Analysis
- max time kernel: 121s
- max time network: 151s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 06:33

Static task: static1

Behavioral task: behavioral1
- Sample: 0facb4056bf97b999e0698f3690a3348e54897d49a98d949c74993903b33e35d.exe
- Resource: win7-en-20211208

Behavioral task: behavioral2
- Sample: 0facb4056bf97b999e0698f3690a3348e54897d49a98d949c74993903b33e35d.exe
- Resource: win10v2004-en-20220113
General
- Target: 0facb4056bf97b999e0698f3690a3348e54897d49a98d949c74993903b33e35d.exe
- Size: 80KB
- MD5: ae41a035c0b5959f7e11060a772fcba3
- SHA1: 319469f74dec1d86f3d4cf9a4cb11aa0e1b7a4c1
- SHA256: 0facb4056bf97b999e0698f3690a3348e54897d49a98d949c74993903b33e35d
- SHA512: a3c46ac0e8b74a426fbc3bcfbaa179bb4adb7aec44530ff1b209bee5dc4179003b7b1909197995e3a7984df78bcb8cc7de8d97c69db9241959ff729f6511e660
Malware Config
Signatures

Sakula Payload (3 IoCs)
Processes:
  resource | yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula

Executes dropped EXE (1 IoCs)
Processes:
  pid | process
  1204 | MediaCenter.exe

Deletes itself (1 IoCs)
Processes:
  pid | process
  1232 | cmd.exe

Loads dropped DLL (2 IoCs)
Processes:
  pid | process
  1180 | 0facb4056bf97b999e0698f3690a3348e54897d49a98d949c74993903b33e35d.exe
  1180 | 0facb4056bf97b999e0698f3690a3348e54897d49a98d949c74993903b33e35d.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 0facb4056bf97b999e0698f3690a3348e54897d49a98d949c74993903b33e35d.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTPs, 1 IoCs)

Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes:
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 1180 | 0facb4056bf97b999e0698f3690a3348e54897d49a98d949c74993903b33e35d.exe

Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
  description | pid | process | target process
  PID 1180 wrote to memory of 1204 | 1180 | 0facb4056bf97b999e0698f3690a3348e54897d49a98d949c74993903b33e35d.exe | MediaCenter.exe
  PID 1180 wrote to memory of 1204 | 1180 | 0facb4056bf97b999e0698f3690a3348e54897d49a98d949c74993903b33e35d.exe | MediaCenter.exe
  PID 1180 wrote to memory of 1204 | 1180 | 0facb4056bf97b999e0698f3690a3348e54897d49a98d949c74993903b33e35d.exe | MediaCenter.exe
  PID 1180 wrote to memory of 1204 | 1180 | 0facb4056bf97b999e0698f3690a3348e54897d49a98d949c74993903b33e35d.exe | MediaCenter.exe
  PID 1180 wrote to memory of 1232 | 1180 | 0facb4056bf97b999e0698f3690a3348e54897d49a98d949c74993903b33e35d.exe | cmd.exe
  PID 1180 wrote to memory of 1232 | 1180 | 0facb4056bf97b999e0698f3690a3348e54897d49a98d949c74993903b33e35d.exe | cmd.exe
  PID 1180 wrote to memory of 1232 | 1180 | 0facb4056bf97b999e0698f3690a3348e54897d49a98d949c74993903b33e35d.exe | cmd.exe
  PID 1180 wrote to memory of 1232 | 1180 | 0facb4056bf97b999e0698f3690a3348e54897d49a98d949c74993903b33e35d.exe | cmd.exe
  PID 1232 wrote to memory of 1428 | 1232 | cmd.exe | PING.EXE
  PID 1232 wrote to memory of 1428 | 1232 | cmd.exe | PING.EXE
  PID 1232 wrote to memory of 1428 | 1232 | cmd.exe | PING.EXE
  PID 1232 wrote to memory of 1428 | 1232 | cmd.exe | PING.EXE
Processes

Depth 1: C:\Users\Admin\AppData\Local\Temp\0facb4056bf97b999e0698f3690a3348e54897d49a98d949c74993903b33e35d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0facb4056bf97b999e0698f3690a3348e54897d49a98d949c74993903b33e35d.exe"
  PID: 1180
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  Depth 2: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 1204
    - Executes dropped EXE

  Depth 2: C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0facb4056bf97b999e0698f3690a3348e54897d49a98d949c74993903b33e35d.exe"
    PID: 1232
    - Deletes itself
    - Suspicious use of WriteProcessMemory

    Depth 3: C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 1428
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 9b5037fd7abac21446f8c1cc5805067b
- SHA1: 3d5c713af0ee49c15f9430d6fd5b4d088f3c02d0
- SHA256: 892a3248681257b907495a4e9992cc87d24273824360874218327383180eb308
- SHA512: fda88b1197ece2cd2753b074edb1426472cf353c28425715ac7bf03eae4e9dea970028af20762acaa029920ced78ae5fdcb9aac4e0cf4fcf55f30876220d1794