Analysis
- max time kernel: 159s
- max time network: 179s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 12:01
Static task: static1
Behavioral task: behavioral1
- Sample: 02b6c469beb54da5b11b79eec986acc3b655a9ae707a6083f050d936aca616f6.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 02b6c469beb54da5b11b79eec986acc3b655a9ae707a6083f050d936aca616f6.exe
- Resource: win10v2004-en-20220112
General
- Target: 02b6c469beb54da5b11b79eec986acc3b655a9ae707a6083f050d936aca616f6.exe
- Size: 101KB
- MD5: d9357e182a74334b615526d2f6c43ee8
- SHA1: 9c25ae62bb48651eff70a58dab1ad4b8dc063c63
- SHA256: 02b6c469beb54da5b11b79eec986acc3b655a9ae707a6083f050d936aca616f6
- SHA512: f157ddb438a1e8eab764d8c0a80afd7c5262e3586c18780b7a0a007f1e48ad10c40f7978a8f259714b5d5eccbecf36e38cb118c578634e5fcc3f898233ccb96a
Malware Config
Signatures
- Sakula Payload (3 IoCs)
  Processes (resource / yara_rule):
  - \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe / family_sakula
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe / family_sakula
  - \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe / family_sakula
- Executes dropped EXE (1 IoC)
  Processes (pid / process):
  - 1668 / MediaCenter.exe
- Deletes itself (1 IoC)
  Processes (pid / process):
  - 1060 / cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid / process):
  - 1484 / 02b6c469beb54da5b11b79eec986acc3b655a9ae707a6083f050d936aca616f6.exe
  - 1484 / 02b6c469beb54da5b11b79eec986acc3b655a9ae707a6083f050d936aca616f6.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description / ioc / process):
  - Set value (str) / \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" / 02b6c469beb54da5b11b79eec986acc3b655a9ae707a6083f050d936aca616f6.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description / pid / process):
  - Token: SeIncBasePriorityPrivilege / 1484 / 02b6c469beb54da5b11b79eec986acc3b655a9ae707a6083f050d936aca616f6.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description / pid / process / target process), each entry logged 4 times:
  - PID 1484 wrote to memory of 1668 / 1484 / 02b6c469beb54da5b11b79eec986acc3b655a9ae707a6083f050d936aca616f6.exe / MediaCenter.exe
  - PID 1484 wrote to memory of 1060 / 1484 / 02b6c469beb54da5b11b79eec986acc3b655a9ae707a6083f050d936aca616f6.exe / cmd.exe
  - PID 1060 wrote to memory of 1488 / 1060 / cmd.exe / PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\02b6c469beb54da5b11b79eec986acc3b655a9ae707a6083f050d936aca616f6.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\02b6c469beb54da5b11b79eec986acc3b655a9ae707a6083f050d936aca616f6.exe"
  PID: 1484
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Children:
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 1668
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\02b6c469beb54da5b11b79eec986acc3b655a9ae707a6083f050d936aca616f6.exe"
    PID: 1060
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    Children:
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 1488
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 0f0b47ee966f18ffe5c03be457deaa1d
  SHA1: f86899dd8fac2aed0ac117ca775a63d0c388d8b9
  SHA256: 3090383f176bd5a32d053047385bf8784c3f3def4fdb1ee9ce131f3df168e61b
  SHA512: e27c3947594d1121c0c38fba5222d7ef26085163c5b13c3260fb154240cc7f84eff8ff59cb3254111770d7bd1655a3552d3ba027b6cf764a8ea4147fc7553179
- \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 0f0b47ee966f18ffe5c03be457deaa1d
  SHA1: f86899dd8fac2aed0ac117ca775a63d0c388d8b9
  SHA256: 3090383f176bd5a32d053047385bf8784c3f3def4fdb1ee9ce131f3df168e61b
  SHA512: e27c3947594d1121c0c38fba5222d7ef26085163c5b13c3260fb154240cc7f84eff8ff59cb3254111770d7bd1655a3552d3ba027b6cf764a8ea4147fc7553179
- memory/1484-55-0x0000000074B21000-0x0000000074B23000-memory.dmp
  Filesize: 8KB