Analysis
- max time kernel: 140s
- max time network: 162s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 07:15
Static task: static1
Behavioral task: behavioral1
- Sample: 0e1ddc406a723a60928a3cacee301bb654ef19d48423b797208bed8dfcfeaa97.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 0e1ddc406a723a60928a3cacee301bb654ef19d48423b797208bed8dfcfeaa97.exe
- Resource: win10v2004-en-20220113
General
- Target: 0e1ddc406a723a60928a3cacee301bb654ef19d48423b797208bed8dfcfeaa97.exe
- Size: 99KB
- MD5: 2b4b5d610d81ffd74e570840f9c3a480
- SHA1: 5d1d70274fd90cdab76ac317a71d4d298e92b64e
- SHA256: 0e1ddc406a723a60928a3cacee301bb654ef19d48423b797208bed8dfcfeaa97
- SHA512: 2cf8783acb0d1d0987dd5a86cef714971d0d48315394034ce41ce215896562a1159bc2d9b996e6d65c3895d3a5831db184bc3a23dca7795a992245e0f071d628
Malware Config
Signatures
- Sakula Payload (3 IoCs)
  YARA rule family_sakula matched on the dropped file at three resource paths:
  - \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  - \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
- Executes dropped EXE (1 IoC)
  PID 516: MediaCenter.exe
- Deletes itself (1 IoC)
  PID 1172: cmd.exe
- Loads dropped DLL (2 IoCs)
  PID 952: 0e1ddc406a723a60928a3cacee301bb654ef19d48423b797208bed8dfcfeaa97.exe (two load events)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str) by PID 952 (0e1ddc406a723a60928a3cacee301bb654ef19d48423b797208bed8dfcfeaa97.exe):
  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
  The Wow6432Node path is the 32-bit view of HKLM\...\CurrentVersion\Run: a 32-bit process on 64-bit Windows is redirected there by registry redirection, and entries in that view are still executed at logon. The autorun points into the user's Temp directory, which is the persistence IoC to hunt for.
- Enumerates physical storage devices (1 TTP)
  Sandbox description: "Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour." That text is the generic description attached to this signature, not a verdict on this sample: the family match here is Sakula, a remote-access trojan, and nothing else in this report indicates file encryption. Read the drive enumeration as host reconnaissance.
- Runs ping.exe (1 TTP, 1 IoC)
  PID 1204: PING.EXE (ping 127.0.0.1, spawned by cmd.exe PID 1172)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  PID 952 (0e1ddc406a723a60928a3cacee301bb654ef19d48423b797208bed8dfcfeaa97.exe) enabled token privilege SeIncBasePriorityPrivilege
- Suspicious use of WriteProcessMemory (12 IoCs)
  writer PID  writer                                   target PID  target          writes
  952         0e1ddc406a723a...dfcfeaa97.exe (sample)  516         MediaCenter.exe 4
  952         0e1ddc406a723a...dfcfeaa97.exe (sample)  1172        cmd.exe         4
  1172        cmd.exe                                  1204        PING.EXE        4
  Every target is the writer's own direct child, as the process tree below confirms. Four writes from a parent into a child it has just created are what ordinary process creation looks like (the parent populating the new process's startup parameters); there is no write into an unrelated, pre-existing process, so this signature is not evidence of code injection in this run.
Processes
(depth 1) C:\Users\Admin\AppData\Local\Temp\0e1ddc406a723a60928a3cacee301bb654ef19d48423b797208bed8dfcfeaa97.exe   PID 952
  cmdline: "C:\Users\Admin\AppData\Local\Temp\0e1ddc406a723a60928a3cacee301bb654ef19d48423b797208bed8dfcfeaa97.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  (depth 2) C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe   PID 516
    cmdline: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  (depth 2) C:\Windows\SysWOW64\cmd.exe   PID 1172
    cmdline: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0e1ddc406a723a60928a3cacee301bb654ef19d48423b797208bed8dfcfeaa97.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    (depth 3) C:\Windows\SysWOW64\PING.EXE   PID 1204
      cmdline: ping 127.0.0.1
      - Runs ping.exe
The command line names System32\cmd.exe but the image that ran is SysWOW64\cmd.exe: WOW64 file-system redirection maps System32 to SysWOW64 for a 32-bit parent, which is a second indicator (with the Wow6432Node Run key) that the sample is a 32-bit binary. The ping 127.0.0.1 is only a delay so that the parent has exited before del /q removes its image from disk.
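The two behaviours in this tree that are worth turning into detection logic are the self-deletion chain (sample spawns cmd.exe, which pings loopback as a sleep and then deletes the sample's own image) and the Run-key autorun pointing into a user Temp directory. The block below is an added example, not part of the sandbox report: it encodes the process tree and the Run-key IoC above as constructed records (same PIDs, paths and command lines as listed) and runs three checks over them. The record layout (`Proc`, `RUN_KEYS`) and the function names are assumptions made for the example; a real deployment would fill them from Sysmon event IDs 1 and 13 or an EDR process feed.

```python
"""Detection logic for the Sakula process tree above (added example, not report content)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE_NAME = "0e1ddc406a723a60928a3cacee301bb654ef19d48423b797208bed8dfcfeaa97.exe"
SAMPLE_PATH = TEMP + "\\" + SAMPLE_NAME
PAYLOAD_PATH = TEMP + r"\MicroMedia\MediaCenter.exe"


@dataclass
class Proc:
    pid: int
    ppid: Optional[int]  # None for the root of the tree (hypothetical record layout)
    image: str           # on-disk image path as the sandbox reports it
    cmdline: str


# Constructed from the report's process tree: same PIDs, images and command lines.
PROCESSES: List[Proc] = [
    Proc(952, None, SAMPLE_PATH, f'"{SAMPLE_PATH}"'),
    Proc(516, 952, PAYLOAD_PATH, PAYLOAD_PATH),
    Proc(1172, 952, r"C:\Windows\SysWOW64\cmd.exe",
         f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE_PATH}"'),
    Proc(1204, 1172, r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.1"),
]

# Constructed from the "Adds Run key" IoC: (key, value name, data, PID that set it).
RUN_KEYS: List[Tuple[str, str, str, int]] = [
    (r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run",
     "MicroMedia", PAYLOAD_PATH, 952),
]

# "ping <host>" used as a sleep, chained with & into del/erase of a quoted or bare path.
SELF_DELETE_RE = re.compile(
    r"\bping\b[^&]*&+\s*(?:del|erase)\b\s*(?:/\w+\s+)*\"?([^\"]+?)\"?\s*$",
    re.IGNORECASE,
)


def _norm(path: str) -> str:
    return path.strip().strip('"').lower()


def _in_temp(path: str) -> bool:
    return "\\appdata\\local\\temp\\" in _norm(path)


def find_self_deletion(procs: List[Proc]) -> List[Dict]:
    """cmd.exe children whose 'ping & del' target is their parent's own image."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for p in procs:
        if not p.image.lower().endswith("\\cmd.exe"):
            continue
        m = SELF_DELETE_RE.search(p.cmdline)
        parent = by_pid.get(p.ppid) if p.ppid is not None else None
        if m and parent and _norm(m.group(1)) == _norm(parent.image):
            hits.append({"cmd_pid": p.pid, "victim_pid": parent.pid, "target": m.group(1)})
    return hits


def find_temp_autoruns(run_keys: List[Tuple[str, str, str, int]]) -> List[Dict]:
    """Run-key values (either registry view) whose executable lives under a user Temp dir."""
    hits = []
    for key, name, data, pid in run_keys:
        if key.lower().endswith("\\currentversion\\run") and _in_temp(data):
            hits.append({"pid": pid, "name": name, "path": data.strip('"')})
    return hits


def find_dropped_executions(procs: List[Proc]) -> List[Dict]:
    """Children started from Temp by a parent that itself runs from Temp."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for p in procs:
        parent = by_pid.get(p.ppid) if p.ppid is not None else None
        if parent and _in_temp(p.image) and _in_temp(parent.image) and p.image != parent.image:
            hits.append({"parent_pid": parent.pid, "pid": p.pid, "image": p.image})
    return hits


if __name__ == "__main__":
    for hit in find_self_deletion(PROCESSES):
        print("self-deletion:", hit)
    for hit in find_temp_autoruns(RUN_KEYS):
        print("temp autorun:", hit)
    for hit in find_dropped_executions(PROCESSES):
        print("dropped exe run:", hit)
```

The self-deletion check deliberately requires the del target to equal the parent's image path; a bare "cmd /c ping & del" match fires on installers and updaters, while a match against the parent's own executable is close to unambiguous. Matching the Run key on its CurrentVersion\Run suffix rather than a fixed prefix catches both the native and the Wow6432Node view.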
Network
MITRE ATT&CK Enterprise v6
Downloads
One artifact, which the report lists three times with identical hashes:
- MD5: 9bce549ea228b6e23408ca1e4c9c2d17
- SHA1: 42b56b60f19c02afc76f628a86e1077b00dfa608
- SHA256: 1e112ddf48fba7086bcb8f259850f1f0ad3821d2d25d451d5da01952a6ed60d0
- SHA512: 86e2c8b7ffb4ea7f7c533edc583744e5a66aa4d1f6fc250442fd94f71e657bb6d638dd28a3f8038614b89d8adcff3c21d6fcf85d14748e775cba0e0bb4793d27