Analysis
- max time kernel: 160s
- max time network: 170s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 06:46
Static task: static1
Behavioral task: behavioral1
- Sample: 0f0735dc340c4c0b40b919668ea1ff114ae561a6214805ffbcdc56f7e2073208.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 0f0735dc340c4c0b40b919668ea1ff114ae561a6214805ffbcdc56f7e2073208.exe
- Resource: win10v2004-en-20220113
General
- Target: 0f0735dc340c4c0b40b919668ea1ff114ae561a6214805ffbcdc56f7e2073208.exe
- Size: 176KB
- MD5: a3cff4add41773834124efa4f989a87f
- SHA1: d8661cb0612419c4245305e88094dd38bcecf670
- SHA256: 0f0735dc340c4c0b40b919668ea1ff114ae561a6214805ffbcdc56f7e2073208
- SHA512: d1d87419e4c65ae306a1df67ae9bf618c309015773f46f33a9763a14999bfb3f1b4aec0434fd086d9550cb624a8c91cdbe5709158b2586b568f5f3a185483494
Malware Config
Signatures
- Sakula Payload (4 IoCs)
  Processes (resource / yara_rule):
  - \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe: family_sakula
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe: family_sakula
  - behavioral1/memory/792-58-0x0000000000400000-0x0000000000420000-memory.dmp: family_sakula
  - behavioral1/memory/1820-59-0x0000000000400000-0x0000000000420000-memory.dmp: family_sakula
- Executes dropped EXE (1 IoC)
  Processes (pid / process):
  - 1820 MediaCenter.exe
- Deletes itself (1 IoC)
  Processes (pid / process):
  - 1324 cmd.exe
- Loads dropped DLL (1 IoC)
  Processes (pid / process):
  - 792 0f0735dc340c4c0b40b919668ea1ff114ae561a6214805ffbcdc56f7e2073208.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description / ioc / process):
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" by 0f0735dc340c4c0b40b919668ea1ff114ae561a6214805ffbcdc56f7e2073208.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description / pid / process):
  - Token: SeIncBasePriorityPrivilege, 792 0f0735dc340c4c0b40b919668ea1ff114ae561a6214805ffbcdc56f7e2073208.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description / pid / process / target process):
  - PID 792 wrote to memory of 1820: 0f0735dc340c4c0b40b919668ea1ff114ae561a6214805ffbcdc56f7e2073208.exe -> MediaCenter.exe (listed 4 times)
  - PID 792 wrote to memory of 1324: 0f0735dc340c4c0b40b919668ea1ff114ae561a6214805ffbcdc56f7e2073208.exe -> cmd.exe (listed 4 times)
  - PID 1324 wrote to memory of 1980: cmd.exe -> PING.EXE (listed 4 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\0f0735dc340c4c0b40b919668ea1ff114ae561a6214805ffbcdc56f7e2073208.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0f0735dc340c4c0b40b919668ea1ff114ae561a6214805ffbcdc56f7e2073208.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 792
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1820
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0f0735dc340c4c0b40b919668ea1ff114ae561a6214805ffbcdc56f7e2073208.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1324
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1980
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 55c579ffc59d26ebd900f8f963df9f09
  SHA1: aeb16283e374b6fbd634dd484394d91dda6a3428
  SHA256: 3490c6b1ab54ab2a0cd0549857ea2f185c00c40510fff5f412142a323aa33edd
  SHA512: 11de82a7449de8f37eb6cc87f88f6a46b975b75b03e5ea62ef56cf6beadb94bd83e718c5f85da7d5c24f3e2dacdc6ea955924042bd77663e78c49df1767cfbf3