Analysis
- max time kernel: 122s
- max time network: 135s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 07:09
Static task: static1
Behavioral task: behavioral1
- Sample: 0e5b520a7a45aa61affaeb723fea6a160f0066ff8017c106dbeb8b933a68273e.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 0e5b520a7a45aa61affaeb723fea6a160f0066ff8017c106dbeb8b933a68273e.exe
- Resource: win10v2004-en-20220113
General
- Target: 0e5b520a7a45aa61affaeb723fea6a160f0066ff8017c106dbeb8b933a68273e.exe
- Size: 80KB
- MD5: 99441edaecc221bf6ac36dcfe68860c8
- SHA1: 9f7b6efac4eaeb422c3b4d47abd0b133afecf47d
- SHA256: 0e5b520a7a45aa61affaeb723fea6a160f0066ff8017c106dbeb8b933a68273e
- SHA512: a85f3d503054847322944f1b96124b4ede3b39b46564d0c28d5a858207b3637adf17b778dbeaf5c37c1213defccedfece805df720912245ea13dfd29e8ee9b72
Malware Config
Signatures
- Sakula Payload (3 IoCs)
  Processes:
  resource | yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- Executes dropped EXE (1 IoCs)
  Processes:
  pid | process
  1924 | MediaCenter.exe
- Deletes itself (1 IoCs)
  Processes:
  pid | process
  1320 | cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes:
  pid | process
  1568 | 0e5b520a7a45aa61affaeb723fea6a160f0066ff8017c106dbeb8b933a68273e.exe (recorded 2 times)
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 0e5b520a7a45aa61affaeb723fea6a160f0066ff8017c106dbeb8b933a68273e.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 1568 | 0e5b520a7a45aa61affaeb723fea6a160f0066ff8017c106dbeb8b933a68273e.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
  description | pid | process | target process
  PID 1568 wrote to memory of 1924 | 1568 | 0e5b520a7a45aa61affaeb723fea6a160f0066ff8017c106dbeb8b933a68273e.exe | MediaCenter.exe (recorded 4 times)
  PID 1568 wrote to memory of 1320 | 1568 | 0e5b520a7a45aa61affaeb723fea6a160f0066ff8017c106dbeb8b933a68273e.exe | cmd.exe (recorded 4 times)
  PID 1320 wrote to memory of 392 | 1320 | cmd.exe | PING.EXE (recorded 4 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\0e5b520a7a45aa61affaeb723fea6a160f0066ff8017c106dbeb8b933a68273e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0e5b520a7a45aa61affaeb723fea6a160f0066ff8017c106dbeb8b933a68273e.exe"
  Depth: 1
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1568
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Depth: 2
    - Executes dropped EXE
    PID: 1924
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0e5b520a7a45aa61affaeb723fea6a160f0066ff8017c106dbeb8b933a68273e.exe"
    Depth: 2
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1320
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      Depth: 3
      - Runs ping.exe
      PID: 392
Network
MITRE ATT&CK Enterprise v6
Downloads
- Downloaded file (the report lists this entry 3 times with identical hashes)
  MD5: d1a4911f61e6a70271fe51d5ec4309a3
  SHA1: 6a81eeaefc26fdc57acfe3e8ba5869a00ad73159
  SHA256: bbdb28b5a84b827eb235fd1ccd7de74e94845f93381fca4f1518db56962d9834
  SHA512: 44dbf9b681a957875035a384ff5e876a82a3d658518b7a857fed6830cc00053c7e886a983072f02940565adb6c841619ba8bed153a32d3b8a3c5c6be027e837e