Analysis
max time kernel: 119s
max time network: 135s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 10:47
Static task: static1
Behavioral task: behavioral1
  Sample: 062114e6ac851f45b277f0f6b6981335b2e73490d48b3e4c1137dbbb9a2a2b93.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 062114e6ac851f45b277f0f6b6981335b2e73490d48b3e4c1137dbbb9a2a2b93.exe
  Resource: win10v2004-en-20220112
General
Target: 062114e6ac851f45b277f0f6b6981335b2e73490d48b3e4c1137dbbb9a2a2b93.exe
Size: 192KB
MD5: 88ffe508793e8d4fc06e5b44260b4089
SHA1: 5c51e3f0cbf684076b8a8b0f130c304f09db2bef
SHA256: 062114e6ac851f45b277f0f6b6981335b2e73490d48b3e4c1137dbbb9a2a2b93
SHA512: 8b108bee07828b344ce4d69c2d9c6dcf9c8fe21db8ce6f5cb7276b9efd0e64de8e75b07268f7bb18a749e3b5ef9395f8672ff3a8fd0b36c01cad7396da2a3dd0
Malware Config
Signatures
- Sakula Payload (3 IoCs)
  resource -> yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe -> family_sakula
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe -> family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe -> family_sakula
- Executes dropped EXE (1 IoC)
  pid 1848, process MediaCenter.exe
- Deletes itself (1 IoC)
  pid 2016, process cmd.exe
- Loads dropped DLL (2 IoCs)
  pid 832, process 062114e6ac851f45b277f0f6b6981335b2e73490d48b3e4c1137dbbb9a2a2b93.exe
  pid 832, process 062114e6ac851f45b277f0f6b6981335b2e73490d48b3e4c1137dbbb9a2a2b93.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  process: 062114e6ac851f45b277f0f6b6981335b2e73490d48b3e4c1137dbbb9a2a2b93.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description: Token: SeIncBasePriorityPrivilege
  pid 832, process 062114e6ac851f45b277f0f6b6981335b2e73490d48b3e4c1137dbbb9a2a2b93.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  description | pid | process | target process
  PID 832 wrote to memory of 1848 | 832 | 062114e6ac851f45b277f0f6b6981335b2e73490d48b3e4c1137dbbb9a2a2b93.exe | MediaCenter.exe
  PID 832 wrote to memory of 1848 | 832 | 062114e6ac851f45b277f0f6b6981335b2e73490d48b3e4c1137dbbb9a2a2b93.exe | MediaCenter.exe
  PID 832 wrote to memory of 1848 | 832 | 062114e6ac851f45b277f0f6b6981335b2e73490d48b3e4c1137dbbb9a2a2b93.exe | MediaCenter.exe
  PID 832 wrote to memory of 1848 | 832 | 062114e6ac851f45b277f0f6b6981335b2e73490d48b3e4c1137dbbb9a2a2b93.exe | MediaCenter.exe
  PID 832 wrote to memory of 2016 | 832 | 062114e6ac851f45b277f0f6b6981335b2e73490d48b3e4c1137dbbb9a2a2b93.exe | cmd.exe
  PID 832 wrote to memory of 2016 | 832 | 062114e6ac851f45b277f0f6b6981335b2e73490d48b3e4c1137dbbb9a2a2b93.exe | cmd.exe
  PID 832 wrote to memory of 2016 | 832 | 062114e6ac851f45b277f0f6b6981335b2e73490d48b3e4c1137dbbb9a2a2b93.exe | cmd.exe
  PID 832 wrote to memory of 2016 | 832 | 062114e6ac851f45b277f0f6b6981335b2e73490d48b3e4c1137dbbb9a2a2b93.exe | cmd.exe
  PID 2016 wrote to memory of 1968 | 2016 | cmd.exe | PING.EXE
  PID 2016 wrote to memory of 1968 | 2016 | cmd.exe | PING.EXE
  PID 2016 wrote to memory of 1968 | 2016 | cmd.exe | PING.EXE
  PID 2016 wrote to memory of 1968 | 2016 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\062114e6ac851f45b277f0f6b6981335b2e73490d48b3e4c1137dbbb9a2a2b93.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\062114e6ac851f45b277f0f6b6981335b2e73490d48b3e4c1137dbbb9a2a2b93.exe"
  PID: 832
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 1848
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\062114e6ac851f45b277f0f6b6981335b2e73490d48b3e4c1137dbbb9a2a2b93.exe"
    PID: 2016
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 1968
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: a98df60680f377f64199ff7b1d5d53c7
  SHA1: 2745f5e545eef0a9440fcefaadd0e760fb12c2de
  SHA256: fa9c6fe5ab04d89616bddbf52dd3ac012b52189a967db53d16859eccfc8b0726
  SHA512: 5e431cb090c9c71d3da6f5d01ce35c526559e21baed227a9c7e761f0fbf21902cb5334bf101dd8bd576f043aa54e60f43642a2c0fb489b11cb4f09e001d326f9
- \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: a98df60680f377f64199ff7b1d5d53c7
  SHA1: 2745f5e545eef0a9440fcefaadd0e760fb12c2de
  SHA256: fa9c6fe5ab04d89616bddbf52dd3ac012b52189a967db53d16859eccfc8b0726
  SHA512: 5e431cb090c9c71d3da6f5d01ce35c526559e21baed227a9c7e761f0fbf21902cb5334bf101dd8bd576f043aa54e60f43642a2c0fb489b11cb4f09e001d326f9
- memory/832-54-0x0000000075891000-0x0000000075893000-memory.dmp
  Filesize: 8KB