Analysis
max time kernel: 124s
max time network: 148s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 07:23
Static task: static1
Behavioral task: behavioral1
  Sample: 0dbd83f4265297f3aeeb74d323544843187ecd359bf8857ef8787170e43bdac6.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0dbd83f4265297f3aeeb74d323544843187ecd359bf8857ef8787170e43bdac6.exe
  Resource: win10v2004-en-20220113
General
Target: 0dbd83f4265297f3aeeb74d323544843187ecd359bf8857ef8787170e43bdac6.exe
Size: 101KB
MD5: 51a0a17c8c6db19609bfa27b4e0415d2
SHA1: 0290ef83b95ef2343381ff8ec70f98013bd2eb6f
SHA256: 0dbd83f4265297f3aeeb74d323544843187ecd359bf8857ef8787170e43bdac6
SHA512: ecde4837f702fece07695637a79f1b0aff4a14e2fe8ab92ca652d2ee588a36f989789417dee707ac32164fb8a8d189089b42e71aa66e06824bca3ad0567b9a9f
Malware Config
Signatures
Sakula Payload (3 IoCs)
Processes:
  resource | yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
Executes dropped EXE (1 IoC)
Processes:
  pid | process
  1720 | MediaCenter.exe
Deletes itself (1 IoC)
Processes:
  pid | process
  1212 | cmd.exe
Loads dropped DLL (2 IoCs)
Processes:
  pid | process
  1204 | 0dbd83f4265297f3aeeb74d323544843187ecd359bf8857ef8787170e43bdac6.exe
  1204 | 0dbd83f4265297f3aeeb74d323544843187ecd359bf8857ef8787170e43bdac6.exe
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 0dbd83f4265297f3aeeb74d323544843187ecd359bf8857ef8787170e43bdac6.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Runs ping.exe (1 TTP, 1 IoC)
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 1204 | 0dbd83f4265297f3aeeb74d323544843187ecd359bf8857ef8787170e43bdac6.exe
Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
  description | pid | process | target process
  PID 1204 wrote to memory of 1720 | 1204 | 0dbd83f4265297f3aeeb74d323544843187ecd359bf8857ef8787170e43bdac6.exe | MediaCenter.exe
  PID 1204 wrote to memory of 1720 | 1204 | 0dbd83f4265297f3aeeb74d323544843187ecd359bf8857ef8787170e43bdac6.exe | MediaCenter.exe
  PID 1204 wrote to memory of 1720 | 1204 | 0dbd83f4265297f3aeeb74d323544843187ecd359bf8857ef8787170e43bdac6.exe | MediaCenter.exe
  PID 1204 wrote to memory of 1720 | 1204 | 0dbd83f4265297f3aeeb74d323544843187ecd359bf8857ef8787170e43bdac6.exe | MediaCenter.exe
  PID 1204 wrote to memory of 1212 | 1204 | 0dbd83f4265297f3aeeb74d323544843187ecd359bf8857ef8787170e43bdac6.exe | cmd.exe
  PID 1204 wrote to memory of 1212 | 1204 | 0dbd83f4265297f3aeeb74d323544843187ecd359bf8857ef8787170e43bdac6.exe | cmd.exe
  PID 1204 wrote to memory of 1212 | 1204 | 0dbd83f4265297f3aeeb74d323544843187ecd359bf8857ef8787170e43bdac6.exe | cmd.exe
  PID 1204 wrote to memory of 1212 | 1204 | 0dbd83f4265297f3aeeb74d323544843187ecd359bf8857ef8787170e43bdac6.exe | cmd.exe
  PID 1212 wrote to memory of 1568 | 1212 | cmd.exe | PING.EXE
  PID 1212 wrote to memory of 1568 | 1212 | cmd.exe | PING.EXE
  PID 1212 wrote to memory of 1568 | 1212 | cmd.exe | PING.EXE
  PID 1212 wrote to memory of 1568 | 1212 | cmd.exe | PING.EXE
Processes
[1] C:\Users\Admin\AppData\Local\Temp\0dbd83f4265297f3aeeb74d323544843187ecd359bf8857ef8787170e43bdac6.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\0dbd83f4265297f3aeeb74d323544843187ecd359bf8857ef8787170e43bdac6.exe"
    PID: 1204
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
        PID: 1720
        - Executes dropped EXE
    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0dbd83f4265297f3aeeb74d323544843187ecd359bf8857ef8787170e43bdac6.exe"
        PID: 1212
        - Deletes itself
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\PING.EXE
            Command line: ping 127.0.0.1
            PID: 1568
            - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: b38464dbcae9def90b0208b2c9119707
SHA1: e298fbef8658cebb3268caee532632fdbd5e8a28
SHA256: 329d4e781b2311d087f9772778fefe124f898f897c029577e01a59e553948b90
SHA512: 0c2549eef4acc3b06acc010b95f98ffbb4f6a0d12d718777810b1e53b14297e236a11c2b306e9905bc79c5a8ed61baa1f7c0c87688ff69a43bd5f683f8fa17f6