Analysis
- max time kernel: 123s
- max time network: 137s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 10:49
Static task: static1
Behavioral task: behavioral1
- Sample: 060be812b970b16c9f0a60fd6090055abbc00f4e3279aaeb806e337652c568f2.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 060be812b970b16c9f0a60fd6090055abbc00f4e3279aaeb806e337652c568f2.exe
- Resource: win10v2004-en-20220113
General
- Target: 060be812b970b16c9f0a60fd6090055abbc00f4e3279aaeb806e337652c568f2.exe
- Size: 80KB
- MD5: 86f36cd392a8c5ec211750c14a1c01f5
- SHA1: dc3c94eb8d49a4fff0490730ba1fa3985b64cf45
- SHA256: 060be812b970b16c9f0a60fd6090055abbc00f4e3279aaeb806e337652c568f2
- SHA512: 919c0bedce3a47cbdc659c958e2414a1deed690b35c86c91b342e694c4340ef707ddb8c9785a869135d2dc716d0705288b818eb299a76d6185687fc3a967003e
Malware Config
Signatures
- Sakula Payload (3 IoCs)
  Processes (resource | yara_rule):
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- Executes dropped EXE (1 IoCs)
  Processes (pid | process):
  656 | MediaCenter.exe
- Deletes itself (1 IoCs)
  Processes (pid | process):
  764 | cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid | process):
  1500 | 060be812b970b16c9f0a60fd6090055abbc00f4e3279aaeb806e337652c568f2.exe
  1500 | 060be812b970b16c9f0a60fd6090055abbc00f4e3279aaeb806e337652c568f2.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes (description | ioc | process):
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 060be812b970b16c9f0a60fd6090055abbc00f4e3279aaeb806e337652c568f2.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes (description | pid | process):
  Token: SeIncBasePriorityPrivilege | 1500 | 060be812b970b16c9f0a60fd6090055abbc00f4e3279aaeb806e337652c568f2.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description | pid | process | target process):
  PID 1500 wrote to memory of 656 | 1500 | 060be812b970b16c9f0a60fd6090055abbc00f4e3279aaeb806e337652c568f2.exe | MediaCenter.exe
  PID 1500 wrote to memory of 656 | 1500 | 060be812b970b16c9f0a60fd6090055abbc00f4e3279aaeb806e337652c568f2.exe | MediaCenter.exe
  PID 1500 wrote to memory of 656 | 1500 | 060be812b970b16c9f0a60fd6090055abbc00f4e3279aaeb806e337652c568f2.exe | MediaCenter.exe
  PID 1500 wrote to memory of 656 | 1500 | 060be812b970b16c9f0a60fd6090055abbc00f4e3279aaeb806e337652c568f2.exe | MediaCenter.exe
  PID 1500 wrote to memory of 764 | 1500 | 060be812b970b16c9f0a60fd6090055abbc00f4e3279aaeb806e337652c568f2.exe | cmd.exe
  PID 1500 wrote to memory of 764 | 1500 | 060be812b970b16c9f0a60fd6090055abbc00f4e3279aaeb806e337652c568f2.exe | cmd.exe
  PID 1500 wrote to memory of 764 | 1500 | 060be812b970b16c9f0a60fd6090055abbc00f4e3279aaeb806e337652c568f2.exe | cmd.exe
  PID 1500 wrote to memory of 764 | 1500 | 060be812b970b16c9f0a60fd6090055abbc00f4e3279aaeb806e337652c568f2.exe | cmd.exe
  PID 764 wrote to memory of 1596 | 764 | cmd.exe | PING.EXE
  PID 764 wrote to memory of 1596 | 764 | cmd.exe | PING.EXE
  PID 764 wrote to memory of 1596 | 764 | cmd.exe | PING.EXE
  PID 764 wrote to memory of 1596 | 764 | cmd.exe | PING.EXE
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\060be812b970b16c9f0a60fd6090055abbc00f4e3279aaeb806e337652c568f2.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\060be812b970b16c9f0a60fd6090055abbc00f4e3279aaeb806e337652c568f2.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1500
  - [2] C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 656
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\060be812b970b16c9f0a60fd6090055abbc00f4e3279aaeb806e337652c568f2.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 764
    - [3] C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1596
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 4c8ffc72b3b828619e0a5863ed08027b
  SHA1: dede23bce25babe6039d3efcf63640ff5898c4e5
  SHA256: 361140f48430e5120b0467d9349b49253ef00fc93eb15bd541535052a0501152
  SHA512: 58a551b44387f830d01eb4d18378ed9e44d1191baab1fdd3778ab5e70885c057cf9debc4c843b1494aeca74f9503687559f1739100a18ccbe7442830d5529603
- \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 4c8ffc72b3b828619e0a5863ed08027b
  SHA1: dede23bce25babe6039d3efcf63640ff5898c4e5
  SHA256: 361140f48430e5120b0467d9349b49253ef00fc93eb15bd541535052a0501152
  SHA512: 58a551b44387f830d01eb4d18378ed9e44d1191baab1fdd3778ab5e70885c057cf9debc4c843b1494aeca74f9503687559f1739100a18ccbe7442830d5529603
- memory/1500-54-0x0000000074F01000-0x0000000074F03000-memory.dmp
  Filesize: 8KB