Analysis
- max time kernel: 122s
- max time network: 143s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 06:38
Static task: static1
Behavioral task: behavioral1
- Sample: 0f67b84d59836af15a1a17580993e904acd0e6327dac102ca9b03e3dea58a746.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 0f67b84d59836af15a1a17580993e904acd0e6327dac102ca9b03e3dea58a746.exe
- Resource: win10v2004-en-20220112
General
- Target: 0f67b84d59836af15a1a17580993e904acd0e6327dac102ca9b03e3dea58a746.exe
- Size: 80KB
- MD5: 7a8a2755f9771d25c4f8e83b64b17a5b
- SHA1: 5f08c357367c597ce50227de03d8249722b3482f
- SHA256: 0f67b84d59836af15a1a17580993e904acd0e6327dac102ca9b03e3dea58a746
- SHA512: 658fc9fff1af1baeb1e2c29aac6413e55be8d33072e19ef5b3b3b069c1f37375c2974a825d16dd6818d534a4f04d098a19b67214a6e8f0c259c1397f853a9eb2
Malware Config
Signatures
Sakula Payload 3 IoCs
resource                                                      yara_rule
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe    family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  family_sakula
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe    family_sakula
Executes dropped EXE 1 IoCs
pid   process
320   MediaCenter.exe
Deletes itself 1 IoCs
pid   process
776   cmd.exe
Loads dropped DLL 2 IoCs
pid   process
808   0f67b84d59836af15a1a17580993e904acd0e6327dac102ca9b03e3dea58a746.exe
808   0f67b84d59836af15a1a17580993e904acd0e6327dac102ca9b03e3dea58a746.exe
Adds Run key to start application 2 TTPs 1 IoCs
description      ioc                                                                                                                                                                process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"   0f67b84d59836af15a1a17580993e904acd0e6327dac102ca9b03e3dea58a746.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour. (This is the sandbox's generic description for the signature; drive enumeration alone is not a ransomware indicator, and the YARA match above classifies this sample as Sakula.)
Runs ping.exe 1 TTPs 1 IoCs
Suspicious use of AdjustPrivilegeToken 1 IoCs
description                         pid   process
Token: SeIncBasePriorityPrivilege   808   0f67b84d59836af15a1a17580993e904acd0e6327dac102ca9b03e3dea58a746.exe
Suspicious use of WriteProcessMemory 12 IoCs
source pid   source process                                                          target pid   target process    calls
808          0f67b84d59836af15a1a17580993e904acd0e6327dac102ca9b03e3dea58a746.exe   320          MediaCenter.exe   4
808          0f67b84d59836af15a1a17580993e904acd0e6327dac102ca9b03e3dea58a746.exe   776          cmd.exe           4
776          cmd.exe                                                                 1096         PING.EXE          4
Processes
C:\Users\Admin\AppData\Local\Temp\0f67b84d59836af15a1a17580993e904acd0e6327dac102ca9b03e3dea58a746.exe  (PID 808)
  command line: "C:\Users\Admin\AppData\Local\Temp\0f67b84d59836af15a1a17580993e904acd0e6327dac102ca9b03e3dea58a746.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  +- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  (PID 320, child of 808)
     command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
     - Executes dropped EXE
  +- C:\Windows\SysWOW64\cmd.exe  (PID 776, child of 808)
     command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0f67b84d59836af15a1a17580993e904acd0e6327dac102ca9b03e3dea58a746.exe"
     - Deletes itself
     - Suspicious use of WriteProcessMemory
     +- C:\Windows\SysWOW64\PING.EXE  (PID 1096, child of 776)
        command line: ping 127.0.0.1
        - Runs ping.exe

Note: the command line names System32\cmd.exe but the image that ran is SysWOW64\cmd.exe, i.e. the 32-bit cmd reached through WOW64 file-system redirection, which matches the Wow6432Node Run key above and indicates a 32-bit sample on the x64 host. The "ping 127.0.0.1 & del /q <self>" chain is the sample's delayed self-deletion: ping serves only as a sleep so the dropper's file handle is closed before cmd deletes it.
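The three behaviours the report records for this chain (a Run value pointing into %LOCALAPPDATA%\Temp, a dropped executable run by the process that wrote it, and a "cmd /c ping ... & del /q" self-deletion) are easy to turn into host telemetry detections. The following is an added example, not part of the sandbox report or of any tool's own rules: it runs over a small set of constructed Sysmon-style events (field names such as image, cmdline, parent_image, target and details are this example's own, not the sandbox's) that mirror the paths, PIDs and command lines on this page, plus two benign events to show the checks do not fire on ordinary deletes or Run keys under Program Files.

```python
"""Detections for the Sakula dropper chain shown in the report above.

Added example; the event records below are CONSTRUCTED to match the
report's process tree (paths and PIDs are taken from the page, the
records themselves are not sandbox output).
"""
import re
from typing import Iterable, Optional

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\0f67b84d59836af15a1a17580993e904acd0e6327dac102ca9b03e3dea58a746.exe")
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

# Constructed events (not sandbox output). "process" = process creation,
# "file_create" = file written, "registry_set" = registry value set.
EVENTS = [
    {"type": "process", "pid": 808, "ppid": 1000, "image": SAMPLE,
     "cmdline": f'"{SAMPLE}"', "parent_image": r"C:\Windows\explorer.exe"},
    {"type": "file_create", "pid": 808, "image": SAMPLE, "target": DROPPED},
    {"type": "registry_set", "pid": 808, "image": SAMPLE,
     "target": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "details": DROPPED},
    {"type": "process", "pid": 320, "ppid": 808, "image": DROPPED,
     "cmdline": DROPPED, "parent_image": SAMPLE},
    {"type": "process", "pid": 776, "ppid": 808, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"',
     "parent_image": SAMPLE},
    {"type": "process", "pid": 1096, "ppid": 776, "image": r"C:\Windows\SysWOW64\PING.EXE",
     "cmdline": "ping 127.0.0.1", "parent_image": r"C:\Windows\SysWOW64\cmd.exe"},
    # Benign noise: a plain delete without the ping delay, and a Run key
    # whose payload lives under Program Files rather than a temp directory.
    {"type": "process", "pid": 2000, "ppid": 1000, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c del /q "C:\logs\old.log"', "parent_image": r"C:\Windows\explorer.exe"},
    {"type": "registry_set", "pid": 2001, "image": r"C:\Program Files\Vendor\setup.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
     "details": r"C:\Program Files\Vendor\agent.exe"},
]

# cmd /c ping <anything> & del [/switches] "<path>"  -- the delay-then-delete
# idiom on this page. Only ping is accepted as the delay, as in the report.
_SELF_DELETE = re.compile(
    r'cmd(?:\.exe)?"?\s+/c\s+ping\b[^&]*&\s*del\s+(?:/[a-z]\s+)*"?(?P<path>[^"&]+?)"?\s*$',
    re.IGNORECASE)

# Run/RunOnce values whose payload sits in a user-writable drop location.
_RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.IGNORECASE)
_USER_WRITABLE = re.compile(r"\\AppData\\(?:Local|Roaming)\\|\\Temp\\|\\Users\\Public\\",
                            re.IGNORECASE)


def self_delete_target(cmdline: str) -> Optional[str]:
    """Return the path a 'ping ... & del' command line removes, or None."""
    m = _SELF_DELETE.search(cmdline)
    return m.group("path") if m else None


def is_suspicious_run_key(target: str, details: str) -> bool:
    """True for a Run/RunOnce value that points into a user-writable directory."""
    return bool(_RUN_KEY.search(target) and _USER_WRITABLE.search(details))


def analyze(events: Iterable[dict]) -> list[str]:
    """Walk events in order and emit one finding string per hit."""
    findings: list[str] = []
    dropped: dict[str, int] = {}  # lower-cased path -> pid that wrote it
    for ev in events:
        kind = ev["type"]
        if kind == "file_create":
            dropped[ev["target"].lower()] = ev["pid"]
        elif kind == "registry_set":
            if is_suspicious_run_key(ev["target"], ev["details"]):
                findings.append(f"persistence: pid {ev['pid']} set Run value "
                                f"{ev['target']} -> {ev['details']}")
        elif kind == "process":
            image = ev["image"].lower()
            if image in dropped:  # executable written earlier in this trace is now running
                findings.append(f"dropped-exe-executed: pid {ev['pid']} runs {ev['image']} "
                                f"written by pid {dropped[image]}")
            victim = self_delete_target(ev["cmdline"])
            if victim:
                # Deleting the parent's own image is self-deletion; anything else
                # is still a delayed delete worth a lower-severity alert.
                label = ("self-delete" if victim.lower() == ev["parent_image"].lower()
                         else "delayed-delete")
                findings.append(f"{label}: pid {ev['pid']} (parent {ev['parent_image']}) "
                                f"deletes {victim}")
    return findings


if __name__ == "__main__":
    for line in analyze(EVENTS):
        print(line)
```

Run as-is it prints three findings for the constructed trace (persistence, dropped-exe-executed for PID 320, self-delete for PID 776) and nothing for the two benign events. To use it on real Sysmon data, map event IDs 1, 11 and 13 onto the "process", "file_create" and "registry_set" record shapes; the ping-only delay pattern should be widened (timeout, choice, waitfor) once you have baseline data for your environment.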
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 3fa27afce84a79a782f959a77fd1f669
- SHA1: 285331813656ee7d12ea0234389a5057c2b3511a
- SHA256: 05876eba2cb42db9eae7a6ffd1fb3d52e3c7bfe942cc6488a6fe11e3c7f35047
- SHA512: afb9c4eed0f9c12c706d556be496d408c381d40a829993c04c2681f4671924f02786450b24f28102bd9ae1bad41029fa73e38037eba4694749e047f9bc2db409