Analysis
max time kernel: 147s
max time network: 157s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 06:35
Static task: static1
Behavioral task: behavioral1
  Sample: 0f90c60395c37a08d26d62001ba375c909ce09f67414e1d836139182b4b1aeed.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0f90c60395c37a08d26d62001ba375c909ce09f67414e1d836139182b4b1aeed.exe
  Resource: win10v2004-en-20220113
General
Target: 0f90c60395c37a08d26d62001ba375c909ce09f67414e1d836139182b4b1aeed.exe
Size: 89KB
MD5: be552dae855aef48c571f0eefd2c261d
SHA1: b48b9685a95cfa9b935a31637139f29a21d3a8a0
SHA256: 0f90c60395c37a08d26d62001ba375c909ce09f67414e1d836139182b4b1aeed
SHA512: 097951eac9a9fd29ac19e4ca66474aa7c847dd5f8ca2f2c0800e69af3382c9d3396a083d9661014e22939d3659b69c68de37d65c8fb6f22b8c7afa05bcae3780
Malware Config
Signatures
Sakula Payload (2 IoCs)
  resource: \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | yara_rule: family_sakula
  resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | yara_rule: family_sakula
Executes dropped EXE (1 IoCs)
  pid: 588 | process: MediaCenter.exe
Deletes itself (1 IoCs)
  pid: 640 | process: cmd.exe
Loads dropped DLL (1 IoCs)
  pid: 1364 | process: 0f90c60395c37a08d26d62001ba375c909ce09f67414e1d836139182b4b1aeed.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
  description: Set value (str) | ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | process: 0f90c60395c37a08d26d62001ba375c909ce09f67414e1d836139182b4b1aeed.exe
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Runs ping.exe (1 TTPs, 1 IoCs)
Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description: Token: SeIncBasePriorityPrivilege | pid: 1364 | process: 0f90c60395c37a08d26d62001ba375c909ce09f67414e1d836139182b4b1aeed.exe
Suspicious use of WriteProcessMemory (12 IoCs)
  description | pid | process | target process
  PID 1364 wrote to memory of 588 | 1364 | 0f90c60395c37a08d26d62001ba375c909ce09f67414e1d836139182b4b1aeed.exe | MediaCenter.exe
  PID 1364 wrote to memory of 588 | 1364 | 0f90c60395c37a08d26d62001ba375c909ce09f67414e1d836139182b4b1aeed.exe | MediaCenter.exe
  PID 1364 wrote to memory of 588 | 1364 | 0f90c60395c37a08d26d62001ba375c909ce09f67414e1d836139182b4b1aeed.exe | MediaCenter.exe
  PID 1364 wrote to memory of 588 | 1364 | 0f90c60395c37a08d26d62001ba375c909ce09f67414e1d836139182b4b1aeed.exe | MediaCenter.exe
  PID 1364 wrote to memory of 640 | 1364 | 0f90c60395c37a08d26d62001ba375c909ce09f67414e1d836139182b4b1aeed.exe | cmd.exe
  PID 1364 wrote to memory of 640 | 1364 | 0f90c60395c37a08d26d62001ba375c909ce09f67414e1d836139182b4b1aeed.exe | cmd.exe
  PID 1364 wrote to memory of 640 | 1364 | 0f90c60395c37a08d26d62001ba375c909ce09f67414e1d836139182b4b1aeed.exe | cmd.exe
  PID 1364 wrote to memory of 640 | 1364 | 0f90c60395c37a08d26d62001ba375c909ce09f67414e1d836139182b4b1aeed.exe | cmd.exe
  PID 640 wrote to memory of 1116 | 640 | cmd.exe | PING.EXE
  PID 640 wrote to memory of 1116 | 640 | cmd.exe | PING.EXE
  PID 640 wrote to memory of 1116 | 640 | cmd.exe | PING.EXE
  PID 640 wrote to memory of 1116 | 640 | cmd.exe | PING.EXE
Processes
C:\Users\Admin\AppData\Local\Temp\0f90c60395c37a08d26d62001ba375c909ce09f67414e1d836139182b4b1aeed.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\0f90c60395c37a08d26d62001ba375c909ce09f67414e1d836139182b4b1aeed.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1364
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 588
  C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0f90c60395c37a08d26d62001ba375c909ce09f67414e1d836139182b4b1aeed.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 640
    C:\Windows\SysWOW64\PING.EXE
      command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1116
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: 529d3552b916095e257d60afaec15a7b
SHA1: 85289599b1d4846505c8262ddd883451b83db33c
SHA256: 3d75a35114159aaa6eb49c7e9f338b4338dc62f5053bb936fb3e624a896fba4f
SHA512: 794c72088f43017e69cb3f55b6119640fb32f1f3f9dc2944075f415d3866eb34487553eb49a8b3dab99c6ce36f4e0ea5b700f9196d75e7d729be48f750a1805f