Analysis
- max time kernel: 122s
- max time network: 140s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 06:37
Static task: static1

Behavioral task: behavioral1
- Sample: 0f79bdee22715c69fe59bd1317edbf32f1cca115775981c281fc29e233f50028.exe
- Resource: win7-en-20211208

Behavioral task: behavioral2
- Sample: 0f79bdee22715c69fe59bd1317edbf32f1cca115775981c281fc29e233f50028.exe
- Resource: win10v2004-en-20220112
General
- Target: 0f79bdee22715c69fe59bd1317edbf32f1cca115775981c281fc29e233f50028.exe
- Size: 89KB
- MD5: c0a075ce6fd285d108599085ff26b781
- SHA1: daba68f483a26a946ddef15cd3e55bbc086c5a4c
- SHA256: 0f79bdee22715c69fe59bd1317edbf32f1cca115775981c281fc29e233f50028
- SHA512: cfc111bc22b5c3c96a614e8a1eff734b29d56bb5764e2152ab5213c0c0d55d403a0c3d2bc17038ece50fb0571d0408c1e048dc469b40f0c7dfce135190e7bf6d
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  Processes:
    resource | yara_rule
    \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula

- Executes dropped EXE (1 IoCs)
  Processes:
    pid | process
    956 | MediaCenter.exe

- Deletes itself (1 IoCs)
  Processes:
    pid | process
    1984 | cmd.exe

- Loads dropped DLL (1 IoCs)
  Processes:
    pid | process
    780 | 0f79bdee22715c69fe59bd1317edbf32f1cca115775981c281fc29e233f50028.exe

- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
    description | ioc | process
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 0f79bdee22715c69fe59bd1317edbf32f1cca115775981c281fc29e233f50028.exe

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Runs ping.exe (1 TTPs, 1 IoCs)

- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
    description | pid | process
    Token: SeIncBasePriorityPrivilege | 780 | 0f79bdee22715c69fe59bd1317edbf32f1cca115775981c281fc29e233f50028.exe

- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
    description | pid | process | target process
    PID 780 wrote to memory of 956 | 780 | 0f79bdee22715c69fe59bd1317edbf32f1cca115775981c281fc29e233f50028.exe | MediaCenter.exe
    PID 780 wrote to memory of 956 | 780 | 0f79bdee22715c69fe59bd1317edbf32f1cca115775981c281fc29e233f50028.exe | MediaCenter.exe
    PID 780 wrote to memory of 956 | 780 | 0f79bdee22715c69fe59bd1317edbf32f1cca115775981c281fc29e233f50028.exe | MediaCenter.exe
    PID 780 wrote to memory of 956 | 780 | 0f79bdee22715c69fe59bd1317edbf32f1cca115775981c281fc29e233f50028.exe | MediaCenter.exe
    PID 780 wrote to memory of 1984 | 780 | 0f79bdee22715c69fe59bd1317edbf32f1cca115775981c281fc29e233f50028.exe | cmd.exe
    PID 780 wrote to memory of 1984 | 780 | 0f79bdee22715c69fe59bd1317edbf32f1cca115775981c281fc29e233f50028.exe | cmd.exe
    PID 780 wrote to memory of 1984 | 780 | 0f79bdee22715c69fe59bd1317edbf32f1cca115775981c281fc29e233f50028.exe | cmd.exe
    PID 780 wrote to memory of 1984 | 780 | 0f79bdee22715c69fe59bd1317edbf32f1cca115775981c281fc29e233f50028.exe | cmd.exe
    PID 1984 wrote to memory of 1192 | 1984 | cmd.exe | PING.EXE
    PID 1984 wrote to memory of 1192 | 1984 | cmd.exe | PING.EXE
    PID 1984 wrote to memory of 1192 | 1984 | cmd.exe | PING.EXE
    PID 1984 wrote to memory of 1192 | 1984 | cmd.exe | PING.EXE
Processes
- [depth 1] C:\Users\Admin\AppData\Local\Temp\0f79bdee22715c69fe59bd1317edbf32f1cca115775981c281fc29e233f50028.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0f79bdee22715c69fe59bd1317edbf32f1cca115775981c281fc29e233f50028.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 780

  - [depth 2] C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 956

  - [depth 2] C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0f79bdee22715c69fe59bd1317edbf32f1cca115775981c281fc29e233f50028.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1984

    - [depth 3] C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1192
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 72cc4b3bd88d698e11bc1f592b00c661
  SHA1: 7178e4dfca4f984b1d78eae18848c6acd6707b93
  SHA256: 9427137eb962207d81e48d9da6bc05847c6826903fc2ba18493085585d3c3dc5
  SHA512: a1ca47c29f8271d24479e1687f4f6f84f7c39dc7ffc4a55c460196f89b076856264c23a5026b882e660d41f9ed8f4964ddf5404eba007766c5158e1b61757180