Analysis
- max time kernel: 124s
- max time network: 134s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 12:04
Static task: static1
Behavioral task: behavioral1
- Sample: 0286e7e74d7c0582c8598a1362b8ac28c405df15d13ba884aff1ee4ea9adbfc7.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 0286e7e74d7c0582c8598a1362b8ac28c405df15d13ba884aff1ee4ea9adbfc7.exe
- Resource: win10v2004-en-20220113
General
- Target: 0286e7e74d7c0582c8598a1362b8ac28c405df15d13ba884aff1ee4ea9adbfc7.exe
- Size: 176KB
- MD5: a51367d956722fc111b5ed10b25525b1
- SHA1: 19c08a35442046b8e8d5bb7d79d17715002a1455
- SHA256: 0286e7e74d7c0582c8598a1362b8ac28c405df15d13ba884aff1ee4ea9adbfc7
- SHA512: a8144c3d4f10a4257f86014134165ac075c6d9015507ad05636a538996f086fdcac251249697a5a057fdd51ef093cd187de69df8b219b5dfd94ff2b82ff36f99
Malware Config
Signatures
- Sakula Payload (4 IoCs)
  Processes (resource -> yara_rule):
  - \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe -> family_sakula
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe -> family_sakula
  - behavioral1/memory/1364-58-0x0000000000400000-0x0000000000420000-memory.dmp -> family_sakula
  - behavioral1/memory/588-59-0x0000000000400000-0x0000000000420000-memory.dmp -> family_sakula
- Executes dropped EXE (1 IoC)
  Processes (pid, process):
  - 588, MediaCenter.exe
- Deletes itself (1 IoC)
  Processes (pid, process):
  - 2008, cmd.exe
- Loads dropped DLL (1 IoC)
  Processes (pid, process):
  - 1364, 0286e7e74d7c0582c8598a1362b8ac28c405df15d13ba884aff1ee4ea9adbfc7.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description, ioc, process):
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" by 0286e7e74d7c0582c8598a1362b8ac28c405df15d13ba884aff1ee4ea9adbfc7.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description, pid, process):
  - Token: SeIncBasePriorityPrivilege, 1364, 0286e7e74d7c0582c8598a1362b8ac28c405df15d13ba884aff1ee4ea9adbfc7.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description, pid, process, target process); the report records each of the following three events four times:
  - PID 1364 wrote to memory of 588, 1364, 0286e7e74d7c0582c8598a1362b8ac28c405df15d13ba884aff1ee4ea9adbfc7.exe, MediaCenter.exe
  - PID 1364 wrote to memory of 2008, 1364, 0286e7e74d7c0582c8598a1362b8ac28c405df15d13ba884aff1ee4ea9adbfc7.exe, cmd.exe
  - PID 2008 wrote to memory of 1096, 2008, cmd.exe, PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\0286e7e74d7c0582c8598a1362b8ac28c405df15d13ba884aff1ee4ea9adbfc7.exe (PID 1364)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0286e7e74d7c0582c8598a1362b8ac28c405df15d13ba884aff1ee4ea9adbfc7.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 588, child of 1364)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 2008, child of 1364)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0286e7e74d7c0582c8598a1362b8ac28c405df15d13ba884aff1ee4ea9adbfc7.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 1096, child of 2008)
      Command line: ping 127.0.0.1
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 527c57d3946c1435cfe647854d944515
  SHA1: 7f9ff3836693c17cc00c62c9bd130ab2087ba81c
  SHA256: 605f7befe561b22ec6f1b856aa4297df9df8eeeaa77ba2c054d81d45558b7fd2
  SHA512: 13b8d69c79d2c713725f2a69fa27609d546f78f3ea262b1601cc15af0f9a9625de47f3aac8fb8ce31d1cd68544da14a32d2087cc2a0929f97f8e55cdf201355f
- \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 527c57d3946c1435cfe647854d944515
  SHA1: 7f9ff3836693c17cc00c62c9bd130ab2087ba81c
  SHA256: 605f7befe561b22ec6f1b856aa4297df9df8eeeaa77ba2c054d81d45558b7fd2
  SHA512: 13b8d69c79d2c713725f2a69fa27609d546f78f3ea262b1601cc15af0f9a9625de47f3aac8fb8ce31d1cd68544da14a32d2087cc2a0929f97f8e55cdf201355f
- memory/588-59-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB
- memory/1364-54-0x00000000766D1000-0x00000000766D3000-memory.dmp
  Filesize: 8KB
- memory/1364-58-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB