Analysis

max time kernel: 154s
max time network: 169s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 06:35

- Static task static1
- Behavioral task behavioral1: sample 0f8cf34632239b0af0c6d9e7e050b115798f348685593497f880091fbd62992d.exe, resource win7-en-20211208
- Behavioral task behavioral2: sample 0f8cf34632239b0af0c6d9e7e050b115798f348685593497f880091fbd62992d.exe, resource win10v2004-en-20220112

General

Target: 0f8cf34632239b0af0c6d9e7e050b115798f348685593497f880091fbd62992d.exe
Size: 101KB
MD5: 6631f4c94572c07798dcd7cdd324fd6c
SHA1: 7550935c1b7449ff968fcf3b64bbbce95ed75404
SHA256: 0f8cf34632239b0af0c6d9e7e050b115798f348685593497f880091fbd62992d
SHA512: e5417143de65ea1b6b836a611b9bd006030b86d889800ba00df29a88b05f1d16d23ab9acd7b3a82bdc504e597ab1461680be666a06227366921f4975e8a770d8
Malware Config
Signatures
- Sakula Payload (3 IoCs)
  Processes (resource / yara_rule):
  - \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe / family_sakula
  - \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe / family_sakula
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe / family_sakula
- Executes dropped EXE (1 IoC)
  Processes (pid / process):
  - 1884 / MediaCenter.exe
- Deletes itself (1 IoC)
  Processes (pid / process):
  - 1836 / cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid / process):
  - 1620 / 0f8cf34632239b0af0c6d9e7e050b115798f348685593497f880091fbd62992d.exe
  - 1620 / 0f8cf34632239b0af0c6d9e7e050b115798f348685593497f880091fbd62992d.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description / ioc / process):
  - Set value (str) / \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" / 0f8cf34632239b0af0c6d9e7e050b115798f348685593497f880091fbd62992d.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description / pid / process):
  - Token: SeIncBasePriorityPrivilege / 1620 / 0f8cf34632239b0af0c6d9e7e050b115798f348685593497f880091fbd62992d.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description / pid / process / target process):
  - PID 1620 wrote to memory of 1884 / 1620 / 0f8cf34632239b0af0c6d9e7e050b115798f348685593497f880091fbd62992d.exe / MediaCenter.exe
  - PID 1620 wrote to memory of 1884 / 1620 / 0f8cf34632239b0af0c6d9e7e050b115798f348685593497f880091fbd62992d.exe / MediaCenter.exe
  - PID 1620 wrote to memory of 1884 / 1620 / 0f8cf34632239b0af0c6d9e7e050b115798f348685593497f880091fbd62992d.exe / MediaCenter.exe
  - PID 1620 wrote to memory of 1884 / 1620 / 0f8cf34632239b0af0c6d9e7e050b115798f348685593497f880091fbd62992d.exe / MediaCenter.exe
  - PID 1620 wrote to memory of 1836 / 1620 / 0f8cf34632239b0af0c6d9e7e050b115798f348685593497f880091fbd62992d.exe / cmd.exe
  - PID 1620 wrote to memory of 1836 / 1620 / 0f8cf34632239b0af0c6d9e7e050b115798f348685593497f880091fbd62992d.exe / cmd.exe
  - PID 1620 wrote to memory of 1836 / 1620 / 0f8cf34632239b0af0c6d9e7e050b115798f348685593497f880091fbd62992d.exe / cmd.exe
  - PID 1620 wrote to memory of 1836 / 1620 / 0f8cf34632239b0af0c6d9e7e050b115798f348685593497f880091fbd62992d.exe / cmd.exe
  - PID 1836 wrote to memory of 1820 / 1836 / cmd.exe / PING.EXE
  - PID 1836 wrote to memory of 1820 / 1836 / cmd.exe / PING.EXE
  - PID 1836 wrote to memory of 1820 / 1836 / cmd.exe / PING.EXE
  - PID 1836 wrote to memory of 1820 / 1836 / cmd.exe / PING.EXE
Processes

- C:\Users\Admin\AppData\Local\Temp\0f8cf34632239b0af0c6d9e7e050b115798f348685593497f880091fbd62992d.exe (PID 1620, level 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\0f8cf34632239b0af0c6d9e7e050b115798f348685593497f880091fbd62992d.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 1884, level 2)
    command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 1836, level 2)
    command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0f8cf34632239b0af0c6d9e7e050b115798f348685593497f880091fbd62992d.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 1820, level 3)
      command line: ping 127.0.0.1
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads

- MD5: 8f29a57e746f3867b731ee906a15244d
  SHA1: 3beab3113892cbdab758fab4f7a5a4109b931f3d
  SHA256: e1fd0c8600257418e7292a3821c073065e7943dd73168db5f9f24aa59ce7593a
  SHA512: fb8c5f8e9210e89467fc3dda906094d8a54416c43904845234a97272c2c63f63a8949f8f3c102a8679dd8c96dbfe06a1fb8ce43ead5c4e07d667c48a73f01633