Analysis
max time kernel: 154s
max time network: 133s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 06:34
Static task: static1
Behavioral task: behavioral1
  Sample: 0fa15c2122cf3a929a217630f38ad9095cd92ff435bc7da8b872777fed3c5557.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0fa15c2122cf3a929a217630f38ad9095cd92ff435bc7da8b872777fed3c5557.exe
  Resource: win10v2004-en-20220113
General
Target: 0fa15c2122cf3a929a217630f38ad9095cd92ff435bc7da8b872777fed3c5557.exe
Size: 101KB
MD5: 7ec30d316f89a7e223852d0dd50a0e6f
SHA1: f986a6eb3e59d4b11519b100d5e62c66544c4f0f
SHA256: 0fa15c2122cf3a929a217630f38ad9095cd92ff435bc7da8b872777fed3c5557
SHA512: 3bd6f56c4a24c4311590ab734dbaa2886edc60597b4e0671a41f305ff417dce2430e6f0fbedea2fea37e62d36371d391868e59a7653340e601813f03c78f07c5
Malware Config
Signatures
Sakula Payload (3 IoCs)
  resource | yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
Executes dropped EXE (1 IoC)
  pid | process
  1752 | MediaCenter.exe
Deletes itself (1 IoC)
  pid | process
  1984 | cmd.exe
Loads dropped DLL (2 IoCs)
  pid | process
  952 | 0fa15c2122cf3a929a217630f38ad9095cd92ff435bc7da8b872777fed3c5557.exe
  952 | 0fa15c2122cf3a929a217630f38ad9095cd92ff435bc7da8b872777fed3c5557.exe
Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 0fa15c2122cf3a929a217630f38ad9095cd92ff435bc7da8b872777fed3c5557.exe
Enumerates physical storage devices (1 TTP)
  Sandbox heuristic: the sample attempts to interact with connected storage/optical drive(s). The signature text calls this "likely ransomware behaviour", but it is a generic heuristic fired by drive enumeration alone; the YARA match above classifies the dropped payload as Sakula, and no file-encryption activity is recorded in this report.
Runs ping.exe (1 TTP, 1 IoC)
Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 952 | 0fa15c2122cf3a929a217630f38ad9095cd92ff435bc7da8b872777fed3c5557.exe
Suspicious use of WriteProcessMemory (12 IoCs)
  description | pid | process | target process
  PID 952 wrote to memory of 1752 | 952 | 0fa15c2122cf3a929a217630f38ad9095cd92ff435bc7da8b872777fed3c5557.exe | MediaCenter.exe (4 events)
  PID 952 wrote to memory of 1984 | 952 | 0fa15c2122cf3a929a217630f38ad9095cd92ff435bc7da8b872777fed3c5557.exe | cmd.exe (4 events)
  PID 1984 wrote to memory of 1192 | 1984 | cmd.exe | PING.EXE (4 events)
Processes
[1] C:\Users\Admin\AppData\Local\Temp\0fa15c2122cf3a929a217630f38ad9095cd92ff435bc7da8b872777fed3c5557.exe (PID 952)
    command line: "C:\Users\Admin\AppData\Local\Temp\0fa15c2122cf3a929a217630f38ad9095cd92ff435bc7da8b872777fed3c5557.exe"
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 1752)
      command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE
  [2] C:\Windows\SysWOW64\cmd.exe (PID 1984)
      command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0fa15c2122cf3a929a217630f38ad9095cd92ff435bc7da8b872777fed3c5557.exe"
      - Deletes itself
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\PING.EXE (PID 1192)
        command line: ping 127.0.0.1
        - Runs ping.exe
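The process tree shows two behaviours worth detecting independently of this sample's hashes: the dropper spawns `cmd.exe /c ping 127.0.0.1 & del /q "<own path>"`, where ping exists only to stall until the parent has exited so the delete succeeds, and it writes a Run value pointing at an executable under %TEMP%. The following is an added example of detection logic over events reconstructed from this report; it is not part of the sandbox output or of the sample. The `Proc`/`RegSet` records, the event values, and the `USER_WRITABLE` directory list are this example's own assumptions, and the Run-key rule is generalised slightly beyond the report to cover RunOnce and other user-writable locations.

```python
"""Detection logic for two behaviours recorded in the process tree and
registry IoC above: delayed self-deletion through cmd.exe
("ping ... & del /q <own path>") and a Run-key autostart that points at a
user-writable directory. Events are constructed from this report, not
captured live; Proc/RegSet and the USER_WRITABLE list are this example's own
assumptions."""
import re
from dataclasses import dataclass

SAMPLE = "0fa15c2122cf3a929a217630f38ad9095cd92ff435bc7da8b872777fed3c5557.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE_PATH = TEMP + "\\" + SAMPLE
DROPPED = TEMP + r"\MicroMedia\MediaCenter.exe"


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass(frozen=True)
class RegSet:
    pid: int      # process that wrote the value
    key: str
    name: str
    data: str


# Process events, constructed from the report's tree (PIDs and command lines as shown).
PROCS = [
    Proc(952, 0, SAMPLE_PATH, '"' + SAMPLE_PATH + '"'),
    Proc(1752, 952, DROPPED, DROPPED),
    Proc(1984, 952, r"C:\Windows\SysWOW64\cmd.exe",
         '"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "' + SAMPLE_PATH + '"'),
    Proc(1192, 1984, r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.1"),
]

# Registry event from the "Adds Run key" IoC (the report shows escaped backslashes;
# the real value data has single ones).
REGS = [
    RegSet(952, r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run",
           "MicroMedia", '"' + DROPPED + '"'),
]

# "ping <anything> & del [/switches] <path>": ping only exists to delay del until the parent exits.
SELF_DELETE = re.compile(r'\bping\b[^&]*&\s*del\b(?:\s+/\w+)*\s+"?(?P<target>[^"]+?)"?\s*$', re.I)
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?$", re.I)
# Directories any user can write to; an autostart pointing here is rarely legitimate (assumed list).
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\users\\public\\", "\\programdata\\")


def find_self_delete(procs):
    """Flag cmd.exe whose 'ping & del' target is its own parent's image path."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for p in procs:
        if not p.image.lower().endswith("\\cmd.exe"):
            continue
        m = SELF_DELETE.search(p.cmdline)
        parent = by_pid.get(p.ppid)
        if m and parent and parent.image.lower() == m.group("target").strip().lower():
            hits.append({"rule": "self_delete_via_ping", "pid": p.pid,
                         "deleted_pid": parent.pid, "deleted": parent.image})
    return hits


def find_user_writable_run_keys(regs, procs):
    """Flag Run/RunOnce values whose data lives under a user-writable directory,
    and correlate the path with any process in the tree that ran from it."""
    by_image = {p.image.lower(): p for p in procs}
    hits = []
    for r in regs:
        if not RUN_KEY.search(r.key):
            continue
        path = r.data.strip().strip('"')
        if not any(marker in path.lower() for marker in USER_WRITABLE):
            continue
        ran = by_image.get(path.lower())
        hits.append({"rule": "run_key_to_user_writable_path", "pid": r.pid,
                     "name": r.name, "path": path, "executed_pid": ran.pid if ran else None})
    return hits


def detect(procs, regs):
    """Run both rules over one batch of events and return all findings."""
    return find_self_delete(procs) + find_user_writable_run_keys(regs, procs)


if __name__ == "__main__":
    for hit in detect(PROCS, REGS):
        print(hit)
```

The self-delete rule deliberately requires the `del` target to equal the parent's image path rather than matching on `ping & del` alone: installers and update scripts use the same idiom to remove temporary files, and the parent-path check is what separates the two. The Run-key rule correlates the value data with the tree so the finding names the PID (1752 here) that actually executed from the persisted path.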
Network
MITRE ATT&CK Enterprise v6
Downloads
(the same file appears three times in the original report; recorded once here)
MD5: 7cb402e77282c7ddef848d88d73315a8
SHA1: b239139baa5269720e85aa9857ff6e25813d0ff9
SHA256: 284e08ac6888282428a90accb0bad1f7724f58c52f8b1fd057e2833ea8afa5d4
SHA512: c7464aec61dab9ca31e4af7ba3a0374977d9f3a0ea4ee9bc11d52d9f63bd91c7acca7df3f35198098fbd5ae3efe6df7a4e4b4097fed64671e3b2f260550ed421