Analysis
- max time kernel: 131s
- max time network: 155s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 06:33
Static task: static1
Behavioral task: behavioral1
- Sample: 0fabc3884c433efc3676b4272fa28a4bc93ab94cd80cf297770195f5d7601c73.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 0fabc3884c433efc3676b4272fa28a4bc93ab94cd80cf297770195f5d7601c73.exe
- Resource: win10v2004-en-20220113
General
- Target: 0fabc3884c433efc3676b4272fa28a4bc93ab94cd80cf297770195f5d7601c73.exe
- Size: 80KB
- MD5: 3eb4ffdd6133bccfff5d5acef84ba6e0
- SHA1: 22146b27c50174d043e48a3bf17029c6abe6abe3
- SHA256: 0fabc3884c433efc3676b4272fa28a4bc93ab94cd80cf297770195f5d7601c73
- SHA512: f0d1181754fec00c2d02d076d852e6aa80125d946d8490ff07d32bfa41a04ac8367cbbf0674be962b08a48581ff7e6458fb444f90f075c9442dc7b47f8bb0ef2
Malware Config
Signatures
- Sakula Payload (3 IoCs)
  Processes (resource | yara_rule):
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- Executes dropped EXE (1 IoC)
  Processes: MediaCenter.exe (pid | process):
  516 | MediaCenter.exe
- Deletes itself (1 IoC)
  Processes: cmd.exe (pid | process):
  360 | cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes: 0fabc3884c433efc3676b4272fa28a4bc93ab94cd80cf297770195f5d7601c73.exe (pid | process):
  1444 | 0fabc3884c433efc3676b4272fa28a4bc93ab94cd80cf297770195f5d7601c73.exe
  1444 | 0fabc3884c433efc3676b4272fa28a4bc93ab94cd80cf297770195f5d7601c73.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: 0fabc3884c433efc3676b4272fa28a4bc93ab94cd80cf297770195f5d7601c73.exe (description | ioc | process):
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 0fabc3884c433efc3676b4272fa28a4bc93ab94cd80cf297770195f5d7601c73.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: 0fabc3884c433efc3676b4272fa28a4bc93ab94cd80cf297770195f5d7601c73.exe (description | pid | process):
  Token: SeIncBasePriorityPrivilege | 1444 | 0fabc3884c433efc3676b4272fa28a4bc93ab94cd80cf297770195f5d7601c73.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes: 0fabc3884c433efc3676b4272fa28a4bc93ab94cd80cf297770195f5d7601c73.exe, cmd.exe (description | pid | process | target process):
  PID 1444 wrote to memory of 516 | 1444 | 0fabc3884c433efc3676b4272fa28a4bc93ab94cd80cf297770195f5d7601c73.exe | MediaCenter.exe
  PID 1444 wrote to memory of 516 | 1444 | 0fabc3884c433efc3676b4272fa28a4bc93ab94cd80cf297770195f5d7601c73.exe | MediaCenter.exe
  PID 1444 wrote to memory of 516 | 1444 | 0fabc3884c433efc3676b4272fa28a4bc93ab94cd80cf297770195f5d7601c73.exe | MediaCenter.exe
  PID 1444 wrote to memory of 516 | 1444 | 0fabc3884c433efc3676b4272fa28a4bc93ab94cd80cf297770195f5d7601c73.exe | MediaCenter.exe
  PID 1444 wrote to memory of 360 | 1444 | 0fabc3884c433efc3676b4272fa28a4bc93ab94cd80cf297770195f5d7601c73.exe | cmd.exe
  PID 1444 wrote to memory of 360 | 1444 | 0fabc3884c433efc3676b4272fa28a4bc93ab94cd80cf297770195f5d7601c73.exe | cmd.exe
  PID 1444 wrote to memory of 360 | 1444 | 0fabc3884c433efc3676b4272fa28a4bc93ab94cd80cf297770195f5d7601c73.exe | cmd.exe
  PID 1444 wrote to memory of 360 | 1444 | 0fabc3884c433efc3676b4272fa28a4bc93ab94cd80cf297770195f5d7601c73.exe | cmd.exe
  PID 360 wrote to memory of 2000 | 360 | cmd.exe | PING.EXE
  PID 360 wrote to memory of 2000 | 360 | cmd.exe | PING.EXE
  PID 360 wrote to memory of 2000 | 360 | cmd.exe | PING.EXE
  PID 360 wrote to memory of 2000 | 360 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\0fabc3884c433efc3676b4272fa28a4bc93ab94cd80cf297770195f5d7601c73.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0fabc3884c433efc3676b4272fa28a4bc93ab94cd80cf297770195f5d7601c73.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1444
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 516
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0fabc3884c433efc3676b4272fa28a4bc93ab94cd80cf297770195f5d7601c73.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 360
    - C:\Windows\SysWOW64\PING.EXE (depth 3)
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 2000
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 3a789dbbe941447fd4f4c1334f25d249
  SHA1: a51712ab8f7e23d451821bb5e57ddf1a0baa40a7
  SHA256: 29cf9972dabee1f740300a174c883c6ffa64b62905e9f6c729eac4917f1d7f0c
  SHA512: 8ffc0237c96d082d5022564b0d2048b2254ca7170ad2ad0a894922753e1075563960b5a9b434b5b7308d400e417c44be38cde86b96207e17baf18c67e0c97ec2