Analysis
-
max time kernel
155s -
max time network
172s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
12-02-2022 12:01
Static task
static1
Behavioral task
behavioral1
Sample
02b9fbe0d78c55e16267e00629f4767621a2002e4b5df376713bee32a378e891.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
02b9fbe0d78c55e16267e00629f4767621a2002e4b5df376713bee32a378e891.exe
Resource
win10v2004-en-20220113
General
-
Target
02b9fbe0d78c55e16267e00629f4767621a2002e4b5df376713bee32a378e891.exe
-
Size
150KB
-
MD5
2a927eb565852a9750df62d1a0154e96
-
SHA1
55530ef0e3622ee62a4b60f6d1f3231f82a094cc
-
SHA256
02b9fbe0d78c55e16267e00629f4767621a2002e4b5df376713bee32a378e891
-
SHA512
d94f3e613923d6799afb7ef75b6e7311dd020e5d8b0517711de89c42bc6d0a3de6379c9230ff96ca9233a27787df99b3af8bdf5178edd70311ab85c309bb2533
Malware Config
Signatures
-
Sakula Payload 2 IoCs
Processes:
resource yara_rule \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula -
Executes dropped EXE 1 IoCs
Processes:
MediaCenter.exepid process 1528 MediaCenter.exe -
Deletes itself 1 IoCs
Processes:
cmd.exepid process 1652 cmd.exe -
Loads dropped DLL 1 IoCs
Processes:
02b9fbe0d78c55e16267e00629f4767621a2002e4b5df376713bee32a378e891.exepid process 1552 02b9fbe0d78c55e16267e00629f4767621a2002e4b5df376713bee32a378e891.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
02b9fbe0d78c55e16267e00629f4767621a2002e4b5df376713bee32a378e891.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" 02b9fbe0d78c55e16267e00629f4767621a2002e4b5df376713bee32a378e891.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
02b9fbe0d78c55e16267e00629f4767621a2002e4b5df376713bee32a378e891.exedescription pid process Token: SeIncBasePriorityPrivilege 1552 02b9fbe0d78c55e16267e00629f4767621a2002e4b5df376713bee32a378e891.exe -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
02b9fbe0d78c55e16267e00629f4767621a2002e4b5df376713bee32a378e891.execmd.exedescription pid process target process PID 1552 wrote to memory of 1528 1552 02b9fbe0d78c55e16267e00629f4767621a2002e4b5df376713bee32a378e891.exe MediaCenter.exe PID 1552 wrote to memory of 1528 1552 02b9fbe0d78c55e16267e00629f4767621a2002e4b5df376713bee32a378e891.exe MediaCenter.exe PID 1552 wrote to memory of 1528 1552 02b9fbe0d78c55e16267e00629f4767621a2002e4b5df376713bee32a378e891.exe MediaCenter.exe PID 1552 wrote to memory of 1528 1552 02b9fbe0d78c55e16267e00629f4767621a2002e4b5df376713bee32a378e891.exe MediaCenter.exe PID 1552 wrote to memory of 1652 1552 02b9fbe0d78c55e16267e00629f4767621a2002e4b5df376713bee32a378e891.exe cmd.exe PID 1552 wrote to memory of 1652 1552 02b9fbe0d78c55e16267e00629f4767621a2002e4b5df376713bee32a378e891.exe cmd.exe PID 1552 wrote to memory of 1652 1552 02b9fbe0d78c55e16267e00629f4767621a2002e4b5df376713bee32a378e891.exe cmd.exe PID 1552 wrote to memory of 1652 1552 02b9fbe0d78c55e16267e00629f4767621a2002e4b5df376713bee32a378e891.exe cmd.exe PID 1652 wrote to memory of 2024 1652 cmd.exe PING.EXE PID 1652 wrote to memory of 2024 1652 cmd.exe PING.EXE PID 1652 wrote to memory of 2024 1652 cmd.exe PING.EXE PID 1652 wrote to memory of 2024 1652 cmd.exe PING.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\02b9fbe0d78c55e16267e00629f4767621a2002e4b5df376713bee32a378e891.exe"C:\Users\Admin\AppData\Local\Temp\02b9fbe0d78c55e16267e00629f4767621a2002e4b5df376713bee32a378e891.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1552 -
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeC:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe2⤵
- Executes dropped EXE
PID:1528 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\02b9fbe0d78c55e16267e00629f4767621a2002e4b5df376713bee32a378e891.exe"2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1652 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.13⤵
- Runs ping.exe
PID:2024
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeMD5
e3e30680754bc8fc01e3cefd98578818
SHA172ab564108cfe700c52992dccb219b69542cf34a
SHA256aa27a9d0b52b484d0db3c32ca3b12ee53ed7c040fff3736e4171f0f2da762d3f
SHA512381dc0b1c253b228196ecd6b818d496f87ec19df91480178a33939bf6a61c94e8a19c09782fc6daa29d97846c6b6ce3e4f649b21a77b6a1c3458cd5b672cce7a
-
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeMD5
e3e30680754bc8fc01e3cefd98578818
SHA172ab564108cfe700c52992dccb219b69542cf34a
SHA256aa27a9d0b52b484d0db3c32ca3b12ee53ed7c040fff3736e4171f0f2da762d3f
SHA512381dc0b1c253b228196ecd6b818d496f87ec19df91480178a33939bf6a61c94e8a19c09782fc6daa29d97846c6b6ce3e4f649b21a77b6a1c3458cd5b672cce7a
-
memory/1552-55-0x0000000075B11000-0x0000000075B13000-memory.dmpFilesize
8KB