Analysis
-
max time kernel
147s -
max time network
157s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
12-02-2022 06:46
Static task
static1
Behavioral task
behavioral1
Sample
0f055f3137e08e60fff6271ac8665723e38c71c0663cd7a4796203bf0b4f2b53.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
0f055f3137e08e60fff6271ac8665723e38c71c0663cd7a4796203bf0b4f2b53.exe
Resource
win10v2004-en-20220112
General
-
Target
0f055f3137e08e60fff6271ac8665723e38c71c0663cd7a4796203bf0b4f2b53.exe
-
Size
216KB
-
MD5
de2e33614b5252f8fc4a904c184e113c
-
SHA1
308534741cecae7488b25261ca08c039206e9e7f
-
SHA256
0f055f3137e08e60fff6271ac8665723e38c71c0663cd7a4796203bf0b4f2b53
-
SHA512
08b9a9e4755932ef025e85d89adf27a8eeb2f3bf2b6697072d46c52de23d853e8ba645f321695bc2f925ecb2d7f8a402091c888e27b053cd8f75215b34aa6259
Malware Config
Signatures
-
Sakula Payload 4 IoCs
Processes:
resource yara_rule \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula behavioral1/memory/1524-58-0x0000000000400000-0x0000000000420000-memory.dmp family_sakula behavioral1/memory/1492-59-0x0000000000400000-0x0000000000420000-memory.dmp family_sakula -
Executes dropped EXE 1 IoCs
Processes:
MediaCenter.exepid process 1492 MediaCenter.exe -
Deletes itself 1 IoCs
Processes:
cmd.exepid process 1708 cmd.exe -
Loads dropped DLL 1 IoCs
Processes:
0f055f3137e08e60fff6271ac8665723e38c71c0663cd7a4796203bf0b4f2b53.exepid process 1524 0f055f3137e08e60fff6271ac8665723e38c71c0663cd7a4796203bf0b4f2b53.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
0f055f3137e08e60fff6271ac8665723e38c71c0663cd7a4796203bf0b4f2b53.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" 0f055f3137e08e60fff6271ac8665723e38c71c0663cd7a4796203bf0b4f2b53.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
0f055f3137e08e60fff6271ac8665723e38c71c0663cd7a4796203bf0b4f2b53.exedescription pid process Token: SeIncBasePriorityPrivilege 1524 0f055f3137e08e60fff6271ac8665723e38c71c0663cd7a4796203bf0b4f2b53.exe -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
0f055f3137e08e60fff6271ac8665723e38c71c0663cd7a4796203bf0b4f2b53.execmd.exedescription pid process target process PID 1524 wrote to memory of 1492 1524 0f055f3137e08e60fff6271ac8665723e38c71c0663cd7a4796203bf0b4f2b53.exe MediaCenter.exe PID 1524 wrote to memory of 1492 1524 0f055f3137e08e60fff6271ac8665723e38c71c0663cd7a4796203bf0b4f2b53.exe MediaCenter.exe PID 1524 wrote to memory of 1492 1524 0f055f3137e08e60fff6271ac8665723e38c71c0663cd7a4796203bf0b4f2b53.exe MediaCenter.exe PID 1524 wrote to memory of 1492 1524 0f055f3137e08e60fff6271ac8665723e38c71c0663cd7a4796203bf0b4f2b53.exe MediaCenter.exe PID 1524 wrote to memory of 1708 1524 0f055f3137e08e60fff6271ac8665723e38c71c0663cd7a4796203bf0b4f2b53.exe cmd.exe PID 1524 wrote to memory of 1708 1524 0f055f3137e08e60fff6271ac8665723e38c71c0663cd7a4796203bf0b4f2b53.exe cmd.exe PID 1524 wrote to memory of 1708 1524 0f055f3137e08e60fff6271ac8665723e38c71c0663cd7a4796203bf0b4f2b53.exe cmd.exe PID 1524 wrote to memory of 1708 1524 0f055f3137e08e60fff6271ac8665723e38c71c0663cd7a4796203bf0b4f2b53.exe cmd.exe PID 1708 wrote to memory of 288 1708 cmd.exe PING.EXE PID 1708 wrote to memory of 288 1708 cmd.exe PING.EXE PID 1708 wrote to memory of 288 1708 cmd.exe PING.EXE PID 1708 wrote to memory of 288 1708 cmd.exe PING.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\0f055f3137e08e60fff6271ac8665723e38c71c0663cd7a4796203bf0b4f2b53.exe"C:\Users\Admin\AppData\Local\Temp\0f055f3137e08e60fff6271ac8665723e38c71c0663cd7a4796203bf0b4f2b53.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1524 -
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeC:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe2⤵
- Executes dropped EXE
PID:1492 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0f055f3137e08e60fff6271ac8665723e38c71c0663cd7a4796203bf0b4f2b53.exe"2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1708 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.13⤵
- Runs ping.exe
PID:288
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
4a5fcd222c244568f42b1c729b57009e
SHA1a77eeb842644b2ba6e45f3dbbe5cd5cb09d74872
SHA2562ebad1cd3dce2e90f89b434db1e57167a28557484bd83afde9bb69af33908199
SHA5128fa1d1c59529c928f0bb909116ce1f96fd4a8b9559ef7d9541ba89da7db836c9dfa9f434f24fa60a3e5fc261fc8dc3b029c4698dbc3d69b03fd1be711219bc59
-
MD5
4a5fcd222c244568f42b1c729b57009e
SHA1a77eeb842644b2ba6e45f3dbbe5cd5cb09d74872
SHA2562ebad1cd3dce2e90f89b434db1e57167a28557484bd83afde9bb69af33908199
SHA5128fa1d1c59529c928f0bb909116ce1f96fd4a8b9559ef7d9541ba89da7db836c9dfa9f434f24fa60a3e5fc261fc8dc3b029c4698dbc3d69b03fd1be711219bc59