Analysis
-
max time kernel: 151s
max time network: 152s
platform: windows7_x64
resource: win7-en-20211208
submitted: 22-01-2022 00:03
Static task
static1
Behavioral task
behavioral1
Sample
0077d0dd944fa58b096712a8736906ce84f1bd11c368dcceb51333de51ba7ab4.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
0077d0dd944fa58b096712a8736906ce84f1bd11c368dcceb51333de51ba7ab4.exe
Resource
win10-en-20211208
General
Target: 0077d0dd944fa58b096712a8736906ce84f1bd11c368dcceb51333de51ba7ab4.exe
Size: 89KB
MD5: f06b0ee07daa7f914dec27f98a6d8850
SHA1: abd40af6745f6cfa51210f88beafa6e0d4340b99
SHA256: 0077d0dd944fa58b096712a8736906ce84f1bd11c368dcceb51333de51ba7ab4
SHA512: fdb0a5adb5331aa6f482440c77b8a4e61333f6e08fe358247a3570084aebe66f742630bd4fde126368577149e0a51181956d37162cae09528b984ae3e8b9962d
Malware Config
Signatures
-
Sakula Payload (2 IoCs)
resource                                                       yara_rule
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe     family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe   family_sakula
Executes dropped EXE (1 IoC)
pid    process
1888   MediaCenter.exe
Deletes itself (1 IoC)
pid    process
684    cmd.exe
Loads dropped DLL (1 IoC)
pid    process
1416   0077d0dd944fa58b096712a8736906ce84f1bd11c368dcceb51333de51ba7ab4.exe
Adds Run key to start application (2 TTPs, 1 IoC)
description      ioc                                                                                                        process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"   0077d0dd944fa58b096712a8736906ce84f1bd11c368dcceb51333de51ba7ab4.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). The sandbox attaches the canned text "likely ransomware behaviour" to this heuristic, but in this report the same ruleset classifies the dropped payload as Sakula, a remote-access trojan, and no file-encryption activity is recorded, so the drive enumeration is better read as host reconnaissance than as a ransomware indicator.
Runs ping.exe (1 TTPs, 1 IoC)
Suspicious use of AdjustPrivilegeToken (1 IoC)
description                         pid    process
Token: SeIncBasePriorityPrivilege   1416   0077d0dd944fa58b096712a8736906ce84f1bd11c368dcceb51333de51ba7ab4.exe
Suspicious use of WriteProcessMemory (12 IoCs)
source pid   source process                                                            target pid   target process   events
1416         0077d0dd944fa58b096712a8736906ce84f1bd11c368dcceb51333de51ba7ab4.exe     1888         MediaCenter.exe  4
1416         0077d0dd944fa58b096712a8736906ce84f1bd11c368dcceb51333de51ba7ab4.exe     684          cmd.exe          4
684          cmd.exe                                                                   1080         PING.EXE         4
Every target is a direct child of the writing process (see the process tree below), so these writes are consistent with ordinary process creation rather than with injection into an unrelated, already-running process.
Processes
-
C:\Users\Admin\AppData\Local\Temp\0077d0dd944fa58b096712a8736906ce84f1bd11c368dcceb51333de51ba7ab4.exe  (PID 1416, level 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\0077d0dd944fa58b096712a8736906ce84f1bd11c368dcceb51333de51ba7ab4.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  (PID 1888, level 2)
      command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE
    C:\Windows\SysWOW64\cmd.exe  (PID 684, level 2)
      command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0077d0dd944fa58b096712a8736906ce84f1bd11c368dcceb51333de51ba7ab4.exe"
      - Deletes itself
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\PING.EXE  (PID 1080, level 3)
          command line: ping 127.0.0.1
          - Runs ping.exe
Two details of this tree matter for detection. First, the command line names C:\Windows\System32\cmd.exe but the image that actually ran is C:\Windows\SysWOW64\cmd.exe: the dropper is a 32-bit process on a 64-bit host, so WOW64 file-system redirection rewrites the path, just as registry redirection placed its Run value under Wow6432Node. Rules should match on the executed image path, not on the command-line string. Second, "ping 127.0.0.1 & del /q <own path>" is the classic self-deletion idiom: the ping only exists to delay the del until the dropper has exited and released its image file, at which point the original binary is gone from %TEMP% while the persisted MediaCenter.exe remains.
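The two host behaviours in this tree, the Run value pointing into %TEMP% and the ping-then-del self-deletion, expressed as detection logic in Python. This is an added example, not part of the sandbox report: the events are constructed Sysmon-style records modelled on the process tree and registry write above, the field names and rule names are my own assumptions, and the two benign events at the end (an interactive ping and a OneDrive Run value) are included only to show the rules do not fire on them.

```python
"""Detect Run-key persistence into a user-writable directory and the
"ping & del" self-deletion idiom over constructed process/registry events."""
import re

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\0077d0dd944fa58b096712a8736906ce84f1bd11c368dcceb51333de51ba7ab4.exe")
PAYLOAD = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

# Constructed events (assumed schema, not a real Sysmon export). The first five
# mirror the report's process tree; the last two are benign noise.
EVENTS = [
    {"type": "process_create", "pid": 1416, "ppid": 1000, "image": SAMPLE,
     "cmdline": '"' + SAMPLE + '"'},
    {"type": "registry_set", "pid": 1416,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows"
            r"\CurrentVersion\Run\MicroMedia",
     "data": PAYLOAD},
    {"type": "process_create", "pid": 1888, "ppid": 1416, "image": PAYLOAD,
     "cmdline": PAYLOAD},
    # Command line says System32, executed image is SysWOW64 (WOW64 redirection).
    {"type": "process_create", "pid": 684, "ppid": 1416,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": '"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "'
                + SAMPLE + '"'},
    {"type": "process_create", "pid": 1080, "ppid": 684,
     "image": r"C:\Windows\SysWOW64\PING.EXE", "cmdline": "ping 127.0.0.1"},
    {"type": "process_create", "pid": 2000, "ppid": 1500,
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd /c ping 127.0.0.1"},
    {"type": "registry_set", "pid": 1500,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "data": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background"},
]

# Any hive, with or without Wow6432Node: the value name is irrelevant.
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
# Locations an unprivileged user can write to; a Run value here is suspect.
USER_WRITABLE = re.compile(r"\\AppData\\Local\\Temp\\|\\AppData\\Roaming\\", re.I)
# "ping <addr> ... & del [/flags] <target>": ping is a sleep, del is the point.
SELF_DELETE = re.compile(
    r'ping\s+\S+.*&\s*del\s+(?:/[a-z]\s+)*"?(?P<target>[^"&]+?)"?\s*$', re.I)


def detect(events):
    """Return (rule, pid, artefact) tuples for every event that matches a rule."""
    procs = {e["pid"]: e for e in events if e["type"] == "process_create"}
    findings = []
    for e in events:
        if e["type"] == "registry_set":
            if RUN_KEY.search(e["key"]) and USER_WRITABLE.search(e["data"]):
                findings.append(("run_key_to_temp", e["pid"], e["data"]))
            continue
        parent = procs.get(e["ppid"])
        # A binary in a user-writable directory launched by another binary in a
        # user-writable directory: the dropper running its dropped payload.
        if parent and USER_WRITABLE.search(e["image"]) \
                and USER_WRITABLE.search(parent["image"]):
            findings.append(("dropped_exe_from_temp", e["pid"], e["image"]))
        # Match on the executed image, not the cmdline, so WOW64 redirection
        # (System32 in the string, SysWOW64 on disk) does not hide the shell.
        if e["image"].lower().endswith("\\cmd.exe"):
            m = SELF_DELETE.search(e["cmdline"])
            if m and parent:
                target = m.group("target").strip().lower()
                # Only fire when the del target is the parent's own image.
                if target == parent["image"].lower():
                    findings.append(("self_delete_via_ping", e["ppid"],
                                     parent["image"]))
    return findings


if __name__ == "__main__":
    for rule, pid, artefact in detect(EVENTS):
        print(f"{rule:24} pid={pid:<6} {artefact}")
```

The self-deletion rule deliberately correlates the del target with the parent's image path instead of alerting on every "ping & del": installers and update scripts use the same idiom to clean up temporary files, and it is the deletion of the launching binary itself that distinguishes the dropper.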
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: 071a95c9a76b8740112d0556822789ff
SHA1: 4ff852a37f6a0d0b1f38d9e133b50f37620cfc61
SHA256: 33541bd0fd6896190f85f3fd4cded99dcd3247077c1100f3a49c581345eed6e1
SHA512: ce23e5c3b84c04b925060d73c156e91dc7854cdf6c5fc4bd0996dfbe06457d3e57cf8709f2841815b0d4ad253f7543b8bb188fd9be5c7499223e2037f46ee936