Analysis
-
max time kernel
138s -
max time network
150s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
12-02-2022 07:17
Static task
static1
Behavioral task
behavioral1
Sample
0e021cae6d9ed016c897b100badf70a6c327fd25d6be25ac2449e05bfb656745.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
0e021cae6d9ed016c897b100badf70a6c327fd25d6be25ac2449e05bfb656745.exe
Resource
win10v2004-en-20220112
General
-
Target
0e021cae6d9ed016c897b100badf70a6c327fd25d6be25ac2449e05bfb656745.exe
-
Size
216KB
-
MD5
e7b0ca14caf8ab85e8ab124be76e59c2
-
SHA1
87aa844541260d76b8745304a798a420a89299e8
-
SHA256
0e021cae6d9ed016c897b100badf70a6c327fd25d6be25ac2449e05bfb656745
-
SHA512
af736803f50fef7f24d530a311a8dfb247f2c2d3c7c92678449389943a2c0180fe9c805f3440e77cc33111af776abce16efec4007b35c5104d692c2cbe1cfcf3
Malware Config
Signatures
-
Sakula Payload 4 IoCs
Processes:
resource yara_rule \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula behavioral1/memory/1212-58-0x0000000000400000-0x0000000000420000-memory.dmp family_sakula behavioral1/memory/1724-59-0x0000000000400000-0x0000000000420000-memory.dmp family_sakula -
Executes dropped EXE 1 IoCs
Processes:
MediaCenter.exepid process 1724 MediaCenter.exe -
Deletes itself 1 IoCs
Processes:
cmd.exepid process 736 cmd.exe -
Loads dropped DLL 1 IoCs
Processes:
0e021cae6d9ed016c897b100badf70a6c327fd25d6be25ac2449e05bfb656745.exepid process 1212 0e021cae6d9ed016c897b100badf70a6c327fd25d6be25ac2449e05bfb656745.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
0e021cae6d9ed016c897b100badf70a6c327fd25d6be25ac2449e05bfb656745.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" 0e021cae6d9ed016c897b100badf70a6c327fd25d6be25ac2449e05bfb656745.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
0e021cae6d9ed016c897b100badf70a6c327fd25d6be25ac2449e05bfb656745.exedescription pid process Token: SeIncBasePriorityPrivilege 1212 0e021cae6d9ed016c897b100badf70a6c327fd25d6be25ac2449e05bfb656745.exe -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
0e021cae6d9ed016c897b100badf70a6c327fd25d6be25ac2449e05bfb656745.execmd.exedescription pid process target process PID 1212 wrote to memory of 1724 1212 0e021cae6d9ed016c897b100badf70a6c327fd25d6be25ac2449e05bfb656745.exe MediaCenter.exe PID 1212 wrote to memory of 1724 1212 0e021cae6d9ed016c897b100badf70a6c327fd25d6be25ac2449e05bfb656745.exe MediaCenter.exe PID 1212 wrote to memory of 1724 1212 0e021cae6d9ed016c897b100badf70a6c327fd25d6be25ac2449e05bfb656745.exe MediaCenter.exe PID 1212 wrote to memory of 1724 1212 0e021cae6d9ed016c897b100badf70a6c327fd25d6be25ac2449e05bfb656745.exe MediaCenter.exe PID 1212 wrote to memory of 736 1212 0e021cae6d9ed016c897b100badf70a6c327fd25d6be25ac2449e05bfb656745.exe cmd.exe PID 1212 wrote to memory of 736 1212 0e021cae6d9ed016c897b100badf70a6c327fd25d6be25ac2449e05bfb656745.exe cmd.exe PID 1212 wrote to memory of 736 1212 0e021cae6d9ed016c897b100badf70a6c327fd25d6be25ac2449e05bfb656745.exe cmd.exe PID 1212 wrote to memory of 736 1212 0e021cae6d9ed016c897b100badf70a6c327fd25d6be25ac2449e05bfb656745.exe cmd.exe PID 736 wrote to memory of 1404 736 cmd.exe PING.EXE PID 736 wrote to memory of 1404 736 cmd.exe PING.EXE PID 736 wrote to memory of 1404 736 cmd.exe PING.EXE PID 736 wrote to memory of 1404 736 cmd.exe PING.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\0e021cae6d9ed016c897b100badf70a6c327fd25d6be25ac2449e05bfb656745.exe"C:\Users\Admin\AppData\Local\Temp\0e021cae6d9ed016c897b100badf70a6c327fd25d6be25ac2449e05bfb656745.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1212 -
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeC:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe2⤵
- Executes dropped EXE
PID:1724 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0e021cae6d9ed016c897b100badf70a6c327fd25d6be25ac2449e05bfb656745.exe"2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:736 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.13⤵
- Runs ping.exe
PID:1404
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
7577768561ccfae348d207fdac0a4835
SHA1cc78a89b6b8d2bbfa3d1055910c829baf8cafc87
SHA25616fb65019cdbe18c1203c61ef28d0094dc2cfdb15e620816393481dd8b338045
SHA5126662bd2a90134f4e8dcd66ec168c2474e82ab07d285fd08e2740548dd54b50d8c65bfed0e0820e2d5e0158bff580a4178bdb1950dfd2e7df36968867b90c383a
-
MD5
7577768561ccfae348d207fdac0a4835
SHA1cc78a89b6b8d2bbfa3d1055910c829baf8cafc87
SHA25616fb65019cdbe18c1203c61ef28d0094dc2cfdb15e620816393481dd8b338045
SHA5126662bd2a90134f4e8dcd66ec168c2474e82ab07d285fd08e2740548dd54b50d8c65bfed0e0820e2d5e0158bff580a4178bdb1950dfd2e7df36968867b90c383a