f8eb82584fbaa7bbc9585d3124df64d0f0f16906109debe7a7ba67533841accb30d33655e6d6989f57fcb6b4adb9c46a95192e8f02639
- memory/1204-59-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB
- memory/1448-54-0x0000000075CE1000-0x0000000075CE3000-memory.dmp
  Filesize: 8KB
- memory/1448-58-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB