Analysis
- max time kernel: 139s
- max time network: 164s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 11:22
Static task: static1
Behavioral task: behavioral1
- Sample: 0488a15f7da4267e73fac962d8327aaf1959ec5cbd7cadb75f9930b4174e65ff.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 0488a15f7da4267e73fac962d8327aaf1959ec5cbd7cadb75f9930b4174e65ff.exe
- Resource: win10v2004-en-20220113
General
- Target: 0488a15f7da4267e73fac962d8327aaf1959ec5cbd7cadb75f9930b4174e65ff.exe
- Size: 192KB
- MD5: f0bebb4663d54d3a24f469bbf018422a
- SHA1: 0de4dc37df4b0fcab9690a41c646a12f9afc905f
- SHA256: 0488a15f7da4267e73fac962d8327aaf1959ec5cbd7cadb75f9930b4174e65ff
- SHA512: 68df606b4aa7fe01a32c3997d5af05ce3323df2c9ad6191948805892d672fd6b2c98055b66f7c1bfc310d6203af65b2c8217dabc378d05d992e845ce1336f7a4
Malware Config
Signatures
- Sakula Payload (3 IoCs)
  Processes (resource / yara_rule):
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  family_sakula
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  family_sakula
- Executes dropped EXE (1 IoC)
  Processes (pid / process):
  1636  MediaCenter.exe
- Deletes itself (1 IoC)
  Processes (pid / process):
  748  cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid / process):
  1648  0488a15f7da4267e73fac962d8327aaf1959ec5cbd7cadb75f9930b4174e65ff.exe
  1648  0488a15f7da4267e73fac962d8327aaf1959ec5cbd7cadb75f9930b4174e65ff.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description / ioc / process):
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  0488a15f7da4267e73fac962d8327aaf1959ec5cbd7cadb75f9930b4174e65ff.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description / pid / process):
  Token: SeIncBasePriorityPrivilege  1648  0488a15f7da4267e73fac962d8327aaf1959ec5cbd7cadb75f9930b4174e65ff.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description / pid / process / target process):
  PID 1648 wrote to memory of 1636  1648  0488a15f7da4267e73fac962d8327aaf1959ec5cbd7cadb75f9930b4174e65ff.exe  MediaCenter.exe  (4 identical entries)
  PID 1648 wrote to memory of 748  1648  0488a15f7da4267e73fac962d8327aaf1959ec5cbd7cadb75f9930b4174e65ff.exe  cmd.exe  (4 identical entries)
  PID 748 wrote to memory of 1480  748  cmd.exe  PING.EXE  (4 identical entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\0488a15f7da4267e73fac962d8327aaf1959ec5cbd7cadb75f9930b4174e65ff.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\0488a15f7da4267e73fac962d8327aaf1959ec5cbd7cadb75f9930b4174e65ff.exe"
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   PID: 1648
   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE
      PID: 1636
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0488a15f7da4267e73fac962d8327aaf1959ec5cbd7cadb75f9930b4174e65ff.exe"
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      PID: 748
      3. C:\Windows\SysWOW64\PING.EXE
         Command line: ping 127.0.0.1
         - Runs ping.exe
         PID: 1480
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: f4280e12564f97688bc755dc6dd0eb59
  SHA1: 3345af4d487b81bb6bf57e03c1be767f7ceb3a1c
  SHA256: f1d82d4dafc3c9a8fb09109b10d08eb0d305fd7143c6d9a861d2310745147824
  SHA512: fe4022609f23b5444a2598729e9b9d5887e8391ecb8a6fb85a4522a298f4ea1825703dc7dde00060534934a40b0df190b60a958ea76d87c3cf4b0cda2640ac3a
- \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: f4280e12564f97688bc755dc6dd0eb59
  SHA1: 3345af4d487b81bb6bf57e03c1be767f7ceb3a1c
  SHA256: f1d82d4dafc3c9a8fb09109b10d08eb0d305fd7143c6d9a861d2310745147824
  SHA512: fe4022609f23b5444a2598729e9b9d5887e8391ecb8a6fb85a4522a298f4ea1825703dc7dde00060534934a40b0df190b60a958ea76d87c3cf4b0cda2640ac3a
- memory/1648-55-0x0000000075021000-0x0000000075023000-memory.dmp
  Filesize: 8KB