Analysis
max time kernel: 149s
max time network: 167s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 06:35
Static task: static1
Behavioral task: behavioral1
  Sample: 0f95d296561dc212cc9a6b7a70500ac189804e4f28249aeddf7bf82b6b857d82.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0f95d296561dc212cc9a6b7a70500ac189804e4f28249aeddf7bf82b6b857d82.exe
  Resource: win10v2004-en-20220112
General
Target: 0f95d296561dc212cc9a6b7a70500ac189804e4f28249aeddf7bf82b6b857d82.exe
Size: 176KB
MD5: 9daa9e7055ac835259621f145b894b57
SHA1: 2e750fa81653b6a02f57a4344542249e814c349b
SHA256: 0f95d296561dc212cc9a6b7a70500ac189804e4f28249aeddf7bf82b6b857d82
SHA512: 5b6f8cf50fc0a54844a902e1a4a096d673c17d87e124c5f9a1d5295f60d9c7759a415a1bb04c9ffd1471838ec5e6cd20db93ddcdc998c1169153a607c516b569
Malware Config
Signatures
Sakula Payload (4 IoCs)
  resource | yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  behavioral1/memory/612-59-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
  behavioral1/memory/1560-60-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula

Executes dropped EXE (1 IoC)
  pid | process
  1560 | MediaCenter.exe

Deletes itself (1 IoC)
  pid | process
  1240 | cmd.exe

Loads dropped DLL (1 IoC)
  pid | process
  612 | 0f95d296561dc212cc9a6b7a70500ac189804e4f28249aeddf7bf82b6b857d82.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 0f95d296561dc212cc9a6b7a70500ac189804e4f28249aeddf7bf82b6b857d82.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTP, 1 IoC)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 612 | 0f95d296561dc212cc9a6b7a70500ac189804e4f28249aeddf7bf82b6b857d82.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  description | pid | process | target process
  PID 612 wrote to memory of 1560 | 612 | 0f95d296561dc212cc9a6b7a70500ac189804e4f28249aeddf7bf82b6b857d82.exe | MediaCenter.exe
  PID 612 wrote to memory of 1560 | 612 | 0f95d296561dc212cc9a6b7a70500ac189804e4f28249aeddf7bf82b6b857d82.exe | MediaCenter.exe
  PID 612 wrote to memory of 1560 | 612 | 0f95d296561dc212cc9a6b7a70500ac189804e4f28249aeddf7bf82b6b857d82.exe | MediaCenter.exe
  PID 612 wrote to memory of 1560 | 612 | 0f95d296561dc212cc9a6b7a70500ac189804e4f28249aeddf7bf82b6b857d82.exe | MediaCenter.exe
  PID 612 wrote to memory of 1240 | 612 | 0f95d296561dc212cc9a6b7a70500ac189804e4f28249aeddf7bf82b6b857d82.exe | cmd.exe
  PID 612 wrote to memory of 1240 | 612 | 0f95d296561dc212cc9a6b7a70500ac189804e4f28249aeddf7bf82b6b857d82.exe | cmd.exe
  PID 612 wrote to memory of 1240 | 612 | 0f95d296561dc212cc9a6b7a70500ac189804e4f28249aeddf7bf82b6b857d82.exe | cmd.exe
  PID 612 wrote to memory of 1240 | 612 | 0f95d296561dc212cc9a6b7a70500ac189804e4f28249aeddf7bf82b6b857d82.exe | cmd.exe
  PID 1240 wrote to memory of 1048 | 1240 | cmd.exe | PING.EXE
  PID 1240 wrote to memory of 1048 | 1240 | cmd.exe | PING.EXE
  PID 1240 wrote to memory of 1048 | 1240 | cmd.exe | PING.EXE
  PID 1240 wrote to memory of 1048 | 1240 | cmd.exe | PING.EXE
Processes
Image: C:\Users\Admin\AppData\Local\Temp\0f95d296561dc212cc9a6b7a70500ac189804e4f28249aeddf7bf82b6b857d82.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\0f95d296561dc212cc9a6b7a70500ac189804e4f28249aeddf7bf82b6b857d82.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 612
  Image: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1560
  Image: C:\Windows\SysWOW64\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0f95d296561dc212cc9a6b7a70500ac189804e4f28249aeddf7bf82b6b857d82.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1240
    Image: C:\Windows\SysWOW64\PING.EXE
    Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1048
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: 87da1538aecaaf371e7e4eacb969232c
SHA1: d8090e6e79206da3b8630f8433ac5c239df878d2
SHA256: d4e3cde3266ba4347873a4b5ad69ff3fa8106a8c8909e04fa8ad4c9fd05acc14
SHA512: a93c29beb4c3f94c8979347e3cc3c60ac46c63da4656490c09d77782e10d25a2a59c41368f144bbba79f104caa225e4dfa1d875ae6e49fca48b1f1f4b1145818