Analysis
- max time kernel: 125s
- max time network: 156s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 06:59
Static task: static1
Behavioral task: behavioral1
  Sample: 0ee3a70eee79d621bcf4ed84d75ef52ab772335ecdcaf5c616ac782a5c52786b.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0ee3a70eee79d621bcf4ed84d75ef52ab772335ecdcaf5c616ac782a5c52786b.exe
  Resource: win10v2004-en-20220113
General
- Target: 0ee3a70eee79d621bcf4ed84d75ef52ab772335ecdcaf5c616ac782a5c52786b.exe
- Size: 99KB
- MD5: ebbac991db86c808f50834b983686ab4
- SHA1: b87eb0049b0b1a89dcb29195ab59c5c4961d89b2
- SHA256: 0ee3a70eee79d621bcf4ed84d75ef52ab772335ecdcaf5c616ac782a5c52786b
- SHA512: a8b1fbc3a86d6a4c1928c5e686050389bc6fd1c36aa1f956874e55fe09491057f78536636576f50218dca208743f48b23d82e1f11f9695e282884f31542a1e6c
Malware Config
Signatures
- Sakula Payload (3 IoCs)
  Processes:
    resource: \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe, yara_rule: family_sakula
    resource: \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe, yara_rule: family_sakula
    resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe, yara_rule: family_sakula
- Executes dropped EXE (1 IoC)
  Processes:
    pid: 1596, process: MediaCenter.exe
- Deletes itself (1 IoC)
  Processes:
    pid: 812, process: cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes:
    pid: 1908, process: 0ee3a70eee79d621bcf4ed84d75ef52ab772335ecdcaf5c616ac782a5c52786b.exe
    pid: 1908, process: 0ee3a70eee79d621bcf4ed84d75ef52ab772335ecdcaf5c616ac782a5c52786b.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    description: Set value (str)
    ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
    process: 0ee3a70eee79d621bcf4ed84d75ef52ab772335ecdcaf5c616ac782a5c52786b.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description: Token: SeIncBasePriorityPrivilege, pid: 1908, process: 0ee3a70eee79d621bcf4ed84d75ef52ab772335ecdcaf5c616ac782a5c52786b.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
    description: PID 1908 wrote to memory of 1596, pid: 1908, process: 0ee3a70eee79d621bcf4ed84d75ef52ab772335ecdcaf5c616ac782a5c52786b.exe, target process: MediaCenter.exe (4 occurrences)
    description: PID 1908 wrote to memory of 812, pid: 1908, process: 0ee3a70eee79d621bcf4ed84d75ef52ab772335ecdcaf5c616ac782a5c52786b.exe, target process: cmd.exe (4 occurrences)
    description: PID 812 wrote to memory of 1056, pid: 812, process: cmd.exe, target process: PING.EXE (4 occurrences)
Processes
- C:\Users\Admin\AppData\Local\Temp\0ee3a70eee79d621bcf4ed84d75ef52ab772335ecdcaf5c616ac782a5c52786b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0ee3a70eee79d621bcf4ed84d75ef52ab772335ecdcaf5c616ac782a5c52786b.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1908
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1596
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0ee3a70eee79d621bcf4ed84d75ef52ab772335ecdcaf5c616ac782a5c52786b.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 812
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1056
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: fd6f6a4aed5f02608e33677edadbbe36
  SHA1: 0d74b72be824fec7281ba43951f68a4a71deb071
  SHA256: 549b61cee06af41a9f907f0c76af685657bfb5eb1f36cee891292043bb3aa32d
  SHA512: bd13623779deb87efc35bd4d2504ab2b78e5233dc2a988942fc9fd22e740af54cd05fa536c4303c1069c89c63265770447ac1173b5b23b0237b89e016878fcd1