Analysis
- max time kernel: 133s
- max time network: 152s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 07:24
Static task: static1
Behavioral task: behavioral1
  Sample: 0db561fc3320635e0bbd1ff8e481016e0c6f5698b7ba7191470e9db22e4033ad.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0db561fc3320635e0bbd1ff8e481016e0c6f5698b7ba7191470e9db22e4033ad.exe
  Resource: win10v2004-en-20220113
General
- Target: 0db561fc3320635e0bbd1ff8e481016e0c6f5698b7ba7191470e9db22e4033ad.exe
- Size: 99KB
- MD5: d2616dfac129f2af6b893987fb787584
- SHA1: 3b2ada756586062e3144696b9fed16bf65e30697
- SHA256: 0db561fc3320635e0bbd1ff8e481016e0c6f5698b7ba7191470e9db22e4033ad
- SHA512: 057f1c2d8ec830f875122dc5700bd1d2cc5ad5804a1c9d7fdf043a56425b80da2c5d9226afb9e055d8800a9d8ddde1d8a8de9c3d9088fe575b9ed71365b5d0a9
Malware Config
Signatures
- Sakula Payload (3 IoCs)
  Processes:
  resource | yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- Executes dropped EXE (1 IoC)
  Processes:
  pid | process
  1324 | MediaCenter.exe
- Deletes itself (1 IoC)
  Processes:
  pid | process
  1100 | cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes:
  pid | process
  1680 | 0db561fc3320635e0bbd1ff8e481016e0c6f5698b7ba7191470e9db22e4033ad.exe
  1680 | 0db561fc3320635e0bbd1ff8e481016e0c6f5698b7ba7191470e9db22e4033ad.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 0db561fc3320635e0bbd1ff8e481016e0c6f5698b7ba7191470e9db22e4033ad.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 1680 | 0db561fc3320635e0bbd1ff8e481016e0c6f5698b7ba7191470e9db22e4033ad.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
  description | pid | process | target process
  PID 1680 wrote to memory of 1324 | 1680 | 0db561fc3320635e0bbd1ff8e481016e0c6f5698b7ba7191470e9db22e4033ad.exe | MediaCenter.exe
  PID 1680 wrote to memory of 1324 | 1680 | 0db561fc3320635e0bbd1ff8e481016e0c6f5698b7ba7191470e9db22e4033ad.exe | MediaCenter.exe
  PID 1680 wrote to memory of 1324 | 1680 | 0db561fc3320635e0bbd1ff8e481016e0c6f5698b7ba7191470e9db22e4033ad.exe | MediaCenter.exe
  PID 1680 wrote to memory of 1324 | 1680 | 0db561fc3320635e0bbd1ff8e481016e0c6f5698b7ba7191470e9db22e4033ad.exe | MediaCenter.exe
  PID 1680 wrote to memory of 1100 | 1680 | 0db561fc3320635e0bbd1ff8e481016e0c6f5698b7ba7191470e9db22e4033ad.exe | cmd.exe
  PID 1680 wrote to memory of 1100 | 1680 | 0db561fc3320635e0bbd1ff8e481016e0c6f5698b7ba7191470e9db22e4033ad.exe | cmd.exe
  PID 1680 wrote to memory of 1100 | 1680 | 0db561fc3320635e0bbd1ff8e481016e0c6f5698b7ba7191470e9db22e4033ad.exe | cmd.exe
  PID 1680 wrote to memory of 1100 | 1680 | 0db561fc3320635e0bbd1ff8e481016e0c6f5698b7ba7191470e9db22e4033ad.exe | cmd.exe
  PID 1100 wrote to memory of 1748 | 1100 | cmd.exe | PING.EXE
  PID 1100 wrote to memory of 1748 | 1100 | cmd.exe | PING.EXE
  PID 1100 wrote to memory of 1748 | 1100 | cmd.exe | PING.EXE
  PID 1100 wrote to memory of 1748 | 1100 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\0db561fc3320635e0bbd1ff8e481016e0c6f5698b7ba7191470e9db22e4033ad.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0db561fc3320635e0bbd1ff8e481016e0c6f5698b7ba7191470e9db22e4033ad.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1680
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1324
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0db561fc3320635e0bbd1ff8e481016e0c6f5698b7ba7191470e9db22e4033ad.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1100
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1748
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 85f0376e6e912788625adf33570a4a62
  SHA1: 9976e71ca8fa44595a6eda106ac94e9207768c74
  SHA256: 2477cfc935e955169f5530c5ee829f682e2ff23714d5edcd116c5d80a9e5d9c0
  SHA512: 8942eafa11f605185dd04536bffa6af37107941e1b27d553a8f34f2c9e01a90b3c17cf878e07b54d6470782064cdba2dd6d026078d5bf4caa193833454d66f25
- MD5: 85f0376e6e912788625adf33570a4a62
  SHA1: 9976e71ca8fa44595a6eda106ac94e9207768c74
  SHA256: 2477cfc935e955169f5530c5ee829f682e2ff23714d5edcd116c5d80a9e5d9c0
  SHA512: 8942eafa11f605185dd04536bffa6af37107941e1b27d553a8f34f2c9e01a90b3c17cf878e07b54d6470782064cdba2dd6d026078d5bf4caa193833454d66f25
- MD5: 85f0376e6e912788625adf33570a4a62
  SHA1: 9976e71ca8fa44595a6eda106ac94e9207768c74
  SHA256: 2477cfc935e955169f5530c5ee829f682e2ff23714d5edcd116c5d80a9e5d9c0
  SHA512: 8942eafa11f605185dd04536bffa6af37107941e1b27d553a8f34f2c9e01a90b3c17cf878e07b54d6470782064cdba2dd6d026078d5bf4caa193833454d66f25