Analysis
- max time kernel: 157s
- max time network: 152s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 06:45
Static task: static1
Behavioral task: behavioral1
- Sample: 0f0999200fc6e1f2f2e22886e2acea37dd38d8c5ef13dc5ab6c0865383b44968.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 0f0999200fc6e1f2f2e22886e2acea37dd38d8c5ef13dc5ab6c0865383b44968.exe
- Resource: win10v2004-en-20220113
General
- Target: 0f0999200fc6e1f2f2e22886e2acea37dd38d8c5ef13dc5ab6c0865383b44968.exe
- Size: 150KB
- MD5: 27e3db657f8c9b11b86df7d5ae7732fb
- SHA1: c48a4c857de355db80ed2ff659152bdd3f58d82a
- SHA256: 0f0999200fc6e1f2f2e22886e2acea37dd38d8c5ef13dc5ab6c0865383b44968
- SHA512: 1e9b8cf861c144815fb72b79aa0cf581544d788707109b0360dd9c8811b30a37de803b25774da5d1197f03fe175652a8ae627b6ebdb25d838de8c1e9349173b7
Malware Config
Signatures
In the tables below, sample.exe stands for 0f0999200fc6e1f2f2e22886e2acea37dd38d8c5ef13dc5ab6c0865383b44968.exe.

Sakula Payload (2 IoCs)
  resource                                                       yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe     family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe   family_sakula

Executes dropped EXE (1 IoC)
  pid    process
  1588   MediaCenter.exe

Deletes itself (1 IoC)
  pid    process
  1044   cmd.exe

Loads dropped DLL (1 IoC)
  pid    process
  1568   sample.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  description       ioc                                                                                  process
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"   sample.exe
The value lands under Wow6432Node because the sample is a 32-bit process on 64-bit Windows and the registry redirector maps its HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run write there; the dropped MediaCenter.exe will be started at every logon.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature calls it likely ransomware behaviour, but this report records no file encryption or ransom note activity, and the other hits (Sakula YARA match, Run key persistence, self-deletion) describe a dropper for a backdoor rather than ransomware.

Runs ping.exe (1 TTP, 1 IoC)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description   pid    process
  Token: SeIncBasePriorityPrivilege   1568   sample.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  description                 pid    process      target process
  PID 1568 wrote to memory of 1588   sample.exe   MediaCenter.exe
  PID 1568 wrote to memory of 1588   sample.exe   MediaCenter.exe
  PID 1568 wrote to memory of 1588   sample.exe   MediaCenter.exe
  PID 1568 wrote to memory of 1588   sample.exe   MediaCenter.exe
  PID 1568 wrote to memory of 1044   sample.exe   cmd.exe
  PID 1568 wrote to memory of 1044   sample.exe   cmd.exe
  PID 1568 wrote to memory of 1044   sample.exe   cmd.exe
  PID 1568 wrote to memory of 1044   sample.exe   cmd.exe
  PID 1044 wrote to memory of 1492   cmd.exe      PING.EXE
  PID 1044 wrote to memory of 1492   cmd.exe      PING.EXE
  PID 1044 wrote to memory of 1492   cmd.exe      PING.EXE
  PID 1044 wrote to memory of 1492   cmd.exe      PING.EXE
Each parent-to-child pair appears four times, which is the pattern a process-creation hook produces when a parent spawns a child (the loader writes the new process's memory during CreateProcess); nothing here shows code being injected into an unrelated process.
Processes
- C:\Users\Admin\AppData\Local\Temp\0f0999200fc6e1f2f2e22886e2acea37dd38d8c5ef13dc5ab6c0865383b44968.exe (PID 1568)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0f0999200fc6e1f2f2e22886e2acea37dd38d8c5ef13dc5ab6c0865383b44968.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 1588, child of 1568)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 1044, child of 1568)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0f0999200fc6e1f2f2e22886e2acea37dd38d8c5ef13dc5ab6c0865383b44968.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 1492, child of 1044)
      Command line: ping 127.0.0.1
      - Runs ping.exe

The command line names C:\Windows\System32\cmd.exe, but the image that actually runs is C:\Windows\SysWOW64\cmd.exe: the sample is a 32-bit process on 64-bit Windows, so file-system redirection hands it the WOW64 copy, matching the Wow6432Node Run key above. The ping to 127.0.0.1 does no network work; it is a delay so that the parent process has exited and released its image file before del runs, which is why the dropper itself is no longer on disk after execution while the MediaCenter.exe payload remains.
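The two behaviours the process tree exposes, a Run value pointing into a Temp directory and a "cmd /c ping ... & del" one-liner that removes the parent's own image, are straightforward to hunt for in endpoint telemetry. The following is an added example, not output from this sandbox or code from any project: it runs two small detections over Sysmon-style events (event_id 1 = process create, 13 = registry value set). The events are constructed to mirror this report's process tree and registry write; the explorer.exe parent PID 900 and the two benign control events are assumptions.

```python
"""Detect Temp-directory Run keys and ping-then-del self-deletion in
Sysmon-style process-creation and registry events.

Added example; the events below are constructed from the report, not exported
from the sandbox.
"""
import re

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\0f0999200fc6e1f2f2e22886e2acea37dd38d8c5ef13dc5ab6c0865383b44968.exe")
MEDIA_CENTER = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

SAMPLE_EVENTS = [  # constructed to mirror the report; PID 900 and the controls are assumed
    {"event_id": 1, "pid": 1568, "ppid": 900, "image": SAMPLE,
     "command_line": '"' + SAMPLE + '"'},
    {"event_id": 13, "pid": 1568,
     "target_object": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "details": MEDIA_CENTER},
    {"event_id": 1, "pid": 1588, "ppid": 1568, "image": MEDIA_CENTER,
     "command_line": MEDIA_CENTER},
    {"event_id": 1, "pid": 1044, "ppid": 1568, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "command_line": r'"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "' + SAMPLE + '"'},
    {"event_id": 1, "pid": 1492, "ppid": 1044, "image": r"C:\Windows\SysWOW64\PING.EXE",
     "command_line": "ping 127.0.0.1"},
    # benign controls (assumed): a connectivity check and an ordinary Run value
    {"event_id": 1, "pid": 2001, "ppid": 900, "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe /c ping 8.8.8.8"},
    {"event_id": 13, "pid": 2002,
     "target_object": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "details": r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
]

# "ping <anything>" chained with & or | into "del"/"erase"; capture del's arguments.
PING_THEN_DEL = re.compile(
    r"\bping(?:\.exe)?\b[^&|]*[&|]+\s*(?:del|erase)\b(?P<args>[^&|]*)", re.IGNORECASE)
# a quoted path or a bare token
DEL_TOKEN = re.compile(r'"([^"]+)"|(\S+)')
# Run / RunOnce under any hive, including the Wow6432Node-redirected view
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.IGNORECASE)
# directories a dropper can write without elevation and that no installer should autostart from
TEMP_DIR = re.compile(r"\\(?:AppData\\Local\\Temp|Windows\\Temp)\\", re.IGNORECASE)


def self_delete_target(command_line):
    """Return the file a 'ping ... & del ...' one-liner deletes, or None."""
    m = PING_THEN_DEL.search(command_line)
    if not m:
        return None
    for quoted, bare in DEL_TOKEN.findall(m.group("args")):
        token = quoted or bare
        if not token.startswith("/"):      # skip switches such as /q /f
            return token
    return None


def run_key_in_temp(target_object, details):
    """True when a Run/RunOnce value points at an executable in a Temp directory."""
    return bool(RUN_KEY.search(target_object) and TEMP_DIR.search(details))


def scan(events):
    """Return (rule, pid, artefact) findings; a del whose target is the parent's
    own image is reported as self_delete_parent, any other ping-then-del as
    ping_then_del."""
    images = {e["pid"]: e["image"] for e in events if e["event_id"] == 1}
    findings = []
    for e in events:
        if e["event_id"] == 13:
            if run_key_in_temp(e["target_object"], e["details"]):
                findings.append(("run_key_points_to_temp", e["pid"], e["details"]))
        elif e["event_id"] == 1:
            target = self_delete_target(e["command_line"])
            if target:
                parent = images.get(e["ppid"], "")
                rule = "self_delete_parent" if target.lower() == parent.lower() else "ping_then_del"
                findings.append((rule, e["pid"], target))
    return findings


if __name__ == "__main__":
    for rule, pid, artefact in scan(SAMPLE_EVENTS):
        print(f"{rule:24} pid={pid} {artefact}")
```

The self-deletion rule keys on the chain operator rather than on 127.0.0.1, since the loopback address and the ping count are trivially changed; tying the del target back to the parent's image path is what separates this cleanup from an ordinary batch job. The Run-key rule deliberately does not flag every AppData path (the OneDrive control would otherwise fire) and restricts itself to Temp directories, which is where this dropper placed its payload.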
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: aaf9304bb514e572e24cfd75537a9985
- SHA1: 673172327de9bfc0236fe5c9ff537bdff21cc834
- SHA256: c56c181b7a2cb84f56486387f2d00fab4206f34b193ce61d8b8c02593d5fae19
- SHA512: 59c331693e48eddc55fe474911541399da47d6ab2539c1b368bae0f0d1d63d2463ed81fec7fe761d2d82468d4d14d03b106f7babd517dd101f025326f3aafe7d