Analysis
  max time kernel:  124s
  max time network: 149s
  platform:         windows7_x64
  resource:         win7-en-20211208
  submitted:        12-02-2022 07:24

Static task: static1

Behavioral task: behavioral1
  Sample:   0da58db447dcdeacd572fb2e83b03e4244cbd9ea00516e3731b50f6681d4d357.exe
  Resource: win7-en-20211208

Behavioral task: behavioral2
  Sample:   0da58db447dcdeacd572fb2e83b03e4244cbd9ea00516e3731b50f6681d4d357.exe
  Resource: win10v2004-en-20220113

General
  Target: 0da58db447dcdeacd572fb2e83b03e4244cbd9ea00516e3731b50f6681d4d357.exe
  Size:   79KB
  MD5:    f1bb11a03dc06d65a0df3a2da49d8e7b
  SHA1:   9d7bd4ea013bf34406d7bb9c500e25b29a158db0
  SHA256: 0da58db447dcdeacd572fb2e83b03e4244cbd9ea00516e3731b50f6681d4d357
  SHA512: 638c7f384d876618b608cdd75735b8c2fa0fc94573e9b8b07f445bd6e6be224df062de7000783bcb26be9d6928092878f9b5fe692c9bd18e5de248d8b376ba86
Malware Config
Signatures
Sakula Payload (3 IoCs)
  resource                                                        yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe      family_sakula
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe      family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe    family_sakula

Executes dropped EXE (1 IoC)
  Processes: MediaCenter.exe
  pid    process
  1448   MediaCenter.exe

Deletes itself (1 IoC)
  Processes: cmd.exe
  pid    process
  1788   cmd.exe

Loads dropped DLL (2 IoCs)
  Processes: 0da58db447dcdeacd572fb2e83b03e4244cbd9ea00516e3731b50f6681d4d357.exe
  pid    process
  1592   0da58db447dcdeacd572fb2e83b03e4244cbd9ea00516e3731b50f6681d4d357.exe
  1592   0da58db447dcdeacd572fb2e83b03e4244cbd9ea00516e3731b50f6681d4d357.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: 0da58db447dcdeacd572fb2e83b03e4244cbd9ea00516e3731b50f6681d4d357.exe
  description       ioc                                                                                                                                                                 process
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"    0da58db447dcdeacd572fb2e83b03e4244cbd9ea00516e3731b50f6681d4d357.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTP, 1 IoC)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: 0da58db447dcdeacd572fb2e83b03e4244cbd9ea00516e3731b50f6681d4d357.exe
  description                         pid    process
  Token: SeIncBasePriorityPrivilege   1592   0da58db447dcdeacd572fb2e83b03e4244cbd9ea00516e3731b50f6681d4d357.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  Processes: 0da58db447dcdeacd572fb2e83b03e4244cbd9ea00516e3731b50f6681d4d357.exe, cmd.exe
  description                         pid    process                                                                  target process
  PID 1592 wrote to memory of 1448    1592   0da58db447dcdeacd572fb2e83b03e4244cbd9ea00516e3731b50f6681d4d357.exe    MediaCenter.exe
  PID 1592 wrote to memory of 1448    1592   0da58db447dcdeacd572fb2e83b03e4244cbd9ea00516e3731b50f6681d4d357.exe    MediaCenter.exe
  PID 1592 wrote to memory of 1448    1592   0da58db447dcdeacd572fb2e83b03e4244cbd9ea00516e3731b50f6681d4d357.exe    MediaCenter.exe
  PID 1592 wrote to memory of 1448    1592   0da58db447dcdeacd572fb2e83b03e4244cbd9ea00516e3731b50f6681d4d357.exe    MediaCenter.exe
  PID 1592 wrote to memory of 1788    1592   0da58db447dcdeacd572fb2e83b03e4244cbd9ea00516e3731b50f6681d4d357.exe    cmd.exe
  PID 1592 wrote to memory of 1788    1592   0da58db447dcdeacd572fb2e83b03e4244cbd9ea00516e3731b50f6681d4d357.exe    cmd.exe
  PID 1592 wrote to memory of 1788    1592   0da58db447dcdeacd572fb2e83b03e4244cbd9ea00516e3731b50f6681d4d357.exe    cmd.exe
  PID 1592 wrote to memory of 1788    1592   0da58db447dcdeacd572fb2e83b03e4244cbd9ea00516e3731b50f6681d4d357.exe    cmd.exe
  PID 1788 wrote to memory of 748     1788   cmd.exe                                                                  PING.EXE
  PID 1788 wrote to memory of 748     1788   cmd.exe                                                                  PING.EXE
  PID 1788 wrote to memory of 748     1788   cmd.exe                                                                  PING.EXE
  PID 1788 wrote to memory of 748     1788   cmd.exe                                                                  PING.EXE
Processes
  1. C:\Users\Admin\AppData\Local\Temp\0da58db447dcdeacd572fb2e83b03e4244cbd9ea00516e3731b50f6681d4d357.exe
     Command line: "C:\Users\Admin\AppData\Local\Temp\0da58db447dcdeacd572fb2e83b03e4244cbd9ea00516e3731b50f6681d4d357.exe"
     - Loads dropped DLL
     - Adds Run key to start application
     - Suspicious use of AdjustPrivilegeToken
     - Suspicious use of WriteProcessMemory
     PID: 1592

     2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
        - Executes dropped EXE
        PID: 1448

     2. C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0da58db447dcdeacd572fb2e83b03e4244cbd9ea00516e3731b50f6681d4d357.exe"
        - Deletes itself
        - Suspicious use of WriteProcessMemory
        PID: 1788

        3. C:\Windows\SysWOW64\PING.EXE
           Command line: ping 127.0.0.1
           - Runs ping.exe
           PID: 748
Network
MITRE ATT&CK Enterprise v6
Downloads
  MD5:    eb1921adf0d0998dba752dd87f54f6ed
  SHA1:   46058b30049d462cec7ddb7bbe41209b771b615c
  SHA256: 8809389d36643e6266712ec0776c0cdbae19a093c9834b42c9e87c3b87926094
  SHA512: 044c9ea1e637adce04da03bcf90bc4f90f67cc50339ca8119a8fce5c414dcb38caa5ca553b3f7cedf6781730913b1ccbca696f46b01ec8df2667767a454ece35

  MD5:    eb1921adf0d0998dba752dd87f54f6ed
  SHA1:   46058b30049d462cec7ddb7bbe41209b771b615c
  SHA256: 8809389d36643e6266712ec0776c0cdbae19a093c9834b42c9e87c3b87926094
  SHA512: 044c9ea1e637adce04da03bcf90bc4f90f67cc50339ca8119a8fce5c414dcb38caa5ca553b3f7cedf6781730913b1ccbca696f46b01ec8df2667767a454ece35

  MD5:    eb1921adf0d0998dba752dd87f54f6ed
  SHA1:   46058b30049d462cec7ddb7bbe41209b771b615c
  SHA256: 8809389d36643e6266712ec0776c0cdbae19a093c9834b42c9e87c3b87926094
  SHA512: 044c9ea1e637adce04da03bcf90bc4f90f67cc50339ca8119a8fce5c414dcb38caa5ca553b3f7cedf6781730913b1ccbca696f46b01ec8df2667767a454ece35