Analysis
max time kernel: 4294194s
max time network: 135s
platform: windows7_x64
resource: win7-20220223-en
submitted: 24-02-2022 11:08
Static task: static1
Behavioral task: behavioral1
  Sample: c0064a70b0d297c43ccc230f852c1ffac7534d58251dec497bab0e7e82f79143.exe
  Resource: win7-20220223-en
Behavioral task: behavioral2
  Sample: c0064a70b0d297c43ccc230f852c1ffac7534d58251dec497bab0e7e82f79143.exe
  Resource: win10-en-20211208
Behavioral task: behavioral3
  Sample: c0064a70b0d297c43ccc230f852c1ffac7534d58251dec497bab0e7e82f79143.exe
  Resource: win10v2004-en-20220113
General
Target: c0064a70b0d297c43ccc230f852c1ffac7534d58251dec497bab0e7e82f79143.exe
Size: 216KB
MD5: dab5f66a4c8f6bcbcdeb2a83c21769c5
SHA1: 06e8c2999917c6bc5d4b6359de3222d4379acbb9
SHA256: c0064a70b0d297c43ccc230f852c1ffac7534d58251dec497bab0e7e82f79143
SHA512: 3a02669cd6390e5c6b5e1dd8711c300790cd78419a512830325c497fad7a5864aeaac6e0622dd39ab3bd3bafad49f5ad968d0d6c24c961adb9cafb7b64869854
Malware Config
Signatures
Sakula Payload (4 IoCs)
  resource | yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  behavioral1/memory/1204-58-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
  behavioral1/memory/476-59-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula

Executes dropped EXE (1 IoC)
  pid | process
  476 | MediaCenter.exe

Deletes itself (1 IoC)
  pid | process
  392 | cmd.exe

Loads dropped DLL (1 IoC)
  pid | process
  1204 | c0064a70b0d297c43ccc230f852c1ffac7534d58251dec497bab0e7e82f79143.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | c0064a70b0d297c43ccc230f852c1ffac7534d58251dec497bab0e7e82f79143.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTP, 1 IoC)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 1204 | c0064a70b0d297c43ccc230f852c1ffac7534d58251dec497bab0e7e82f79143.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  description | pid | process | target process
  PID 1204 wrote to memory of 476 | 1204 | c0064a70b0d297c43ccc230f852c1ffac7534d58251dec497bab0e7e82f79143.exe | MediaCenter.exe
  PID 1204 wrote to memory of 476 | 1204 | c0064a70b0d297c43ccc230f852c1ffac7534d58251dec497bab0e7e82f79143.exe | MediaCenter.exe
  PID 1204 wrote to memory of 476 | 1204 | c0064a70b0d297c43ccc230f852c1ffac7534d58251dec497bab0e7e82f79143.exe | MediaCenter.exe
  PID 1204 wrote to memory of 476 | 1204 | c0064a70b0d297c43ccc230f852c1ffac7534d58251dec497bab0e7e82f79143.exe | MediaCenter.exe
  PID 1204 wrote to memory of 392 | 1204 | c0064a70b0d297c43ccc230f852c1ffac7534d58251dec497bab0e7e82f79143.exe | cmd.exe
  PID 1204 wrote to memory of 392 | 1204 | c0064a70b0d297c43ccc230f852c1ffac7534d58251dec497bab0e7e82f79143.exe | cmd.exe
  PID 1204 wrote to memory of 392 | 1204 | c0064a70b0d297c43ccc230f852c1ffac7534d58251dec497bab0e7e82f79143.exe | cmd.exe
  PID 1204 wrote to memory of 392 | 1204 | c0064a70b0d297c43ccc230f852c1ffac7534d58251dec497bab0e7e82f79143.exe | cmd.exe
  PID 392 wrote to memory of 1916 | 392 | cmd.exe | PING.EXE
  PID 392 wrote to memory of 1916 | 392 | cmd.exe | PING.EXE
  PID 392 wrote to memory of 1916 | 392 | cmd.exe | PING.EXE
  PID 392 wrote to memory of 1916 | 392 | cmd.exe | PING.EXE
Processes
C:\Users\Admin\AppData\Local\Temp\c0064a70b0d297c43ccc230f852c1ffac7534d58251dec497bab0e7e82f79143.exe (level 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\c0064a70b0d297c43ccc230f852c1ffac7534d58251dec497bab0e7e82f79143.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (level 2)
    command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE

  C:\Windows\SysWOW64\cmd.exe (level 2)
    command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\c0064a70b0d297c43ccc230f852c1ffac7534d58251dec497bab0e7e82f79143.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\PING.EXE (level 3)
      command line: ping 127.0.0.1
      - Runs ping.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
(also listed as \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe with identical hashes)
  MD5: eba26bb075a47deb69c50651936b1854
  SHA1: 01b1ed1857cf0a618ed074b74562b4b6e48f9a39
  SHA256: 9e2e358064c3ff4d30d4c99c95254f4763bbab8141213f2d67902dff41f3ac72
  SHA512: 18298ac13571b4953ee046f426f16c96d6ff7a4eb783a57c64cb3fc26569b0a660f6b3a3e39237c4f48362a64075d193dee551c89ebcbfc3d541836592a0bfd0

memory/476-59-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB

memory/1204-54-0x0000000075CC1000-0x0000000075CC3000-memory.dmp
  Filesize: 8KB

memory/1204-58-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB