Analysis
-
max time kernel
119s -
max time network
133s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
12-02-2022 06:45
Static task
static1
Behavioral task
behavioral1
Sample
0f0951a135ad2beeed527dc2fe941a4076ea999adfe33843e73243c16dbd2e2b.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
0f0951a135ad2beeed527dc2fe941a4076ea999adfe33843e73243c16dbd2e2b.exe
Resource
win10v2004-en-20220112
General
-
Target
0f0951a135ad2beeed527dc2fe941a4076ea999adfe33843e73243c16dbd2e2b.exe
-
Size
79KB
-
MD5
89d77670ed3f33009431fcc65d23b64d
-
SHA1
59581de470ce92b52516fd324cbf7d44698e4c85
-
SHA256
0f0951a135ad2beeed527dc2fe941a4076ea999adfe33843e73243c16dbd2e2b
-
SHA512
a1ddb17d2e9e064fc3d9478875a5a988303cc585ba290d84281873e0901b82d8e1de88b1c0d68f7e458cbdfbc5b90ec45a5ab0a71cbce5ce402182f87de8ba69
Malware Config
Signatures
-
Sakula Payload 3 IoCs
Processes:
resource yara_rule \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula -
Executes dropped EXE 1 IoCs
Processes:
MediaCenter.exepid process 316 MediaCenter.exe -
Deletes itself 1 IoCs
Processes:
cmd.exepid process 968 cmd.exe -
Loads dropped DLL 2 IoCs
Processes:
0f0951a135ad2beeed527dc2fe941a4076ea999adfe33843e73243c16dbd2e2b.exepid process 1696 0f0951a135ad2beeed527dc2fe941a4076ea999adfe33843e73243c16dbd2e2b.exe 1696 0f0951a135ad2beeed527dc2fe941a4076ea999adfe33843e73243c16dbd2e2b.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
0f0951a135ad2beeed527dc2fe941a4076ea999adfe33843e73243c16dbd2e2b.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" 0f0951a135ad2beeed527dc2fe941a4076ea999adfe33843e73243c16dbd2e2b.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
0f0951a135ad2beeed527dc2fe941a4076ea999adfe33843e73243c16dbd2e2b.exedescription pid process Token: SeIncBasePriorityPrivilege 1696 0f0951a135ad2beeed527dc2fe941a4076ea999adfe33843e73243c16dbd2e2b.exe -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
0f0951a135ad2beeed527dc2fe941a4076ea999adfe33843e73243c16dbd2e2b.execmd.exedescription pid process target process PID 1696 wrote to memory of 316 1696 0f0951a135ad2beeed527dc2fe941a4076ea999adfe33843e73243c16dbd2e2b.exe MediaCenter.exe PID 1696 wrote to memory of 316 1696 0f0951a135ad2beeed527dc2fe941a4076ea999adfe33843e73243c16dbd2e2b.exe MediaCenter.exe PID 1696 wrote to memory of 316 1696 0f0951a135ad2beeed527dc2fe941a4076ea999adfe33843e73243c16dbd2e2b.exe MediaCenter.exe PID 1696 wrote to memory of 316 1696 0f0951a135ad2beeed527dc2fe941a4076ea999adfe33843e73243c16dbd2e2b.exe MediaCenter.exe PID 1696 wrote to memory of 968 1696 0f0951a135ad2beeed527dc2fe941a4076ea999adfe33843e73243c16dbd2e2b.exe cmd.exe PID 1696 wrote to memory of 968 1696 0f0951a135ad2beeed527dc2fe941a4076ea999adfe33843e73243c16dbd2e2b.exe cmd.exe PID 1696 wrote to memory of 968 1696 0f0951a135ad2beeed527dc2fe941a4076ea999adfe33843e73243c16dbd2e2b.exe cmd.exe PID 1696 wrote to memory of 968 1696 0f0951a135ad2beeed527dc2fe941a4076ea999adfe33843e73243c16dbd2e2b.exe cmd.exe PID 968 wrote to memory of 1920 968 cmd.exe PING.EXE PID 968 wrote to memory of 1920 968 cmd.exe PING.EXE PID 968 wrote to memory of 1920 968 cmd.exe PING.EXE PID 968 wrote to memory of 1920 968 cmd.exe PING.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\0f0951a135ad2beeed527dc2fe941a4076ea999adfe33843e73243c16dbd2e2b.exe"C:\Users\Admin\AppData\Local\Temp\0f0951a135ad2beeed527dc2fe941a4076ea999adfe33843e73243c16dbd2e2b.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1696 -
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeC:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe2⤵
- Executes dropped EXE
PID:316 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0f0951a135ad2beeed527dc2fe941a4076ea999adfe33843e73243c16dbd2e2b.exe"2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:968 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.13⤵
- Runs ping.exe
PID:1920
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
92cb7c155f385b7a99f9b9a5d890fe84
SHA189a14863f34509e8265e900ddbba8c8effb2172e
SHA2561c4463dcb15193a6ac3f260eec840b60627b62dc01cd11f0a1b6659805d35a19
SHA512ee6e6f120cadcfc61a1e9a63bb219bdb4ef1e37121dbd8b3de18c8a18ed0b802c5059cd0e0fef1bf601516b72d7d754c2a849f5bf59a0a9ef854c580abc09fe3
-
MD5
92cb7c155f385b7a99f9b9a5d890fe84
SHA189a14863f34509e8265e900ddbba8c8effb2172e
SHA2561c4463dcb15193a6ac3f260eec840b60627b62dc01cd11f0a1b6659805d35a19
SHA512ee6e6f120cadcfc61a1e9a63bb219bdb4ef1e37121dbd8b3de18c8a18ed0b802c5059cd0e0fef1bf601516b72d7d754c2a849f5bf59a0a9ef854c580abc09fe3
-
MD5
92cb7c155f385b7a99f9b9a5d890fe84
SHA189a14863f34509e8265e900ddbba8c8effb2172e
SHA2561c4463dcb15193a6ac3f260eec840b60627b62dc01cd11f0a1b6659805d35a19
SHA512ee6e6f120cadcfc61a1e9a63bb219bdb4ef1e37121dbd8b3de18c8a18ed0b802c5059cd0e0fef1bf601516b72d7d754c2a849f5bf59a0a9ef854c580abc09fe3