Analysis
- max time kernel: 145s
- max time network: 160s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 12:07
Static task: static1
Behavioral task: behavioral1
  Sample: 0273ba88e2a095b47a1d6ad432e24414860347a209f4ff3a50d74e80f83eb425.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0273ba88e2a095b47a1d6ad432e24414860347a209f4ff3a50d74e80f83eb425.exe
  Resource: win10v2004-en-20220113
General
- Target: 0273ba88e2a095b47a1d6ad432e24414860347a209f4ff3a50d74e80f83eb425.exe
- Size: 216KB
- MD5: f8f0560a499459d9c92605a08e8ec6a9
- SHA1: 7e11931757735d1b6e352c32efc8c5b5f32d3e61
- SHA256: 0273ba88e2a095b47a1d6ad432e24414860347a209f4ff3a50d74e80f83eb425
- SHA512: 9b2cf92121de613ed7d13a72ffc6a2e262ba7e52460e98758b9a73a99d4efb005b209f6b9b31a16d539b96c5ae3ae4a6c3c89dfccebc96aa9e79a29df9f65e8f
Malware Config
Signatures
- Sakula Payload (4 IoCs)
  Processes (resource / yara_rule):
    \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  family_sakula
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  family_sakula
    behavioral1/memory/1624-58-0x0000000000400000-0x0000000000420000-memory.dmp  family_sakula
    behavioral1/memory/1220-59-0x0000000000400000-0x0000000000420000-memory.dmp  family_sakula
- Executes dropped EXE (1 IoC)
  Processes (pid / process):
    1220  MediaCenter.exe
- Deletes itself (1 IoC)
  Processes (pid / process):
    392  cmd.exe
- Loads dropped DLL (1 IoC)
  Processes (pid / process):
    1624  0273ba88e2a095b47a1d6ad432e24414860347a209f4ff3a50d74e80f83eb425.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description / ioc / process):
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  0273ba88e2a095b47a1d6ad432e24414860347a209f4ff3a50d74e80f83eb425.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description / pid / process):
    Token: SeIncBasePriorityPrivilege  1624  0273ba88e2a095b47a1d6ad432e24414860347a209f4ff3a50d74e80f83eb425.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description / pid / process / target process):
    PID 1624 wrote to memory of 1220  1624  0273ba88e2a095b47a1d6ad432e24414860347a209f4ff3a50d74e80f83eb425.exe  MediaCenter.exe  (4 identical entries)
    PID 1624 wrote to memory of 392  1624  0273ba88e2a095b47a1d6ad432e24414860347a209f4ff3a50d74e80f83eb425.exe  cmd.exe  (4 identical entries)
    PID 392 wrote to memory of 1844  392  cmd.exe  PING.EXE  (4 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\0273ba88e2a095b47a1d6ad432e24414860347a209f4ff3a50d74e80f83eb425.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0273ba88e2a095b47a1d6ad432e24414860347a209f4ff3a50d74e80f83eb425.exe"
  PID: 1624
  Signatures: Loads dropped DLL; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (child of 1624)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 1220
    Signatures: Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (child of 1624)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0273ba88e2a095b47a1d6ad432e24414860347a209f4ff3a50d74e80f83eb425.exe"
    PID: 392
    Signatures: Deletes itself; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (child of 392)
      Command line: ping 127.0.0.1
      PID: 1844
      Signatures: Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 9b49a1db65443ee098faae28b1d716b3
  SHA1: 6b798c6126cfd8f2b40c6122a92ed57074030cd7
  SHA256: 8a5815b32deb3f13679eb1b885b3226603e77cbafc10b3be82b1126acc41413b
  SHA512: 8495bb6b1e530d332ebad1509cae4171e7f930223c709ccb722ee0f2eb21c8413153c5b9ebcf03a049e915d6b5a95537974289e7f799ce67295a458c77f5e53d
- \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 9b49a1db65443ee098faae28b1d716b3
  SHA1: 6b798c6126cfd8f2b40c6122a92ed57074030cd7
  SHA256: 8a5815b32deb3f13679eb1b885b3226603e77cbafc10b3be82b1126acc41413b
  SHA512: 8495bb6b1e530d332ebad1509cae4171e7f930223c709ccb722ee0f2eb21c8413153c5b9ebcf03a049e915d6b5a95537974289e7f799ce67295a458c77f5e53d
- memory/1220-59-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB
- memory/1624-54-0x0000000076C61000-0x0000000076C63000-memory.dmp
  Filesize: 8KB
- memory/1624-58-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB