Analysis
- max time kernel: 147s
- max time network: 161s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 06:34
Static task: static1
Behavioral task: behavioral1
- Sample: 0fa46e1794fcb3e72f2ade92f72f21448e7aef1fd6061252144cdf8071e4fb3d.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 0fa46e1794fcb3e72f2ade92f72f21448e7aef1fd6061252144cdf8071e4fb3d.exe
- Resource: win10v2004-en-20220113
General
- Target: 0fa46e1794fcb3e72f2ade92f72f21448e7aef1fd6061252144cdf8071e4fb3d.exe
- Size: 200KB
- MD5: bafd4811101071481009786ee537d00d
- SHA1: 768c1f3779bead2eb451882d2429a86d4c4638f4
- SHA256: 0fa46e1794fcb3e72f2ade92f72f21448e7aef1fd6061252144cdf8071e4fb3d
- SHA512: 36ff95c654c5cb3b0f7b8669a9777b64b403554ff37a3ca84e705edf32646894a65b595ed08c82a13e978a3aea9495b103991666051552678dfd39435ba773e8
Malware Config
Signatures
- Sakula Payload (4 IoCs)
  Processes (resource: yara_rule):
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe: family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe: family_sakula
  behavioral1/memory/1648-59-0x0000000000400000-0x0000000000420000-memory.dmp: family_sakula
  behavioral1/memory/1636-60-0x0000000000400000-0x0000000000420000-memory.dmp: family_sakula
- Executes dropped EXE (1 IoC)
  Processes (pid, process):
  1636 MediaCenter.exe
- Deletes itself (1 IoC)
  Processes (pid, process):
  744 cmd.exe
- Loads dropped DLL (1 IoC)
  Processes (pid, process):
  1648 0fa46e1794fcb3e72f2ade92f72f21448e7aef1fd6061252144cdf8071e4fb3d.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description, ioc, process):
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" by 0fa46e1794fcb3e72f2ade92f72f21448e7aef1fd6061252144cdf8071e4fb3d.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description, pid, process):
  Token: SeIncBasePriorityPrivilege, 1648, 0fa46e1794fcb3e72f2ade92f72f21448e7aef1fd6061252144cdf8071e4fb3d.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description, pid, process, target process):
  PID 1648 wrote to memory of 1636: 0fa46e1794fcb3e72f2ade92f72f21448e7aef1fd6061252144cdf8071e4fb3d.exe -> MediaCenter.exe
  PID 1648 wrote to memory of 1636: 0fa46e1794fcb3e72f2ade92f72f21448e7aef1fd6061252144cdf8071e4fb3d.exe -> MediaCenter.exe
  PID 1648 wrote to memory of 1636: 0fa46e1794fcb3e72f2ade92f72f21448e7aef1fd6061252144cdf8071e4fb3d.exe -> MediaCenter.exe
  PID 1648 wrote to memory of 1636: 0fa46e1794fcb3e72f2ade92f72f21448e7aef1fd6061252144cdf8071e4fb3d.exe -> MediaCenter.exe
  PID 1648 wrote to memory of 744: 0fa46e1794fcb3e72f2ade92f72f21448e7aef1fd6061252144cdf8071e4fb3d.exe -> cmd.exe
  PID 1648 wrote to memory of 744: 0fa46e1794fcb3e72f2ade92f72f21448e7aef1fd6061252144cdf8071e4fb3d.exe -> cmd.exe
  PID 1648 wrote to memory of 744: 0fa46e1794fcb3e72f2ade92f72f21448e7aef1fd6061252144cdf8071e4fb3d.exe -> cmd.exe
  PID 1648 wrote to memory of 744: 0fa46e1794fcb3e72f2ade92f72f21448e7aef1fd6061252144cdf8071e4fb3d.exe -> cmd.exe
  PID 744 wrote to memory of 1480: cmd.exe -> PING.EXE
  PID 744 wrote to memory of 1480: cmd.exe -> PING.EXE
  PID 744 wrote to memory of 1480: cmd.exe -> PING.EXE
  PID 744 wrote to memory of 1480: cmd.exe -> PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\0fa46e1794fcb3e72f2ade92f72f21448e7aef1fd6061252144cdf8071e4fb3d.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0fa46e1794fcb3e72f2ade92f72f21448e7aef1fd6061252144cdf8071e4fb3d.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1648
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (level 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1636
  - C:\Windows\SysWOW64\cmd.exe (level 2)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0fa46e1794fcb3e72f2ade92f72f21448e7aef1fd6061252144cdf8071e4fb3d.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 744
    - C:\Windows\SysWOW64\PING.EXE (level 3)
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1480
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 4a6d5d283152127f3133187178437dfa
  SHA1: eee79605c3caaff439ba98e3003ef729ef2c22d5
  SHA256: 621bbfee2953c6f907baca2d6a442665512245c23706f677dbefa6c02e39422b
  SHA512: 58161367c91d52f0f56f8ad0e79047f6d7110b66b21200d967b7343f5ea8be5e620ac51885dc0818f49e5efab58c4b12b77b81929361f760b91b8e6700d7f700