Analysis
- max time kernel: 129s
- max time network: 152s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 07:16
(The signatures and process tree below are from the windows7_x64 run, behavioral1.)

Static task: static1
Behavioral task: behavioral1
- Sample: 0e16a4d136a1cea4a4f8f8335ea29b3c2cf1dbbbb7fc2a8834d2530d6de11ab2.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 0e16a4d136a1cea4a4f8f8335ea29b3c2cf1dbbbb7fc2a8834d2530d6de11ab2.exe
- Resource: win10v2004-en-20220112
General
- Target: 0e16a4d136a1cea4a4f8f8335ea29b3c2cf1dbbbb7fc2a8834d2530d6de11ab2.exe
- Size: 191KB
- MD5: 0bb48908995c9f392e739f17ac9f0d4b
- SHA1: 3d84ac44a86d792961ee820ea4f98145fa3c23d1
- SHA256: 0e16a4d136a1cea4a4f8f8335ea29b3c2cf1dbbbb7fc2a8834d2530d6de11ab2
- SHA512: c9be127d783962e46c1edf1174b4ebff42488b44752bece64c520d306883ea6ff218ce36b55ae5dfda38ab0872a52b498457a634b579151243b483349656e575
Malware Config
Signatures
- Sakula Payload (3 IoCs)
  resource | yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- Executes dropped EXE (1 IoC)
  pid | process
  1516 | MediaCenter.exe
- Deletes itself (1 IoC)
  pid | process
  1032 | cmd.exe
- Loads dropped DLL (2 IoCs)
  pid | process
  1568 | 0e16a4d136a1cea4a4f8f8335ea29b3c2cf1dbbbb7fc2a8834d2530d6de11ab2.exe
  1568 | 0e16a4d136a1cea4a4f8f8335ea29b3c2cf1dbbbb7fc2a8834d2530d6de11ab2.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 0e16a4d136a1cea4a4f8f8335ea29b3c2cf1dbbbb7fc2a8834d2530d6de11ab2.exe
  (\REGISTRY\MACHINE\SOFTWARE\Wow6432Node is the 32-bit view of HKLM\SOFTWARE on an x64 host: the 32-bit sample wrote what it sees as HKLM\...\CurrentVersion\Run, so hunt for the value under the Wow6432Node path, not only the native one.)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  (This is the sandbox's generic description for the signature. Nothing else in this report, no mass file writes and no ransom note, supports a ransomware classification; the family_sakula YARA match above is the stronger indicator.)
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 1568 | 0e16a4d136a1cea4a4f8f8335ea29b3c2cf1dbbbb7fc2a8834d2530d6de11ab2.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  description | pid | process | target process
  PID 1568 wrote to memory of 1516 | 1568 | 0e16a4d136a1cea4a4f8f8335ea29b3c2cf1dbbbb7fc2a8834d2530d6de11ab2.exe | MediaCenter.exe (recorded 4 times)
  PID 1568 wrote to memory of 1032 | 1568 | 0e16a4d136a1cea4a4f8f8335ea29b3c2cf1dbbbb7fc2a8834d2530d6de11ab2.exe | cmd.exe (recorded 4 times)
  PID 1032 wrote to memory of 1328 | 1032 | cmd.exe | PING.EXE (recorded 4 times)
  (Every write here goes from a parent into a child it has just created, which CreateProcess does as part of normal process setup; the signature matters in this report only because of what those children go on to do.)
Processes
1. C:\Users\Admin\AppData\Local\Temp\0e16a4d136a1cea4a4f8f8335ea29b3c2cf1dbbbb7fc2a8834d2530d6de11ab2.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\0e16a4d136a1cea4a4f8f8335ea29b3c2cf1dbbbb7fc2a8834d2530d6de11ab2.exe"
   PID: 1568
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      PID: 1516
      - Executes dropped EXE
   2. C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0e16a4d136a1cea4a4f8f8335ea29b3c2cf1dbbbb7fc2a8834d2530d6de11ab2.exe"
      PID: 1032
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\PING.EXE
         command line: ping 127.0.0.1
         PID: 1328
         - Runs ping.exe

Two things in this tree are worth reading carefully. The command lines name C:\Windows\System32\cmd.exe, but the images that actually ran are under C:\Windows\SysWOW64: the sample is 32-bit and WoW64 file-system redirection on the x64 host maps its System32 references there, so a detection keyed on the image path must accept both directories. The ping 127.0.0.1 in the cmd.exe child is not network activity; it is a delay so the original dropper can exit before del /q unlinks its own image, which is why the report credits cmd.exe (PID 1032), not the sample, with "Deletes itself".
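The chain above (drop an executable under the user's Temp directory, persist it through the HKLM Wow6432Node Run key, then self-delete through cmd /c ping 127.0.0.1 & del) is a pattern worth hunting for across an estate, not only in this one sample. The script below is an added example, not code from the sandbox vendor or from the sample: it reconstructs the process tree and checks three linked conditions (a cmd.exe child that deletes its own parent's image after a ping, a Run-key value pointing into AppData\Local\Temp, and the key's writer actually launching that target) over event records constructed from this report. The sample's own parent PID (900) and the Sysmon-style field names are assumptions; the paths, PIDs, command lines and registry value are the report's.

```python
"""Hunt for the delivery chain recorded in the report (drop to AppData\\Local\\Temp,
persist via the HKLM Wow6432Node Run key, self-delete via ping-then-del) over
process-creation and registry-set events. Added example; not sandbox or sample code."""
import re
from dataclasses import dataclass

# Paths taken from the report. The parent PID of the sample (900) is an
# assumption: the report does not record who launched it.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\0e16a4d136a1cea4a4f8f8335ea29b3c2cf1dbbbb7fc2a8834d2530d6de11ab2.exe")
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"


@dataclass(frozen=True)
class ProcEvent:          # one process-creation record (Sysmon event 1 style, assumed)
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass(frozen=True)
class RegEvent:           # one registry value-set record (Sysmon event 13 style, assumed)
    pid: int
    key: str
    value_name: str
    data: str


# Constructed from the report's process tree and Run-key IoC.
PROC_EVENTS = [
    ProcEvent(1568, 900, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(1516, 1568, DROPPED, DROPPED),
    ProcEvent(1032, 1568, r"C:\Windows\SysWOW64\cmd.exe",
              f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"'),
    ProcEvent(1328, 1032, r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.1"),
]
REG_EVENTS = [
    RegEvent(1568,
             r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run",
             "MicroMedia", DROPPED),
]

# "ping ... & del [/switches] <path>": the ping is only a delay so the parent can
# exit before its image is unlinked. Captures the deleted path, quoted or not.
SELF_DELETE = re.compile(r'ping\b.*?&+\s*del\s+(?:/\S+\s+)*"?([^"]+?)"?\s*$', re.IGNORECASE)
RUN_KEY = re.compile(r'\\Microsoft\\Windows\\CurrentVersion\\Run$', re.IGNORECASE)
USER_TEMP = re.compile(r'\\AppData\\Local\\Temp\\', re.IGNORECASE)


def find_self_delete(proc_events):
    """[(cmd pid, parent pid, deleted path)] for every cmd.exe whose command line
    deletes its own parent's image. Matching the parent image, not just the
    ping-and-del shape, is what separates self-deletion from cleanup scripts."""
    by_pid = {e.pid: e for e in proc_events}
    hits = []
    for e in proc_events:
        if not e.image.lower().endswith("\\cmd.exe"):
            continue
        m = SELF_DELETE.search(e.cmdline)
        parent = by_pid.get(e.ppid)
        if m and parent and m.group(1).strip().lower() == parent.image.lower():
            hits.append((e.pid, e.ppid, m.group(1).strip()))
    return hits


def find_temp_run_keys(reg_events):
    """[(writer pid, value name, target)] for Run-key values whose target lives
    under a user's AppData\\Local\\Temp tree (both native and Wow6432Node paths
    end in ...\\CurrentVersion\\Run, so one regex covers them)."""
    return [(r.pid, r.value_name, r.data) for r in reg_events
            if RUN_KEY.search(r.key) and USER_TEMP.search(r.data)]


def persisted_and_executed(proc_events, reg_events):
    """Tie persistence to execution: the process that wrote a suspicious Run key
    also spawned the exact file the key points at. [(writer pid, child pid, path)]"""
    hits = []
    for writer, _name, target in find_temp_run_keys(reg_events):
        for e in proc_events:
            if e.ppid == writer and e.image.lower() == target.lower():
                hits.append((writer, e.pid, target))
    return hits


def render_tree(proc_events, root_pid):
    """Indented parent/child listing of the chain rooted at root_pid."""
    children = {}
    for e in proc_events:
        children.setdefault(e.ppid, []).append(e)
    by_pid = {e.pid: e for e in proc_events}
    lines = [f"{root_pid} {by_pid[root_pid].image}"]

    def walk(pid, depth):
        for c in children.get(pid, []):
            lines.append("  " * depth + f"{c.pid} {c.image}")
            walk(c.pid, depth + 1)

    walk(root_pid, 1)
    return lines


if __name__ == "__main__":
    print("\n".join(render_tree(PROC_EVENTS, 1568)))
    print("self-delete:", find_self_delete(PROC_EVENTS))
    print("temp run keys:", find_temp_run_keys(REG_EVENTS))
    print("persisted and executed:", persisted_and_executed(PROC_EVENTS, REG_EVENTS))
```

Run against real telemetry, the three checks are deliberately independent: the self-delete check fires on the cmd.exe record alone, the Run-key check on the registry record alone, and persisted_and_executed is the high-confidence correlation that needs both. Keeping them separate means a sample that changes one trick (a sleep via timeout instead of ping, or a Run key written from the dropped payload rather than the dropper) still trips the others.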
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: ddf379efaca9995f71a621f875c3e76f
- SHA1: e7a57ab5a456988285d6005c34f21e80449e4eb7
- SHA256: 6f5de557a32491a8c72e7908a5c6fe6124487e73b737376907efa600fe226f7f
- SHA512: 7f8fb5882c495382be0a71b6e22351912ffeb547b275410c95d9a56f5f773beefd5ff06689e18b237672ee36e501bd7094998f4348649bf654b00848b0d97bc3