Analysis
max time kernel: 125s
max time network: 134s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 06:30

Static task: static1
Behavioral task: behavioral1
  Sample: 0fcefe7344d262f98db58ffcd4d80b55648b4effbe3f5e67f62ca04e1eb12cc2.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0fcefe7344d262f98db58ffcd4d80b55648b4effbe3f5e67f62ca04e1eb12cc2.exe
  Resource: win10v2004-en-20220112

General
Target: 0fcefe7344d262f98db58ffcd4d80b55648b4effbe3f5e67f62ca04e1eb12cc2.exe
Size: 216KB
MD5: f22170f2ecb803c4f92b46a7e3014616
SHA1: 8c3781d1ae8dd12a76cd04e6f88a410a3823dcc6
SHA256: 0fcefe7344d262f98db58ffcd4d80b55648b4effbe3f5e67f62ca04e1eb12cc2
SHA512: 122e0576a413fbee7008a2281ec4bfd33f729060157c344d16b845814205050105176c2e286e36e3a5fe3532b763be9948b4da221eb8dd7ea1a3b2795fe8c8ff
Malware Config
Signatures
-
Sakula Payload (4 IoCs)
  resource                                                                     yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe                   family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe                 family_sakula
  behavioral1/memory/1416-58-0x0000000000400000-0x0000000000420000-memory.dmp  family_sakula
  behavioral1/memory/1888-59-0x0000000000400000-0x0000000000420000-memory.dmp  family_sakula

Executes dropped EXE (1 IoC)
  pid 1888  MediaCenter.exe

Deletes itself (1 IoC)
  pid 436   cmd.exe

Loads dropped DLL (1 IoC)
  pid 1416  0fcefe7344d262f98db58ffcd4d80b55648b4effbe3f5e67f62ca04e1eb12cc2.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  description  Set value (str)
  ioc          \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  process      0fcefe7344d262f98db58ffcd4d80b55648b4effbe3f5e67f62ca04e1eb12cc2.exe (pid 1416)
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  This is the sandbox's generic description for the heuristic and carries no IoC on this page. The dropped binary is classified by the family_sakula YARA matches above, and Sakula is a remote-access backdoor rather than ransomware, so read this line as context, not as a verdict.

Runs ping.exe (1 TTP, 1 IoC)
  PING.EXE (pid 1104, see the process tree below)
Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeIncBasePriorityPrivilege  pid 1416  0fcefe7344d262f98db58ffcd4d80b55648b4effbe3f5e67f62ca04e1eb12cc2.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  pid   process                                                                 target pid  target process   calls
  1416  0fcefe7344d262f98db58ffcd4d80b55648b4effbe3f5e67f62ca04e1eb12cc2.exe  1888        MediaCenter.exe  4
  1416  0fcefe7344d262f98db58ffcd4d80b55648b4effbe3f5e67f62ca04e1eb12cc2.exe  436         cmd.exe          4
  436   cmd.exe                                                                 1104        PING.EXE         4
Processes
  C:\Users\Admin\AppData\Local\Temp\0fcefe7344d262f98db58ffcd4d80b55648b4effbe3f5e67f62ca04e1eb12cc2.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\0fcefe7344d262f98db58ffcd4d80b55648b4effbe3f5e67f62ca04e1eb12cc2.exe"
    PID 1416
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      PID 1888
      - Executes dropped EXE
    C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0fcefe7344d262f98db58ffcd4d80b55648b4effbe3f5e67f62ca04e1eb12cc2.exe"
      PID 436
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\PING.EXE
        command line: ping 127.0.0.1
        PID 1104
        - Runs ping.exe

Two details of this tree are worth reading correctly. The image path (SysWOW64\cmd.exe) differs from the command line (System32\cmd.exe) because the sample is a 32-bit process on x64 Windows: WOW64 file-system redirection maps its System32 request to SysWOW64, and the same redirection is why its Run value landed under Wow6432Node. The ping 127.0.0.1 before del /q is a delay, not a network check: the running parent cannot be deleted while its image is mapped, so the sample spawns cmd.exe, exits, and lets the delayed del remove the original file once the lock is gone.
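The process tree above shows two behaviours a detection engineer would want to alert on generically rather than by hash: a cmd.exe child that pings then deletes its own parent's image, and a Run value that points at a binary under %LOCALAPPDATA%\Temp. The following is an added example, not part of the sandbox report or any vendor's rule set. It runs over constructed Sysmon-style events modelled on the PIDs, paths and command lines on this page; the field names (type, image, parent_image, command_line, target_object, details) are assumptions chosen to resemble Sysmon event IDs 1 and 13 and must be mapped to your own telemetry schema.

```python
"""Detect parent self-deletion via cmd.exe and Run-key persistence into Temp.

Added example; field names are an assumed Sysmon-like schema, and the
EVENTS list below is constructed sample data, not real telemetry.
"""
import re

# "ping <anything> & del [/flags] <path>"; tolerates && and quoted or bare paths.
SELF_DELETE_RE = re.compile(
    r'\bping\b[^&]*&+\s*del\b(?:\s+/\w+)*\s+(?:"(?P<quoted>[^"]+)"|(?P<bare>\S+))',
    re.IGNORECASE,
)
# Run / RunOnce under any hive or Wow6432Node prefix.
RUN_KEY_RE = re.compile(r'\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\', re.IGNORECASE)
TEMP_RE = re.compile(r'\\AppData\\Local\\Temp\\', re.IGNORECASE)


def is_self_delete(ev):
    """True when a cmd.exe child pings, then deletes the image of its own parent."""
    if ev.get("type") != "process_create":
        return False
    if not ev["image"].lower().endswith("\\cmd.exe"):
        return False
    m = SELF_DELETE_RE.search(ev["command_line"])
    if not m:
        return False
    target = m.group("quoted") or m.group("bare")
    return target.lower() == ev["parent_image"].lower()


def is_temp_run_key(ev):
    """True when a Run/RunOnce value is set to a path under %LOCALAPPDATA%\\Temp."""
    if ev.get("type") != "registry_set":
        return False
    if not RUN_KEY_RE.search(ev["target_object"]):
        return False
    return bool(TEMP_RE.search(ev["details"]))


def analyze(events):
    """Return (rule, pid, artefact) tuples for every event that fires a rule."""
    findings = []
    for ev in events:
        if is_self_delete(ev):
            findings.append(("self_delete", ev["parent_pid"], ev["parent_image"]))
        if is_temp_run_key(ev):
            findings.append(("temp_run_key", ev["pid"], ev["details"]))
    return findings


# Constructed sample events modelled on the process tree and Run key above.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\0fcefe7344d262f98db58ffcd4d80b55648b4effbe3f5e67f62ca04e1eb12cc2.exe")
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

EVENTS = [
    {"type": "process_create", "pid": 436, "parent_pid": 1416,
     "image": r"C:\Windows\SysWOW64\cmd.exe", "parent_image": SAMPLE,
     "command_line": '"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "' + SAMPLE + '"'},
    {"type": "registry_set", "pid": 1416,
     "target_object": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "details": DROPPED},
    # Benign noise (constructed): a plain ping, and a Run value under Program Files.
    {"type": "process_create", "pid": 2000, "parent_pid": 1900,
     "image": r"C:\Windows\System32\cmd.exe", "parent_image": r"C:\Windows\explorer.exe",
     "command_line": '"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1'},
    {"type": "registry_set", "pid": 2100,
     "target_object": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "details": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background"},
]

if __name__ == "__main__":
    for rule, pid, artefact in analyze(EVENTS):
        print(f"{rule}: pid {pid} -> {artefact}")
```

The self-delete rule keys on the parent/child relationship rather than on the string "ping 127.0.0.1", so a sleep-by-timeout variant still needs its own clause, but a ping with no del (the third constructed event) does not fire. Matching the deleted path against parent_image is what keeps ordinary cleanup scripts out of the alert stream.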
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: 03b95e3cd850f51a41c6309cde0b8880
SHA1: 5ca265423def6a303ea3aee1e344eff9da7787ff
SHA256: e23e73c62b5443e3b9e98706580018d6dad7c99addc511e60756521cba068caf
SHA512: 5473adc5f7b1fa28ff7c330ed9bc9b57c054cf766caa574a46947e1dd5ff397edc87d4bbcd94e1022228dbbbb044db7fa2bedf4c71c9058585ac416242db322f
(The page lists this entry twice with identical hashes; the repeat is omitted here.)