Analysis
- max time kernel: 129s
- max time network: 142s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 06:39
Static task: static1
Behavioral task: behavioral1
  Sample: 0f58f3a4bfa973026e42b336205a63df205f7a0bf565321d7d08589bcfec6b81.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0f58f3a4bfa973026e42b336205a63df205f7a0bf565321d7d08589bcfec6b81.exe
  Resource: win10v2004-en-20220113
General
- Target: 0f58f3a4bfa973026e42b336205a63df205f7a0bf565321d7d08589bcfec6b81.exe
- Size: 144KB
- MD5: 6dee3b23eb34596dd80d2774b23e36d8
- SHA1: 1144a179bb6b400b2d4ec779949674b5ab3a6767
- SHA256: 0f58f3a4bfa973026e42b336205a63df205f7a0bf565321d7d08589bcfec6b81
- SHA512: 2f7039157f017781ad5c22d8c9b6d081de6246bb39ba73ba5cf31fcccad6807857b011a24116ebd185ef3657fe450fe7512ac13339f28b8d78ea2d8645bd614b
Malware Config
Signatures
- Sakula Payload (4 IoCs)
  Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  behavioral1/memory/1652-59-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
  behavioral1/memory/1620-60-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
- Executes dropped EXE (1 IoC)
  Processes:
  pid | process
  1620 | MediaCenter.exe
- Deletes itself (1 IoC)
  Processes:
  pid | process
  916 | cmd.exe
- Loads dropped DLL (1 IoC)
  Processes:
  pid | process
  1652 | 0f58f3a4bfa973026e42b336205a63df205f7a0bf565321d7d08589bcfec6b81.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 0f58f3a4bfa973026e42b336205a63df205f7a0bf565321d7d08589bcfec6b81.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 1652 | 0f58f3a4bfa973026e42b336205a63df205f7a0bf565321d7d08589bcfec6b81.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
  description | pid | process | target process
  PID 1652 wrote to memory of 1620 | 1652 | 0f58f3a4bfa973026e42b336205a63df205f7a0bf565321d7d08589bcfec6b81.exe | MediaCenter.exe
  PID 1652 wrote to memory of 1620 | 1652 | 0f58f3a4bfa973026e42b336205a63df205f7a0bf565321d7d08589bcfec6b81.exe | MediaCenter.exe
  PID 1652 wrote to memory of 1620 | 1652 | 0f58f3a4bfa973026e42b336205a63df205f7a0bf565321d7d08589bcfec6b81.exe | MediaCenter.exe
  PID 1652 wrote to memory of 1620 | 1652 | 0f58f3a4bfa973026e42b336205a63df205f7a0bf565321d7d08589bcfec6b81.exe | MediaCenter.exe
  PID 1652 wrote to memory of 916 | 1652 | 0f58f3a4bfa973026e42b336205a63df205f7a0bf565321d7d08589bcfec6b81.exe | cmd.exe
  PID 1652 wrote to memory of 916 | 1652 | 0f58f3a4bfa973026e42b336205a63df205f7a0bf565321d7d08589bcfec6b81.exe | cmd.exe
  PID 1652 wrote to memory of 916 | 1652 | 0f58f3a4bfa973026e42b336205a63df205f7a0bf565321d7d08589bcfec6b81.exe | cmd.exe
  PID 1652 wrote to memory of 916 | 1652 | 0f58f3a4bfa973026e42b336205a63df205f7a0bf565321d7d08589bcfec6b81.exe | cmd.exe
  PID 916 wrote to memory of 944 | 916 | cmd.exe | PING.EXE
  PID 916 wrote to memory of 944 | 916 | cmd.exe | PING.EXE
  PID 916 wrote to memory of 944 | 916 | cmd.exe | PING.EXE
  PID 916 wrote to memory of 944 | 916 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\0f58f3a4bfa973026e42b336205a63df205f7a0bf565321d7d08589bcfec6b81.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0f58f3a4bfa973026e42b336205a63df205f7a0bf565321d7d08589bcfec6b81.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1652
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1620
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0f58f3a4bfa973026e42b336205a63df205f7a0bf565321d7d08589bcfec6b81.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 916
    - C:\Windows\SysWOW64\PING.EXE (depth 3)
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 944
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 12d00d73c7b610358db53a92006e786b
  SHA1: 81954715064ed59fb697698889b9154f299a73d5
  SHA256: e0e106793951e0a4f959668c08fb202e1f10b9a5dd6b0278b413159b6ef31f45
  SHA512: e6475f851121b1211168f80d82b03d022eab333d447bda07beda284a815eee36fe77770518cf4da8367d7fab896c0e113b311eca68c84e568d4e98e5f89edcac