Analysis

max time kernel: 151s
max time network: 172s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 06:41

Static task: static1

Behavioral task: behavioral1
Sample: 0f3af70c83ccb285eb5c4bae2203d14ed0de0128b189ac0c36405699bc69c866.exe
Resource: win7-en-20211208

Behavioral task: behavioral2
Sample: 0f3af70c83ccb285eb5c4bae2203d14ed0de0128b189ac0c36405699bc69c866.exe
Resource: win10v2004-en-20220112
General

Target: 0f3af70c83ccb285eb5c4bae2203d14ed0de0128b189ac0c36405699bc69c866.exe
Size: 191KB
MD5: f55b2262310ec8cee3c32b3fc355b99c
SHA1: dc64aa26f8b9af07ab3fbf7e3fdcc27df57c88a5
SHA256: 0f3af70c83ccb285eb5c4bae2203d14ed0de0128b189ac0c36405699bc69c866
SHA512: b84a09b4d556944eb291145bf36bf0adf080da222ea75f571dbec5a1cc26e3af0b8c1be589ceed9159793b5602e78c8ac5372d3d509df67c70c56c62545acf99
Malware Config
Signatures

Sakula Payload (3 IoCs)
resource / yara_rule:
- \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  family_sakula
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  family_sakula
- \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  family_sakula

Executes dropped EXE (1 IoC)
pid / process:
- 1396  MediaCenter.exe

Deletes itself (1 IoC)
pid / process:
- 744  cmd.exe

Loads dropped DLL (2 IoCs)
pid / process:
- 1632  0f3af70c83ccb285eb5c4bae2203d14ed0de0128b189ac0c36405699bc69c866.exe
- 1632  0f3af70c83ccb285eb5c4bae2203d14ed0de0128b189ac0c36405699bc69c866.exe

Adds Run key to start application (2 TTPs, 1 IoC)
description / ioc / process:
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  0f3af70c83ccb285eb5c4bae2203d14ed0de0128b189ac0c36405699bc69c866.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's canned note calls this likely ransomware behaviour, but the heuristic fires on drive enumeration in general; nothing else in this report (no mass file writes, no ransom note) supports a ransomware reading, and the payload is classified as Sakula above.

Runs ping.exe (1 TTP, 1 IoC)
Suspicious use of AdjustPrivilegeToken (1 IoC)
token / pid / process:
- SeIncBasePriorityPrivilege  1632  0f3af70c83ccb285eb5c4bae2203d14ed0de0128b189ac0c36405699bc69c866.exe

Suspicious use of WriteProcessMemory (12 IoCs)
pid / process -> target pid / target process (each relation is recorded four times):
- 1632  0f3af70c83ccb285eb5c4bae2203d14ed0de0128b189ac0c36405699bc69c866.exe -> 1396  MediaCenter.exe
- 1632  0f3af70c83ccb285eb5c4bae2203d14ed0de0128b189ac0c36405699bc69c866.exe -> 744  cmd.exe
- 744  cmd.exe -> 1484  PING.EXE
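Triage of the Run-key IoC above, as an added example that is not part of the sandbox report: a small Python routine that parses the sandbox's "Set value" line, recognises the autostart keys (Run, RunOnce and friends, in both the native and the Wow6432Node view), undoes the doubled backslashes in the printed data, and flags an autorun whose target lives in a directory a standard user can write to. The AUTORUN_KEYS pattern, the USER_WRITABLE prefixes and the hive mapping are this example's own choices, not the sandbox's rule set.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Copy of the report's "Adds Run key" IoC in the sandbox's own print format (constructed for
# this example; data keeps the doubled backslashes and outer quotes as the sandbox shows them).
SANDBOX_LINE = (
    r"Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia"
    r' = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"'
)

SET_VALUE = re.compile(r'^Set value \((?P<type>\w+)\) (?P<path>\\REGISTRY\\.+?) = "(?P<data>.*)"$')

# Autostart keys worth flagging. Only the tail of the key is examined, so the Wow6432Node
# view matches too. This list is the example's choice, not the sandbox's rule set.
AUTORUN_KEYS = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\(?:Run|RunOnce|RunServices|RunServicesOnce|Policies\\Explorer\\Run)$",
    re.IGNORECASE,
)

# Directories a standard user can write to; an autorun pointing here needs no admin rights to plant.
USER_WRITABLE = (
    "\\appdata\\local\\temp\\", "\\appdata\\local\\", "\\appdata\\roaming\\",
    "\\users\\public\\", "\\programdata\\", "\\windows\\temp\\",
)


@dataclass
class AutorunFinding:
    hive: str          # HKLM or HKU, resolved from the \REGISTRY\... prefix
    key: str
    value_name: str
    target: str        # image the autorun launches, with the sandbox's escaping undone
    wow6432node: bool  # written through the 32-bit registry view on 64-bit Windows
    user_writable: bool


def hive_of(path: str) -> str:
    p = path.lower()
    if p.startswith("\\registry\\machine\\"):
        return "HKLM"
    if p.startswith("\\registry\\user\\"):
        return "HKU"
    return "?"


def image_from_command(cmd: str) -> str:
    """First token of an autorun command: the quoted image, or the text up to the first space."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" ", 1)[0]


def assess_set_value(line: str) -> Optional[AutorunFinding]:
    """Parse one sandbox 'Set value' line; return a finding if it writes an autorun entry."""
    m = SET_VALUE.match(line)
    if m is None:
        return None
    key, _, name = m.group("path").rpartition("\\")
    if not AUTORUN_KEYS.search(key):
        return None
    data = m.group("data").replace("\\\\", "\\")   # undo the sandbox's backslash doubling
    image = image_from_command(data)
    return AutorunFinding(
        hive=hive_of(key),
        key=key,
        value_name=name,
        target=image,
        wow6432node="\\wow6432node\\" in key.lower(),
        user_writable=any(marker in image.lower() for marker in USER_WRITABLE),
    )


if __name__ == "__main__":
    print(assess_set_value(SANDBOX_LINE))
```

For this report the finding is HKLM, value name MicroMedia, Wow6432Node view, target under AppData\Local\Temp: a machine-wide autorun written from the 32-bit view that launches a file from the user's temp directory, which is the combination worth alerting on.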
Processes

C:\Users\Admin\AppData\Local\Temp\0f3af70c83ccb285eb5c4bae2203d14ed0de0128b189ac0c36405699bc69c866.exe  (PID 1632)
  command line: "C:\Users\Admin\AppData\Local\Temp\0f3af70c83ccb285eb5c4bae2203d14ed0de0128b189ac0c36405699bc69c866.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  |
  +-- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  (PID 1396)
  |     command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  |     - Executes dropped EXE
  |
  +-- C:\Windows\SysWOW64\cmd.exe  (PID 744)
        command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0f3af70c83ccb285eb5c4bae2203d14ed0de0128b189ac0c36405699bc69c866.exe"
        - Deletes itself
        - Suspicious use of WriteProcessMemory
        |
        +-- C:\Windows\SysWOW64\PING.EXE  (PID 1484)
              command line: ping 127.0.0.1
              - Runs ping.exe

The sample is a 32-bit image: its Run key lands under Wow6432Node, and the cmd.exe it requests from C:\Windows\System32 is served from C:\Windows\SysWOW64 by WoW64 file system redirection. The ping to 127.0.0.1 is a delay, giving the dropper time to exit before del removes its own file.
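Detection logic for the self-delete chain in the tree above (a cmd.exe child that runs ping as a delay and then deletes its parent's image), as an added example that is not part of the sandbox report. The process events are constructed to mirror the report's PIDs, images and command lines; the parent PID 1000 of the top process is an assumption, and the regex deliberately also accepts the common variants (ping with options, timeout instead of ping, erase instead of del, && instead of &), which goes beyond the single form this report shows.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


# Process-creation records in the shape of the sandbox tree (pid, parent pid, image, command line).
@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\0f3af70c83ccb285eb5c4bae2203d14ed0de0128b189ac0c36405699bc69c866.exe")
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

# Constructed events; PIDs, paths and command lines follow the report, ppid 1000 is assumed.
EVENTS: List[ProcEvent] = [
    ProcEvent(1632, 1000, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(1396, 1632, DROPPED, DROPPED),
    ProcEvent(744, 1632, r"C:\Windows\SysWOW64\cmd.exe",
              f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"'),
    ProcEvent(1484, 744, r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.1"),
]

# A delay stage (ping <host> or timeout /t N) chained with & or && into del/erase of one file.
SELF_DELETE = re.compile(
    r"""
    \b(?:ping|timeout)\b [^&|]*        # delay: ping 127.0.0.1, ping -n 3 ..., timeout /t 5
    &&? \s*                            # & or &&
    \b(?:del|erase)\b                  # delete command
    (?:\s+/[a-z])* \s+                 # switches such as /q /f
    "?(?P<target>[^"&|]+?)"? \s*$      # the file being removed
    """,
    re.IGNORECASE | re.VERBOSE,
)


def _norm(path: str) -> str:
    return path.strip().strip('"').lower()


def find_self_deletes(events: List[ProcEvent]) -> List[Tuple[int, int, str]]:
    """Return (cmd pid, parent pid, deleted path) for every cmd.exe whose delayed
    del/erase targets the image of its own parent process."""
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    hits: List[Tuple[int, int, str]] = []
    for e in events:
        if not e.image.lower().endswith("\\cmd.exe"):
            continue
        m = SELF_DELETE.search(e.cmdline)
        if m is None:
            continue
        parent = by_pid.get(e.ppid)
        target = _norm(m.group("target"))
        # Only a match against the parent's own image is self-deletion; cmd deleting some
        # other file is ordinary cleanup and stays out of the result.
        if parent is not None and _norm(parent.image) == target:
            hits.append((e.pid, parent.pid, target))
    return hits


def ancestry(events: List[ProcEvent], pid: int) -> List[str]:
    """Image basenames from pid up to the root, for the analyst's chain view."""
    by_pid = {e.pid: e for e in events}
    chain: List[str] = []
    seen = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        e = by_pid[pid]
        chain.append(e.image.rsplit("\\", 1)[-1])
        pid = e.ppid
    return chain


if __name__ == "__main__":
    for cmd_pid, parent_pid, path in find_self_deletes(EVENTS):
        print(f"self-delete: cmd.exe {cmd_pid} removes parent {parent_pid} image {path}")
    print(" <- ".join(ancestry(EVENTS, 1484)))
```

Matching the deleted path against the parent's image is what separates this from benign scripts that happen to chain ping and del; in Sysmon terms the same check runs over Event ID 1 using ParentImage and CommandLine.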
Network
MITRE ATT&CK Enterprise v6
Downloads

File (listed three times in the report, all three entries with identical hashes):
MD5: ffeb3c1b8b25623fad42fcacf3ee4c38
SHA1: 66f7b827b2092a417e563c18dcc122b0fd9d3ebe
SHA256: 41cd25c7cc482e310cbc345414b5434bad04886145b8f5f1d3b7cd923a1c85cf
SHA512: 2020fb59d3f8ef8d0acf6fde71ac2df985eb2b4689c01361d4714c02e5b0ba2202f3cad3b9bf084f8bb25c87c417431cacbd80e785d65d5aae4221bedff5d8d0