Analysis
- max time kernel: 150s
- max time network: 166s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 07:12
Static task
- static1
Behavioral task
- behavioral1
- Sample: 0e2d20e15406a0356fa418f2350bcda0bca4d93263d6b8c9630733204b2e8f1b.exe
- Resource: win7-en-20211208
Behavioral task
- behavioral2
- Sample: 0e2d20e15406a0356fa418f2350bcda0bca4d93263d6b8c9630733204b2e8f1b.exe
- Resource: win10v2004-en-20220113
General
- Target: 0e2d20e15406a0356fa418f2350bcda0bca4d93263d6b8c9630733204b2e8f1b.exe
- Size: 152KB
- MD5: ed40af3be32e583e483e4d2e93b0fb03
- SHA1: e24f7d6d43a8f429884c767c853df5b6ccfb9992
- SHA256: 0e2d20e15406a0356fa418f2350bcda0bca4d93263d6b8c9630733204b2e8f1b
- SHA512: 918d488714263db7e702c667fef31da252c1333e7c6eb1b4b7220538f8b84a2e4dc8cb55b4999840bb552d9d7b48238491f7af43f4bc292d97b3f7cc28d1b64c
Malware Config
Signatures
- Sakula Payload 2 IoCs
Processes:
resource: \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe, yara_rule: family_sakula
resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe, yara_rule: family_sakula
- Executes dropped EXE 1 IoCs
Processes: MediaCenter.exe
pid: 1680, process: MediaCenter.exe
- Deletes itself 1 IoCs
Processes: cmd.exe
pid: 960, process: cmd.exe
- Loads dropped DLL 1 IoCs
Processes: 0e2d20e15406a0356fa418f2350bcda0bca4d93263d6b8c9630733204b2e8f1b.exe
pid: 1592, process: 0e2d20e15406a0356fa418f2350bcda0bca4d93263d6b8c9630733204b2e8f1b.exe
- Adds Run key to start application 2 TTPs 1 IoCs
Processes: 0e2d20e15406a0356fa418f2350bcda0bca4d93263d6b8c9630733204b2e8f1b.exe
description: Set value (str)
ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
process: 0e2d20e15406a0356fa418f2350bcda0bca4d93263d6b8c9630733204b2e8f1b.exe
- Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe 1 TTPs 1 IoCs
- Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes: 0e2d20e15406a0356fa418f2350bcda0bca4d93263d6b8c9630733204b2e8f1b.exe
description: Token: SeIncBasePriorityPrivilege, pid: 1592, process: 0e2d20e15406a0356fa418f2350bcda0bca4d93263d6b8c9630733204b2e8f1b.exe
- Suspicious use of WriteProcessMemory 12 IoCs
Processes: 0e2d20e15406a0356fa418f2350bcda0bca4d93263d6b8c9630733204b2e8f1b.exe, cmd.exe
description | pid | process | target process
PID 1592 wrote to memory of 1680 | 1592 | 0e2d20e15406a0356fa418f2350bcda0bca4d93263d6b8c9630733204b2e8f1b.exe | MediaCenter.exe
PID 1592 wrote to memory of 1680 | 1592 | 0e2d20e15406a0356fa418f2350bcda0bca4d93263d6b8c9630733204b2e8f1b.exe | MediaCenter.exe
PID 1592 wrote to memory of 1680 | 1592 | 0e2d20e15406a0356fa418f2350bcda0bca4d93263d6b8c9630733204b2e8f1b.exe | MediaCenter.exe
PID 1592 wrote to memory of 1680 | 1592 | 0e2d20e15406a0356fa418f2350bcda0bca4d93263d6b8c9630733204b2e8f1b.exe | MediaCenter.exe
PID 1592 wrote to memory of 960 | 1592 | 0e2d20e15406a0356fa418f2350bcda0bca4d93263d6b8c9630733204b2e8f1b.exe | cmd.exe
PID 1592 wrote to memory of 960 | 1592 | 0e2d20e15406a0356fa418f2350bcda0bca4d93263d6b8c9630733204b2e8f1b.exe | cmd.exe
PID 1592 wrote to memory of 960 | 1592 | 0e2d20e15406a0356fa418f2350bcda0bca4d93263d6b8c9630733204b2e8f1b.exe | cmd.exe
PID 1592 wrote to memory of 960 | 1592 | 0e2d20e15406a0356fa418f2350bcda0bca4d93263d6b8c9630733204b2e8f1b.exe | cmd.exe
PID 960 wrote to memory of 792 | 960 | cmd.exe | PING.EXE
PID 960 wrote to memory of 792 | 960 | cmd.exe | PING.EXE
PID 960 wrote to memory of 792 | 960 | cmd.exe | PING.EXE
PID 960 wrote to memory of 792 | 960 | cmd.exe | PING.EXE
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\0e2d20e15406a0356fa418f2350bcda0bca4d93263d6b8c9630733204b2e8f1b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0e2d20e15406a0356fa418f2350bcda0bca4d93263d6b8c9630733204b2e8f1b.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1592
  - [2] C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1680
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0e2d20e15406a0356fa418f2350bcda0bca4d93263d6b8c9630733204b2e8f1b.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 960
    - [3] C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 792
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 3b456b69818d0be8ca4fd1ae1e38fb3b
- SHA1: d8305c5301b13728019cc56f25325eea055be2b1
- SHA256: b4fb3cc739a0075b13915d3c0e92ae2b68e5e34b54d5c4b7989398dc30d20981
- SHA512: 7e76ab8400611507024914732ac9c97c362e12a7e8d707109f3b89b649e3cb401fb2995e4229ba294b3f4c8e8fb371f8539c20db466cae03eca536da38d71a1e