Analysis
- max time kernel: 143s
- max time network: 165s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 12:18
Static task: static1
Behavioral task: behavioral1
  Sample: 01ec9fd8625be6f43ef086441d1e08ba6fd0ddf093383e4488287bc8c1cad2c2.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 01ec9fd8625be6f43ef086441d1e08ba6fd0ddf093383e4488287bc8c1cad2c2.exe
  Resource: win10v2004-en-20220112
General
- Target: 01ec9fd8625be6f43ef086441d1e08ba6fd0ddf093383e4488287bc8c1cad2c2.exe
- Size: 80KB
- MD5: c81e526c5c1fda71c660d65519ab2732
- SHA1: a79a683ac5df1b0a43bf5b41a31b78a6de9e27ae
- SHA256: 01ec9fd8625be6f43ef086441d1e08ba6fd0ddf093383e4488287bc8c1cad2c2
- SHA512: b80f220beaaec6061223026d3ba3a68932fcd2aaf1d3d65710c5d9130e63b7e1ea6bed65339ff7a925d210e529698bb1e7aecf4a105369e40c33cedb2285fad6
Malware Config
Signatures
-
- Sakula Payload (3 IoCs)
  Resource / YARA rule:
  - \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe: family_sakula
  - \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe: family_sakula
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe: family_sakula
- Executes dropped EXE (1 IoC)
  Processes:
  - PID 1736: MediaCenter.exe
- Deletes itself (1 IoC)
  Processes:
  - PID 928: cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes:
  - PID 1548: 01ec9fd8625be6f43ef086441d1e08ba6fd0ddf093383e4488287bc8c1cad2c2.exe
  - PID 1548: 01ec9fd8625be6f43ef086441d1e08ba6fd0ddf093383e4488287bc8c1cad2c2.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
  - 01ec9fd8625be6f43ef086441d1e08ba6fd0ddf093383e4488287bc8c1cad2c2.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  - PID 1548 (01ec9fd8625be6f43ef086441d1e08ba6fd0ddf093383e4488287bc8c1cad2c2.exe): Token: SeIncBasePriorityPrivilege
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (source PID / source process -> target process):
  - PID 1548 (01ec9fd8625be6f43ef086441d1e08ba6fd0ddf093383e4488287bc8c1cad2c2.exe) wrote to memory of PID 1736 (MediaCenter.exe): 4 entries
  - PID 1548 (01ec9fd8625be6f43ef086441d1e08ba6fd0ddf093383e4488287bc8c1cad2c2.exe) wrote to memory of PID 928 (cmd.exe): 4 entries
  - PID 928 (cmd.exe) wrote to memory of PID 1696 (PING.EXE): 4 entries
Processes
- C:\Users\Admin\AppData\Local\Temp\01ec9fd8625be6f43ef086441d1e08ba6fd0ddf093383e4488287bc8c1cad2c2.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\01ec9fd8625be6f43ef086441d1e08ba6fd0ddf093383e4488287bc8c1cad2c2.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1548
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (level 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1736
  - C:\Windows\SysWOW64\cmd.exe (level 2)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\01ec9fd8625be6f43ef086441d1e08ba6fd0ddf093383e4488287bc8c1cad2c2.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 928
    - C:\Windows\SysWOW64\PING.EXE (level 3)
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1696
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 0d3fd81df0dfb9c55bcb105bf088cc75
  SHA1: 6319856e713c5dc3ab03ffd0b12ef6ff2b7fae6a
  SHA256: 3e22de460c5abdaee370bc98a36c94cbd03176609a8625916f06a88aa96d4fb4
  SHA512: 3f31f415766a02c4e9517f5f77c405c52c0041d0d852690fb4b9463e170b1bbf1870f60005fdb312e9a6b310d2e719187424d3dd97151c86e7be16b2a8352903
- \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 0d3fd81df0dfb9c55bcb105bf088cc75
  SHA1: 6319856e713c5dc3ab03ffd0b12ef6ff2b7fae6a
  SHA256: 3e22de460c5abdaee370bc98a36c94cbd03176609a8625916f06a88aa96d4fb4
  SHA512: 3f31f415766a02c4e9517f5f77c405c52c0041d0d852690fb4b9463e170b1bbf1870f60005fdb312e9a6b310d2e719187424d3dd97151c86e7be16b2a8352903
- memory/1548-55-0x00000000762C1000-0x00000000762C3000-memory.dmp
  Filesize: 8KB