Analysis
- max time kernel: 122s
- max time network: 143s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12/02/2022, 06:38
Static task: static1
Behavioral task: behavioral1
- Sample: 0f67b84d59836af15a1a17580993e904acd0e6327dac102ca9b03e3dea58a746.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 0f67b84d59836af15a1a17580993e904acd0e6327dac102ca9b03e3dea58a746.exe
- Resource: win10v2004-en-20220112
General
- Target: 0f67b84d59836af15a1a17580993e904acd0e6327dac102ca9b03e3dea58a746.exe
- Size: 80KB
- MD5: 7a8a2755f9771d25c4f8e83b64b17a5b
- SHA1: 5f08c357367c597ce50227de03d8249722b3482f
- SHA256: 0f67b84d59836af15a1a17580993e904acd0e6327dac102ca9b03e3dea58a746
- SHA512: 658fc9fff1af1baeb1e2c29aac6413e55be8d33072e19ef5b3b3b069c1f37375c2974a825d16dd6818d534a4f04d098a19b67214a6e8f0c259c1397f853a9eb2
Malware Config
Signatures
Sakula Payload (3 IoCs)
resource                                      yara_rule
behavioral1/files/0x00070000000132cc-55.dat   family_sakula
behavioral1/files/0x00070000000132cc-57.dat   family_sakula
behavioral1/files/0x00070000000132cc-56.dat   family_sakula
Executes dropped EXE (1 IoC)
pid   Process
320   MediaCenter.exe
Deletes itself (1 IoC)
pid   Process
776   cmd.exe
Loads dropped DLL (2 IoCs)
pid   Process
808   0f67b84d59836af15a1a17580993e904acd0e6327dac102ca9b03e3dea58a746.exe
808   0f67b84d59836af15a1a17580993e904acd0e6327dac102ca9b03e3dea58a746.exe
Adds Run key to start application (2 TTPs, 1 IoC)
description        ioc                                                                                                                                  Process
Set value (str)    \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"    0f67b84d59836af15a1a17580993e904acd0e6327dac102ca9b03e3dea58a746.exe
Note: the Wow6432Node path (and the SysWOW64 image paths in the process tree below) show the sample runs as a 32-bit process on this x64 guest, so its HKLM\SOFTWARE writes are redirected by WOW64. When hunting for this persistence, check both the native and the Wow6432Node Run keys; on a 32-bit host the value would land under the native key.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature calls it likely ransomware behaviour; on its own it is weak evidence, and the payload matched here is Sakula, a backdoor, so read this as drive enumeration rather than encryption activity.
Runs ping.exe (1 TTP, 1 IoC)
pid    Process
1096   PING.EXE
Suspicious use of AdjustPrivilegeToken (1 IoC)
description                        pid   Process
Token: SeIncBasePriorityPrivilege  808   0f67b84d59836af15a1a17580993e904acd0e6327dac102ca9b03e3dea58a746.exe
Suspicious use of WriteProcessMemory (12 IoCs)
description                     pid   Process                                                                   procid_target
PID 808 wrote to memory of 320  808   0f67b84d59836af15a1a17580993e904acd0e6327dac102ca9b03e3dea58a746.exe    27
PID 808 wrote to memory of 320  808   0f67b84d59836af15a1a17580993e904acd0e6327dac102ca9b03e3dea58a746.exe    27
PID 808 wrote to memory of 320  808   0f67b84d59836af15a1a17580993e904acd0e6327dac102ca9b03e3dea58a746.exe    27
PID 808 wrote to memory of 320  808   0f67b84d59836af15a1a17580993e904acd0e6327dac102ca9b03e3dea58a746.exe    27
PID 808 wrote to memory of 776  808   0f67b84d59836af15a1a17580993e904acd0e6327dac102ca9b03e3dea58a746.exe    30
PID 808 wrote to memory of 776  808   0f67b84d59836af15a1a17580993e904acd0e6327dac102ca9b03e3dea58a746.exe    30
PID 808 wrote to memory of 776  808   0f67b84d59836af15a1a17580993e904acd0e6327dac102ca9b03e3dea58a746.exe    30
PID 808 wrote to memory of 776  808   0f67b84d59836af15a1a17580993e904acd0e6327dac102ca9b03e3dea58a746.exe    30
PID 776 wrote to memory of 1096 776   cmd.exe                                                                   32
PID 776 wrote to memory of 1096 776   cmd.exe                                                                   32
PID 776 wrote to memory of 1096 776   cmd.exe                                                                   32
PID 776 wrote to memory of 1096 776   cmd.exe                                                                   32
Processes

C:\Users\Admin\AppData\Local\Temp\0f67b84d59836af15a1a17580993e904acd0e6327dac102ca9b03e3dea58a746.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0f67b84d59836af15a1a17580993e904acd0e6327dac102ca9b03e3dea58a746.exe"
  PID: 808 (depth 1)
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 320 (depth 2, parent 808)
    - Executes dropped EXE

  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0f67b84d59836af15a1a17580993e904acd0e6327dac102ca9b03e3dea58a746.exe"
    PID: 776 (depth 2, parent 808)
    - Deletes itself
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 1096 (depth 3, parent 776)
      - Runs ping.exe
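The process tree above shows three behaviours worth turning into host detections: the dropper spawning a second executable from its own %TEMP% directory, a Run key pointing into %TEMP%, and the classic delayed self-delete where cmd.exe pings loopback as a sleep and then deletes the parent's image. The following detection logic is an added example, not part of the sandbox report or the Sakula sample; it runs over constructed process-creation and registry-set events modelled on the report's process tree and IoCs (the ProcEvent/RegEvent field names, the explorer.exe launcher with pid 1500, and the benign control events with pids 2000 and 2100 are assumptions). It generalises the report's single instance: any `ping ... & del` whose delete target equals the parent process image is flagged, not just this sample's path.

```python
import re
from dataclasses import dataclass

# Paths as they appear in the report's process tree.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\0f67b84d59836af15a1a17580993e904acd0e6327dac102ca9b03e3dea58a746.exe")
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)
# "ping <host> & del <file>": ping acts as a sleep so the parent has exited
# (and its image is no longer locked) by the time del runs.
PING_DEL_RE = re.compile(r"\bping\b[^&]*&\s*del\b", re.IGNORECASE)
# Extract the path given to del, skipping switches such as /q or /f.
DEL_TARGET_RE = re.compile(r'\bdel\b(?:\s+/\w+)*\s+"?([^"]+?)"?\s*$', re.IGNORECASE)


@dataclass
class ProcEvent:          # shape assumed, loosely after Sysmon event 1
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass
class RegEvent:           # shape assumed, loosely after Sysmon event 13
    pid: int
    key: str
    value: str


# Constructed events: the report's chain plus benign controls (pids 2000, 2100)
# that must not fire. The explorer.exe launcher (pid 1500) is an assumption.
PROC_EVENTS = [
    ProcEvent(1500, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(808, 1500, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(320, 808, DROPPED, DROPPED),
    ProcEvent(776, 808, r"C:\Windows\SysWOW64\cmd.exe",
              f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"'),
    ProcEvent(1096, 776, r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.1"),
    ProcEvent(2000, 1500, r"C:\Windows\System32\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1'),
]
REG_EVENTS = [
    RegEvent(808, r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows"
                  r"\CurrentVersion\Run\MicroMedia", DROPPED),
    RegEvent(2100, r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
             r"C:\Program Files\Example\Updater.exe"),
]


def analyze(procs, regs):
    """Return findings as dicts with keys rule, pid and detail."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        parent = by_pid.get(p.ppid)
        # Rule 1: delayed delete via "ping & del"; high confidence when the
        # deleted file is the parent's own image (self-deleting dropper).
        if PING_DEL_RE.search(p.cmdline):
            m = DEL_TARGET_RE.search(p.cmdline)
            target = m.group(1) if m else ""
            if parent and target.lower() == parent.image.lower():
                findings.append({"rule": "self_delete_parent", "pid": p.pid,
                                 "detail": f"pid {p.pid} deletes parent image {target}"})
            else:
                findings.append({"rule": "delayed_delete", "pid": p.pid,
                                 "detail": f"pid {p.pid} deletes {target or '<unparsed>'}"})
        # Rule 2: executable under %TEMP% started by another executable under
        # %TEMP% (dropper running what it just wrote). Heuristic: no file-write
        # event is consulted here, only the parent/child image paths.
        if parent and TEMP_RE.search(p.image) and TEMP_RE.search(parent.image):
            findings.append({"rule": "dropped_exe_from_temp", "pid": p.pid,
                             "detail": f"{p.image} spawned by {parent.image}"})
    # Rule 3: Run key (native or Wow6432Node) whose value points into %TEMP%.
    for r in regs:
        if RUN_KEY_RE.search(r.key) and TEMP_RE.search(r.value):
            findings.append({"rule": "run_key_to_temp", "pid": r.pid,
                             "detail": f"{r.key} = {r.value}"})
    return findings


if __name__ == "__main__":
    for f in analyze(PROC_EVENTS, REG_EVENTS):
        print(f"[{f['rule']}] pid={f['pid']} {f['detail']}")
```

Rule 1 keys on the relationship between the child's `del` target and the parent's image rather than on a fixed path, so it fires for any self-deleting dropper using this idiom; the `delayed_delete` branch catches the same idiom aimed at another file at lower confidence. RUN_KEY_RE matches both the native and the Wow6432Node key because, as this report shows, a 32-bit sample's write lands under Wow6432Node on an x64 host.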