Analysis

max time kernel: 134s
max time network: 150s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 06:33

Static task: static1

Behavioral task: behavioral1
Sample: 0fb29a584eb880ef530d7c2d9ec79674223232b1b10bdd8c6918f88d8cb4b27a.exe
Resource: win7-en-20211208

Behavioral task: behavioral2
Sample: 0fb29a584eb880ef530d7c2d9ec79674223232b1b10bdd8c6918f88d8cb4b27a.exe
Resource: win10v2004-en-20220112

General

Target: 0fb29a584eb880ef530d7c2d9ec79674223232b1b10bdd8c6918f88d8cb4b27a.exe
Size: 99KB
MD5: 2d77a12a3da6ae20200a7f8ec9502eb0
SHA1: 0b7d40a7bfaa7e23df0c7a6de308bf3234f1aa71
SHA256: 0fb29a584eb880ef530d7c2d9ec79674223232b1b10bdd8c6918f88d8cb4b27a
SHA512: c052b37a66d39a504e7df1510af67a9d7198c5287552b7dde3cf7435470cea4f39954c8f3493759a41b27250e3c9aeb3c9e3c9dbb5eaa04180213a102da940a9
Malware Config
Signatures
Sakula Payload (3 IoCs)
resource | yara_rule
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula

Executes dropped EXE (1 IoC)
pid | process
1624 | MediaCenter.exe

Deletes itself (1 IoC)
pid | process
1068 | cmd.exe

Loads dropped DLL (2 IoCs)
pid | process
976 | 0fb29a584eb880ef530d7c2d9ec79674223232b1b10bdd8c6918f88d8cb4b27a.exe
976 | 0fb29a584eb880ef530d7c2d9ec79674223232b1b10bdd8c6918f88d8cb4b27a.exe

Adds Run key to start application (2 TTPs, 1 IoC)
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 0fb29a584eb880ef530d7c2d9ec79674223232b1b10bdd8c6918f88d8cb4b27a.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTP, 1 IoC)

Suspicious use of AdjustPrivilegeToken (1 IoC)
description | pid | process
Token: SeIncBasePriorityPrivilege | 976 | 0fb29a584eb880ef530d7c2d9ec79674223232b1b10bdd8c6918f88d8cb4b27a.exe

Suspicious use of WriteProcessMemory (12 IoCs)
description | pid | process | target process
PID 976 wrote to memory of 1624 | 976 | 0fb29a584eb880ef530d7c2d9ec79674223232b1b10bdd8c6918f88d8cb4b27a.exe | MediaCenter.exe
PID 976 wrote to memory of 1624 | 976 | 0fb29a584eb880ef530d7c2d9ec79674223232b1b10bdd8c6918f88d8cb4b27a.exe | MediaCenter.exe
PID 976 wrote to memory of 1624 | 976 | 0fb29a584eb880ef530d7c2d9ec79674223232b1b10bdd8c6918f88d8cb4b27a.exe | MediaCenter.exe
PID 976 wrote to memory of 1624 | 976 | 0fb29a584eb880ef530d7c2d9ec79674223232b1b10bdd8c6918f88d8cb4b27a.exe | MediaCenter.exe
PID 976 wrote to memory of 1068 | 976 | 0fb29a584eb880ef530d7c2d9ec79674223232b1b10bdd8c6918f88d8cb4b27a.exe | cmd.exe
PID 976 wrote to memory of 1068 | 976 | 0fb29a584eb880ef530d7c2d9ec79674223232b1b10bdd8c6918f88d8cb4b27a.exe | cmd.exe
PID 976 wrote to memory of 1068 | 976 | 0fb29a584eb880ef530d7c2d9ec79674223232b1b10bdd8c6918f88d8cb4b27a.exe | cmd.exe
PID 976 wrote to memory of 1068 | 976 | 0fb29a584eb880ef530d7c2d9ec79674223232b1b10bdd8c6918f88d8cb4b27a.exe | cmd.exe
PID 1068 wrote to memory of 880 | 1068 | cmd.exe | PING.EXE
PID 1068 wrote to memory of 880 | 1068 | cmd.exe | PING.EXE
PID 1068 wrote to memory of 880 | 1068 | cmd.exe | PING.EXE
PID 1068 wrote to memory of 880 | 1068 | cmd.exe | PING.EXE
Processes
C:\Users\Admin\AppData\Local\Temp\0fb29a584eb880ef530d7c2d9ec79674223232b1b10bdd8c6918f88d8cb4b27a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0fb29a584eb880ef530d7c2d9ec79674223232b1b10bdd8c6918f88d8cb4b27a.exe"
  PID: 976
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      PID: 1624
      - Executes dropped EXE

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0fb29a584eb880ef530d7c2d9ec79674223232b1b10bdd8c6918f88d8cb4b27a.exe"
      PID: 1068
      - Deletes itself
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\PING.EXE
          Command line: ping 127.0.0.1
          PID: 880
          - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: e6a7d08a482cfd56d5f721c4e9372302
SHA1: 2fb37f15a73451349865f41f4944cb911ddce484
SHA256: f37784a8a2f73584f34b8aa593f9a68d3d288bc33574c30267740d7c53cbda48
SHA512: 00556b0b4222a0ab6c0b1a31625248eb17c84fede5ce5642a08bff613d0e5fd32c34b476f4d8c7a5650988fdbe8a1c0c66cb48eca7fbc99e69586c30c2bf0814