Analysis
- max time kernel: 119s
- max time network: 125s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 06:58
Static task: static1
Behavioral task: behavioral1
  Sample: 0eeb20908376f85725b70c43cb81f25167af8acaf555874f56dc1723a679e402.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0eeb20908376f85725b70c43cb81f25167af8acaf555874f56dc1723a679e402.exe
  Resource: win10v2004-en-20220112
General
- Target: 0eeb20908376f85725b70c43cb81f25167af8acaf555874f56dc1723a679e402.exe
- Size: 80KB
- MD5: 4fd7c8fe5ae08c1bd2193eff81a64cd6
- SHA1: 1112836579b3a4e4d0d98c4c6eb149bef21e7de4
- SHA256: 0eeb20908376f85725b70c43cb81f25167af8acaf555874f56dc1723a679e402
- SHA512: 02ac4765dd9594ca601e668cf652ab49906e3eb22e9cf52e298104446735f59c07fed5de858206c07a68de7d0ff25347febf3f1f686db0834c62b20d1333046c
Malware Config
Signatures
- Sakula Payload (3 IoCs)
  Processes (resource | yara_rule):
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- Executes dropped EXE (1 IoC)
  Processes (pid | process):
  1540 | MediaCenter.exe
- Deletes itself (1 IoC)
  Processes (pid | process):
  1244 | cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid | process):
  1128 | 0eeb20908376f85725b70c43cb81f25167af8acaf555874f56dc1723a679e402.exe
  1128 | 0eeb20908376f85725b70c43cb81f25167af8acaf555874f56dc1723a679e402.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description | ioc | process):
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 0eeb20908376f85725b70c43cb81f25167af8acaf555874f56dc1723a679e402.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description | pid | process):
  Token: SeIncBasePriorityPrivilege | 1128 | 0eeb20908376f85725b70c43cb81f25167af8acaf555874f56dc1723a679e402.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description | pid | process | target process):
  PID 1128 wrote to memory of 1540 | 1128 | 0eeb20908376f85725b70c43cb81f25167af8acaf555874f56dc1723a679e402.exe | MediaCenter.exe
  PID 1128 wrote to memory of 1540 | 1128 | 0eeb20908376f85725b70c43cb81f25167af8acaf555874f56dc1723a679e402.exe | MediaCenter.exe
  PID 1128 wrote to memory of 1540 | 1128 | 0eeb20908376f85725b70c43cb81f25167af8acaf555874f56dc1723a679e402.exe | MediaCenter.exe
  PID 1128 wrote to memory of 1540 | 1128 | 0eeb20908376f85725b70c43cb81f25167af8acaf555874f56dc1723a679e402.exe | MediaCenter.exe
  PID 1128 wrote to memory of 1244 | 1128 | 0eeb20908376f85725b70c43cb81f25167af8acaf555874f56dc1723a679e402.exe | cmd.exe
  PID 1128 wrote to memory of 1244 | 1128 | 0eeb20908376f85725b70c43cb81f25167af8acaf555874f56dc1723a679e402.exe | cmd.exe
  PID 1128 wrote to memory of 1244 | 1128 | 0eeb20908376f85725b70c43cb81f25167af8acaf555874f56dc1723a679e402.exe | cmd.exe
  PID 1128 wrote to memory of 1244 | 1128 | 0eeb20908376f85725b70c43cb81f25167af8acaf555874f56dc1723a679e402.exe | cmd.exe
  PID 1244 wrote to memory of 1996 | 1244 | cmd.exe | PING.EXE
  PID 1244 wrote to memory of 1996 | 1244 | cmd.exe | PING.EXE
  PID 1244 wrote to memory of 1996 | 1244 | cmd.exe | PING.EXE
  PID 1244 wrote to memory of 1996 | 1244 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\0eeb20908376f85725b70c43cb81f25167af8acaf555874f56dc1723a679e402.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0eeb20908376f85725b70c43cb81f25167af8acaf555874f56dc1723a679e402.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1128
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1540
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0eeb20908376f85725b70c43cb81f25167af8acaf555874f56dc1723a679e402.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1244
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1996
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 7528b8a9b8cf8bdb8021a9ec3e3b801b
  SHA1: 1626679de9fa453d6265300ca0fd0efe9a9b694b
  SHA256: 9a9f786d67d7b100b8adc13ba8e42e029f87b3153987bd9f90a4c862f1ce2966
  SHA512: f152546bf491477b4028025d0de5b4ad1dfab85f639cbc56bf78c9f28941260ab78187935b2d306cc7936318121ddd9f16bdc301a48d92f9287f54a015e9a3de