Analysis
- max time kernel: 138s
- max time network: 164s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 06:41
Static task: static1
Behavioral task: behavioral1
- Sample: 0f3df777b087f711352bfe643a85951c2ef1ff3709c15f141f1e2743eb78d5b3.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 0f3df777b087f711352bfe643a85951c2ef1ff3709c15f141f1e2743eb78d5b3.exe
- Resource: win10v2004-en-20220112
General
- Target: 0f3df777b087f711352bfe643a85951c2ef1ff3709c15f141f1e2743eb78d5b3.exe
- Size: 144KB
- MD5: c89ebdecdac0d78e5469995cf1cda592
- SHA1: 6dd265bc54a27f82563b9eeecad15382df63382f
- SHA256: 0f3df777b087f711352bfe643a85951c2ef1ff3709c15f141f1e2743eb78d5b3
- SHA512: b44847d81ede4d864b174c9b93a7167411c265d22618e78f9ea0e9d16011b2c768d48621d5b95033593fe194bc6f0b5dc3c8811080e70201a29b0fc953d4a3f0
Malware Config
Signatures
- Sakula Payload (3 IoCs)
  Processes (resource | yara_rule):
  - \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  - \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- Executes dropped EXE (1 IoC)
  Processes (pid | process):
  - 516 | MediaCenter.exe
- Deletes itself (1 IoC)
  Processes (pid | process):
  - 528 | cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid | process):
  - 820 | 0f3df777b087f711352bfe643a85951c2ef1ff3709c15f141f1e2743eb78d5b3.exe
  - 820 | 0f3df777b087f711352bfe643a85951c2ef1ff3709c15f141f1e2743eb78d5b3.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description | ioc | process):
  - Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 0f3df777b087f711352bfe643a85951c2ef1ff3709c15f141f1e2743eb78d5b3.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description | pid | process):
  - Token: SeIncBasePriorityPrivilege | 820 | 0f3df777b087f711352bfe643a85951c2ef1ff3709c15f141f1e2743eb78d5b3.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description | pid | process | target process):
  - PID 820 wrote to memory of 516 | 820 | 0f3df777b087f711352bfe643a85951c2ef1ff3709c15f141f1e2743eb78d5b3.exe | MediaCenter.exe
  - PID 820 wrote to memory of 516 | 820 | 0f3df777b087f711352bfe643a85951c2ef1ff3709c15f141f1e2743eb78d5b3.exe | MediaCenter.exe
  - PID 820 wrote to memory of 516 | 820 | 0f3df777b087f711352bfe643a85951c2ef1ff3709c15f141f1e2743eb78d5b3.exe | MediaCenter.exe
  - PID 820 wrote to memory of 516 | 820 | 0f3df777b087f711352bfe643a85951c2ef1ff3709c15f141f1e2743eb78d5b3.exe | MediaCenter.exe
  - PID 820 wrote to memory of 528 | 820 | 0f3df777b087f711352bfe643a85951c2ef1ff3709c15f141f1e2743eb78d5b3.exe | cmd.exe
  - PID 820 wrote to memory of 528 | 820 | 0f3df777b087f711352bfe643a85951c2ef1ff3709c15f141f1e2743eb78d5b3.exe | cmd.exe
  - PID 820 wrote to memory of 528 | 820 | 0f3df777b087f711352bfe643a85951c2ef1ff3709c15f141f1e2743eb78d5b3.exe | cmd.exe
  - PID 820 wrote to memory of 528 | 820 | 0f3df777b087f711352bfe643a85951c2ef1ff3709c15f141f1e2743eb78d5b3.exe | cmd.exe
  - PID 528 wrote to memory of 1132 | 528 | cmd.exe | PING.EXE
  - PID 528 wrote to memory of 1132 | 528 | cmd.exe | PING.EXE
  - PID 528 wrote to memory of 1132 | 528 | cmd.exe | PING.EXE
  - PID 528 wrote to memory of 1132 | 528 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\0f3df777b087f711352bfe643a85951c2ef1ff3709c15f141f1e2743eb78d5b3.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0f3df777b087f711352bfe643a85951c2ef1ff3709c15f141f1e2743eb78d5b3.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 820
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (level 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 516
  - C:\Windows\SysWOW64\cmd.exe (level 2)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0f3df777b087f711352bfe643a85951c2ef1ff3709c15f141f1e2743eb78d5b3.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 528
    - C:\Windows\SysWOW64\PING.EXE (level 3)
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1132
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: c007632b60e21d0fba2f0f7a762835e7
- SHA1: da7dfa535d2a7a232db0486c6d09f5e6931d84da
- SHA256: 09ff698a531d2d096588bb97e42adca8c7e8226cdcf3743f6edcc15b158c87e2
- SHA512: 3fee04a2f2274137170843b5305130cd388a27aeb31b6659751f0e762f62a43446a7e7181ca163492029cd8979607e03d043eb0f5a78f8ba64155773c5cae0a1