Analysis
Max time kernel: 157s
Max time network: 175s
Platform: windows7_x64
Resource: win7-en-20211208
Submitted: 12-02-2022 07:25
Static task: static1
Behavioral task: behavioral1
  Sample: 0da254418f70fb0cc5f62d9db51c56eaf3727fc79e824b599a7e9da8c5c23d91.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0da254418f70fb0cc5f62d9db51c56eaf3727fc79e824b599a7e9da8c5c23d91.exe
  Resource: win10v2004-en-20220113
All signatures, memory dumps and process-tree entries recorded on this page come from behavioral1 (Windows 7 x64); no behavioral2 (Windows 10) results are shown.
General
Target: 0da254418f70fb0cc5f62d9db51c56eaf3727fc79e824b599a7e9da8c5c23d91.exe
Size: 216KB
MD5: 079225c2f8b2c0cea518c888e6f3fde8
SHA1: ce8b5a306b4af29994af8314a16db232a551ff0a
SHA256: 0da254418f70fb0cc5f62d9db51c56eaf3727fc79e824b599a7e9da8c5c23d91
SHA512: 6e0891bad6e6443938f9603b4900f6965f4c1cf991ca09d224f9aa8a394aaa78176b302f80d7ae09102d0177e3e000ef147447614165f9bcc97b9fef05e6c317
Malware Config
Signatures
Sakula Payload (4 IoCs)
  yara_rule family_sakula matched on:
  - \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (dropped file)
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (dropped file)
  - behavioral1/memory/1312-58-0x0000000000400000-0x0000000000420000-memory.dmp (PID 1312, the submitted sample)
  - behavioral1/memory/820-59-0x0000000000400000-0x0000000000420000-memory.dmp (PID 820, MediaCenter.exe)
  Both processes map a 0x20000-byte image region at 0x00400000 (the classic 32-bit default image base), and the rule matches in both.
Executes dropped EXE (1 IoC)
  PID 820 MediaCenter.exe
Deletes itself (1 IoC)
  PID 1816 cmd.exe (del /q of the original sample path; see the process tree below)
Loads dropped DLL (1 IoC)
  PID 1312 0da254418f70fb0cc5f62d9db51c56eaf3727fc79e824b599a7e9da8c5c23d91.exe
Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  Written by PID 1312 0da254418f70fb0cc5f62d9db51c56eaf3727fc79e824b599a7e9da8c5c23d91.exe. The Wow6432Node path is the 32-bit view of HKLM\...\CurrentVersion\Run and is still processed at logon; the value points at the dropped copy in %LOCALAPPDATA%\Temp, not at the submitted file, which is deleted next.
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature is "likely ransomware behaviour"; on its own it is a weak heuristic, and nothing else in this report supports that reading for this sample.
Runs ping.exe (1 TTP, 1 IoC)
  PID 812 PING.EXE, spawned by cmd.exe PID 1816 purely as a delay before the delete.
Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeIncBasePriorityPrivilege, PID 1312 0da254418f70fb0cc5f62d9db51c56eaf3727fc79e824b599a7e9da8c5c23d91.exe. This privilege only allows raising process scheduling priority and is enabled by plenty of benign software; it is a weak indicator by itself.
Suspicious use of WriteProcessMemory (12 IoCs)
  PID 1312 0da254418f70fb0cc5f62d9db51c56eaf3727fc79e824b599a7e9da8c5c23d91.exe wrote to memory of PID 820 MediaCenter.exe (4 events)
  PID 1312 0da254418f70fb0cc5f62d9db51c56eaf3727fc79e824b599a7e9da8c5c23d91.exe wrote to memory of PID 1816 cmd.exe (4 events)
  PID 1816 cmd.exe wrote to memory of PID 812 PING.EXE (4 events)
  Every write is from a parent into a child it had just spawned (see the process tree below); no write into an unrelated process is recorded.
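The Run-key write recorded above (a string value under HKLM\SOFTWARE\Wow6432Node\...\CurrentVersion\Run whose data points into %LOCALAPPDATA%\Temp) is the persistence artefact a detection engineer would alert on. The following Python is an added example, not code from the sandbox or from this report: it normalises registry paths the way sandbox reports and Sysmon Event ID 13 spell them, matches Run/RunOnce keys in both the native and Wow6432Node views, extracts the executable path from the value data, and flags autostart entries whose target lives in a user-writable directory. The field names TargetObject and Details follow Sysmon; the first sample record is built from this report's values, the other two are constructed benign baselines.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Hive spellings seen in sandbox reports and Sysmon EID 13, mapped to short names.
HIVE_PREFIXES = (
    ("\\REGISTRY\\MACHINE\\", "HKLM\\"),
    ("\\REGISTRY\\USER\\", "HKU\\"),
    ("HKEY_LOCAL_MACHINE\\", "HKLM\\"),
    ("HKEY_CURRENT_USER\\", "HKCU\\"),
    ("HKEY_USERS\\", "HKU\\"),
)

# Autostart keys, native and 32-bit (Wow6432Node) views, any hive.
RUN_KEY_RE = re.compile(
    r"^(?P<hive>HKLM|HKCU|HKU\\[^\\]+)\\SOFTWARE\\(?:Wow6432Node\\)?"
    r"Microsoft\\Windows\\CurrentVersion\\"
    r"(?P<key>Run|RunOnce|RunOnceEx|RunServices)\\(?P<name>[^\\]+)$",
    re.IGNORECASE,
)

# Directories an unprivileged user can write to; an autostart entry pointing
# here is the pattern in the report (...\AppData\Local\Temp\MicroMedia\).
USER_WRITABLE_DIRS = (
    "\\appdata\\local\\temp\\",
    "\\appdata\\roaming\\",
    "\\appdata\\local\\",
    "\\users\\public\\",
    "\\programdata\\",
    "\\windows\\temp\\",
)


@dataclass
class RunKeyFinding:
    pid: int
    key: str
    name: str
    image: str
    reason: str


def normalize_reg_path(path: str) -> str:
    """Rewrite \\REGISTRY\\MACHINE\\... or HKEY_LOCAL_MACHINE\\... to HKLM\\..., etc."""
    p = path.strip()
    for prefix, short in HIVE_PREFIXES:
        if p.upper().startswith(prefix):
            return short + p[len(prefix):]
    return p


def image_from_value(data: str) -> str:
    """Extract the executable path from Run value data (quoted, or unquoted with arguments)."""
    # Sandbox output shows the value with escaped backslashes ("C:\\Users\\..."); undo that.
    d = data.strip().replace("\\\\", "\\")
    if not d:
        return ""
    if d.startswith('"'):
        end = d.find('"', 1)
        return d[1:end] if end > 0 else d[1:]
    m = re.match(r"(?P<img>.+?\.exe)(?:\s|$)", d, re.IGNORECASE)
    return m.group("img") if m else d.split()[0]


def check_registry_event(ev: dict) -> Optional[RunKeyFinding]:
    """ev: Sysmon EID 13 style record with pid, image, TargetObject, Details."""
    key = normalize_reg_path(ev["TargetObject"])
    m = RUN_KEY_RE.match(key)
    if not m:
        return None
    image = image_from_value(ev["Details"])
    low = image.lower()
    for d in USER_WRITABLE_DIRS:
        if d in low:
            return RunKeyFinding(
                ev["pid"], key, m.group("name"), image,
                f"{m.group('key')} value '{m.group('name')}' points into user-writable directory {d}",
            )
    return None


def scan_registry_events(events) -> list:
    return [f for f in (check_registry_event(e) for e in events) if f]


# Constructed sample input: the first record uses the values from the report,
# the other two are made-up benign baselines (system-path autostart, non-Run key).
SAMPLE_EVENTS = [
    {"pid": 1312,
     "image": r"C:\Users\Admin\AppData\Local\Temp\0da254418f70fb0cc5f62d9db51c56eaf3727fc79e824b599a7e9da8c5c23d91.exe",
     "TargetObject": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "Details": r'"C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"'},
    {"pid": 4321, "image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
     "Details": r"%windir%\system32\SecurityHealthSystray.exe"},
    {"pid": 4400, "image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common Desktop",
     "Details": r"C:\Users\Public\Desktop"},
]

if __name__ == "__main__":
    for f in scan_registry_events(SAMPLE_EVENTS):
        print(f"PID {f.pid}: {f.reason} -> {f.image}")
```

The directory list is deliberately broad (all of AppData\Local, not just Temp) because the dropped-copy location varies between samples; tune it against your own baseline of legitimate per-user installers, which are the main source of false positives for this rule.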
Processes
C:\Users\Admin\AppData\Local\Temp\0da254418f70fb0cc5f62d9db51c56eaf3727fc79e824b599a7e9da8c5c23d91.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0da254418f70fb0cc5f62d9db51c56eaf3727fc79e824b599a7e9da8c5c23d91.exe"
  PID: 1312
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 820
    - Executes dropped EXE
  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0da254418f70fb0cc5f62d9db51c56eaf3727fc79e824b599a7e9da8c5c23d91.exe"
    PID: 1816
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 812
      - Runs ping.exe
The sample is a 32-bit image (its code region is 0x00400000-0x00420000 and it writes the Run value under Wow6432Node), so the cmd.exe it requests as C:\Windows\System32\cmd.exe resolves through WoW64 file-system redirection to C:\Windows\SysWOW64\cmd.exe, which is why the image path and the command line differ. The ping 127.0.0.1 is only a delay so that the original file handle is closed before del /q removes the submitted sample from disk; MediaCenter.exe keeps running from the dropped path and is the copy registered in the Run key.
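The cmd.exe /c ping 127.0.0.1 & del /q "<own path>" pattern in the tree above is a common self-deletion idiom and is worth a process-creation detection of its own. The following Python is an added example, not code from the sandbox or from this report: it looks for a delay primitive (ping, timeout or choice) chained to del/erase in a single cmd.exe command line, pulls out the delete target, and raises severity when the target is the parent process's own image, which is exactly the relationship between PID 1312 and PID 1816 here. The record layout (pid, ppid, image, parent_image, command_line) is an assumption modelled on Sysmon Event ID 1; the first two sample records are built from this report's process tree, the other two are constructed benign and low-severity cases, so the example generalises slightly beyond the exact command line on the page.

```python
import re
from dataclasses import dataclass
from typing import Optional

# A delay primitive (ping/timeout/choice) chained to del/erase in one cmd.exe
# command line, as in the report's:  cmd.exe /c ping 127.0.0.1 & del /q "<sample>"
DELAY_THEN_DELETE = re.compile(
    r"\b(?P<delay>ping|timeout|choice)\b[^&|]*?(?:&&?|\|\|?)\s*"
    r"(?P<del>del|erase)\b(?P<args>[^&|]*)",
    re.IGNORECASE,
)
# Switches (/q, /f, ...) followed by an optionally quoted path.
DEL_TARGET = re.compile(r'(?:/[a-z]\s+)*"?(?P<target>[^"]+?)"?\s*$', re.IGNORECASE)


@dataclass
class SelfDeleteFinding:
    pid: int
    severity: str
    target: str
    note: str


def delete_target(args: str) -> Optional[str]:
    """Return the path passed to del/erase, without switches or quotes."""
    m = DEL_TARGET.match(args.strip())
    return m.group("target").strip() if m else None


def check_process_event(ev: dict) -> Optional[SelfDeleteFinding]:
    """ev: process-creation record with pid, ppid, image, parent_image, command_line."""
    if not ev["image"].lower().endswith("\\cmd.exe"):
        return None
    m = DELAY_THEN_DELETE.search(ev["command_line"])
    if not m:
        return None
    target = delete_target(m.group("args"))
    if not target:
        return None
    # Exact path comparison; 8.3 short names or %VAR% forms would need expansion first.
    if target.lower() == ev["parent_image"].lower():
        return SelfDeleteFinding(
            ev["pid"], "high", target,
            f"parent {ev['parent_image']} deletes its own binary after a {m.group('delay')} delay",
        )
    return SelfDeleteFinding(
        ev["pid"], "medium", target,
        f"delayed {m.group('del')} via {m.group('delay')} of {target}",
    )


def scan_process_events(events) -> list:
    return [f for f in (check_process_event(e) for e in events) if f]


SAMPLE_PATH = r"C:\Users\Admin\AppData\Local\Temp\0da254418f70fb0cc5f62d9db51c56eaf3727fc79e824b599a7e9da8c5c23d91.exe"

# Constructed sample input: records 1 and 2 come from the report's process tree,
# records 3 and 4 are made-up (an installer's delayed cleanup, a plain ping).
SAMPLE_EVENTS = [
    {"pid": 1816, "ppid": 1312, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "parent_image": SAMPLE_PATH,
     "command_line": r'"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "' + SAMPLE_PATH + '"'},
    {"pid": 812, "ppid": 1816, "image": r"C:\Windows\SysWOW64\PING.EXE",
     "parent_image": r"C:\Windows\SysWOW64\cmd.exe", "command_line": "ping 127.0.0.1"},
    {"pid": 2200, "ppid": 2100, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Program Files\Example\setup.exe",
     "command_line": r'cmd.exe /c timeout /t 5 && erase /f "C:\Users\Admin\AppData\Local\Temp\setup.tmp"'},
    {"pid": 2300, "ppid": 2100, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Program Files\Example\setup.exe",
     "command_line": "cmd.exe /c ping 127.0.0.1 -n 2"},
]

if __name__ == "__main__":
    for f in scan_process_events(SAMPLE_EVENTS):
        print(f"[{f.severity}] PID {f.pid}: {f.note}")
```

Only the high-severity case (target equals the parent image) is specific to self-deleting droppers; the medium case fires on legitimate installers as well and is better used as context for other alerts than as a standalone rule.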
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: 40e4139ea2c1443d7446f6591e810bac
SHA1: 343da6e6cf4f8133f172df06fed86cf8ce5f3e28
SHA256: bedad83e769b89fd8193bed4e67c203a19ace53ff5931c457be43b345435b083
SHA512: 70787beee9bfa619eba4d14cd6d516704eeb3af288ead020285ab9e7457baaabfba2fdcf985ede150368fa58899905856e5eeb5eb774c60cc240060cb9fb356e