Analysis
max time kernel: 148s
max time network: 161s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 06:27

Static task: static1

Behavioral task: behavioral1
Sample: 0ff227e05c6a4c76595aedbee57b09a926a38dde73ff79c11b7babd63a91f938.exe
Resource: win7-en-20211208

Behavioral task: behavioral2
Sample: 0ff227e05c6a4c76595aedbee57b09a926a38dde73ff79c11b7babd63a91f938.exe
Resource: win10v2004-en-20220113
General
Target: 0ff227e05c6a4c76595aedbee57b09a926a38dde73ff79c11b7babd63a91f938.exe
Size: 80KB
MD5: 4efc372bb27e8ab69750a46da05afe0b
SHA1: 1103f8f85b0f2eb19f29028a20acfb18f32794a9
SHA256: 0ff227e05c6a4c76595aedbee57b09a926a38dde73ff79c11b7babd63a91f938
SHA512: e23b5284d4b84e69f2d8588be8b5f8a25925f0ab25e49de3cea949102618d865cf9015652d6364aba5866be9aa83f13b47d1af85172776136cf0dabcd3d118bb
Malware Config
Signatures

Sakula Payload (3 IoCs)
Processes (resource, yara_rule):
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe: family_sakula
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe: family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe: family_sakula

Executes dropped EXE (1 IoC)
Processes (pid, process):
1580 MediaCenter.exe

Deletes itself (1 IoC)
Processes (pid, process):
1052 cmd.exe

Loads dropped DLL (2 IoCs)
Processes (pid, process):
744 0ff227e05c6a4c76595aedbee57b09a926a38dde73ff79c11b7babd63a91f938.exe
744 0ff227e05c6a4c76595aedbee57b09a926a38dde73ff79c11b7babd63a91f938.exe

Adds Run key to start application (2 TTPs, 1 IoC)
Processes (description, ioc, process):
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" 0ff227e05c6a4c76595aedbee57b09a926a38dde73ff79c11b7babd63a91f938.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTP, 1 IoC)

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes (description, pid, process):
Token: SeIncBasePriorityPrivilege 744 0ff227e05c6a4c76595aedbee57b09a926a38dde73ff79c11b7babd63a91f938.exe

Suspicious use of WriteProcessMemory (12 IoCs)
Processes (description, pid, process, target process):
PID 744 wrote to memory of 1580: 0ff227e05c6a4c76595aedbee57b09a926a38dde73ff79c11b7babd63a91f938.exe -> MediaCenter.exe
PID 744 wrote to memory of 1580: 0ff227e05c6a4c76595aedbee57b09a926a38dde73ff79c11b7babd63a91f938.exe -> MediaCenter.exe
PID 744 wrote to memory of 1580: 0ff227e05c6a4c76595aedbee57b09a926a38dde73ff79c11b7babd63a91f938.exe -> MediaCenter.exe
PID 744 wrote to memory of 1580: 0ff227e05c6a4c76595aedbee57b09a926a38dde73ff79c11b7babd63a91f938.exe -> MediaCenter.exe
PID 744 wrote to memory of 1052: 0ff227e05c6a4c76595aedbee57b09a926a38dde73ff79c11b7babd63a91f938.exe -> cmd.exe
PID 744 wrote to memory of 1052: 0ff227e05c6a4c76595aedbee57b09a926a38dde73ff79c11b7babd63a91f938.exe -> cmd.exe
PID 744 wrote to memory of 1052: 0ff227e05c6a4c76595aedbee57b09a926a38dde73ff79c11b7babd63a91f938.exe -> cmd.exe
PID 744 wrote to memory of 1052: 0ff227e05c6a4c76595aedbee57b09a926a38dde73ff79c11b7babd63a91f938.exe -> cmd.exe
PID 1052 wrote to memory of 1340: cmd.exe -> PING.EXE
PID 1052 wrote to memory of 1340: cmd.exe -> PING.EXE
PID 1052 wrote to memory of 1340: cmd.exe -> PING.EXE
PID 1052 wrote to memory of 1340: cmd.exe -> PING.EXE
Processes

1. C:\Users\Admin\AppData\Local\Temp\0ff227e05c6a4c76595aedbee57b09a926a38dde73ff79c11b7babd63a91f938.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\0ff227e05c6a4c76595aedbee57b09a926a38dde73ff79c11b7babd63a91f938.exe"
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   PID: 744

   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE
      PID: 1580

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0ff227e05c6a4c76595aedbee57b09a926a38dde73ff79c11b7babd63a91f938.exe"
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      PID: 1052

      3. C:\Windows\SysWOW64\PING.EXE
         Command line: ping 127.0.0.1
         - Runs ping.exe
         PID: 1340
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: 2317da5dc41309b7ac6e467a6cd2d9a8
SHA1: 8b968a4011157107c0c43187af5341c34b6589b8
SHA256: 26f0f740335f91ee17bc050d87cef063f5c7c3bdcda2e2708457df875c37964c
SHA512: 9d7dbbfbb720c6734133a1c371ca3f229983914ed482c6cb7393ad664fba9c992b69a1a5f388ae9c90e8581d7f0e04b94c03f4d197cf12410760aece63499716