Analysis
Max time kernel: 149s
Max time network: 166s
Platform: windows7_x64
Resource: win7-en-20211208
Submitted: 12-02-2022 11:23
Static task: static1
Behavioral task: behavioral1
  Sample: 0481f34f7667cb4af4d586aca643aa1a4dcd3166c336141d1bb2e498c4df61ed.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0481f34f7667cb4af4d586aca643aa1a4dcd3166c336141d1bb2e498c4df61ed.exe
  Resource: win10v2004-en-20220113
General
Target: 0481f34f7667cb4af4d586aca643aa1a4dcd3166c336141d1bb2e498c4df61ed.exe
Size: 216KB
MD5: 34f659c8058e53f21f8081f0e3b9f250
SHA1: d860be813183971f7710455a40a7544501974705
SHA256: 0481f34f7667cb4af4d586aca643aa1a4dcd3166c336141d1bb2e498c4df61ed
SHA512: 2dddb891b6845295570ec80922b2139d8dd5dc1035005898182e10eeb412aef2944404aac956e13bbaf4c6e58ef515b39592a131153248a1234ae070efde32ca
Malware Config
Signatures

Sakula Payload (4 IoCs)
Processes (resource / yara_rule):
- \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe / family_sakula
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe / family_sakula
- behavioral1/memory/1680-58-0x0000000000400000-0x0000000000420000-memory.dmp / family_sakula
- behavioral1/memory/1364-59-0x0000000000400000-0x0000000000420000-memory.dmp / family_sakula

Executes dropped EXE (1 IoC)
Processes (pid / process):
- 1364 / MediaCenter.exe

Deletes itself (1 IoC)
Processes (pid / process):
- 2008 / cmd.exe

Loads dropped DLL (1 IoC)
Processes (pid / process):
- 1680 / 0481f34f7667cb4af4d586aca643aa1a4dcd3166c336141d1bb2e498c4df61ed.exe

Adds Run key to start application (2 TTPs, 1 IoC)
Processes (description / ioc / process):
- Set value (str) / \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" / 0481f34f7667cb4af4d586aca643aa1a4dcd3166c336141d1bb2e498c4df61ed.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTP, 1 IoC)

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes (description / pid / process):
- Token: SeIncBasePriorityPrivilege / 1680 / 0481f34f7667cb4af4d586aca643aa1a4dcd3166c336141d1bb2e498c4df61ed.exe

Suspicious use of WriteProcessMemory (12 IoCs)
Processes (description / pid / process / target process):
- PID 1680 wrote to memory of 1364 / 1680 / 0481f34f7667cb4af4d586aca643aa1a4dcd3166c336141d1bb2e498c4df61ed.exe / MediaCenter.exe
- PID 1680 wrote to memory of 1364 / 1680 / 0481f34f7667cb4af4d586aca643aa1a4dcd3166c336141d1bb2e498c4df61ed.exe / MediaCenter.exe
- PID 1680 wrote to memory of 1364 / 1680 / 0481f34f7667cb4af4d586aca643aa1a4dcd3166c336141d1bb2e498c4df61ed.exe / MediaCenter.exe
- PID 1680 wrote to memory of 1364 / 1680 / 0481f34f7667cb4af4d586aca643aa1a4dcd3166c336141d1bb2e498c4df61ed.exe / MediaCenter.exe
- PID 1680 wrote to memory of 2008 / 1680 / 0481f34f7667cb4af4d586aca643aa1a4dcd3166c336141d1bb2e498c4df61ed.exe / cmd.exe
- PID 1680 wrote to memory of 2008 / 1680 / 0481f34f7667cb4af4d586aca643aa1a4dcd3166c336141d1bb2e498c4df61ed.exe / cmd.exe
- PID 1680 wrote to memory of 2008 / 1680 / 0481f34f7667cb4af4d586aca643aa1a4dcd3166c336141d1bb2e498c4df61ed.exe / cmd.exe
- PID 1680 wrote to memory of 2008 / 1680 / 0481f34f7667cb4af4d586aca643aa1a4dcd3166c336141d1bb2e498c4df61ed.exe / cmd.exe
- PID 2008 wrote to memory of 1096 / 2008 / cmd.exe / PING.EXE
- PID 2008 wrote to memory of 1096 / 2008 / cmd.exe / PING.EXE
- PID 2008 wrote to memory of 1096 / 2008 / cmd.exe / PING.EXE
- PID 2008 wrote to memory of 1096 / 2008 / cmd.exe / PING.EXE
Processes

C:\Users\Admin\AppData\Local\Temp\0481f34f7667cb4af4d586aca643aa1a4dcd3166c336141d1bb2e498c4df61ed.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0481f34f7667cb4af4d586aca643aa1a4dcd3166c336141d1bb2e498c4df61ed.exe"
  PID: 1680
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 1364
    - Executes dropped EXE

  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0481f34f7667cb4af4d586aca643aa1a4dcd3166c336141d1bb2e498c4df61ed.exe"
    PID: 2008
    - Deletes itself
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 1096
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 2bbeb7b8330aa52ee36a1df7f3b63803
  SHA1: 88e3f905379e8b55664de29e76e0941e2bf809d2
  SHA256: ec6e54ad295148d5349685e2ec22ab37c1b1afe6334b6b8d7523dcccbabe86a7
  SHA512: 7a89a59a4dad01bb66c5b8e50c894bc85133ea6efbb121a7e90c9644522b462f8a836e3d0625a2df4ad150c4247e25488803238a43c0438606d75c9610ba5352

\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 2bbeb7b8330aa52ee36a1df7f3b63803
  SHA1: 88e3f905379e8b55664de29e76e0941e2bf809d2
  SHA256: ec6e54ad295148d5349685e2ec22ab37c1b1afe6334b6b8d7523dcccbabe86a7
  SHA512: 7a89a59a4dad01bb66c5b8e50c894bc85133ea6efbb121a7e90c9644522b462f8a836e3d0625a2df4ad150c4247e25488803238a43c0438606d75c9610ba5352

memory/1364-59-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB

memory/1680-54-0x00000000766D1000-0x00000000766D3000-memory.dmp
  Filesize: 8KB

memory/1680-58-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB