Analysis
- max time kernel: 143s
- max time network: 155s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 07:08

Static task: static1

Behavioral task: behavioral1
- Sample: 0e6b8d14e04e55ea3836d9de67a5b5314c66210701cb504bebed269030079856.exe
- Resource: win7-en-20211208

Behavioral task: behavioral2
- Sample: 0e6b8d14e04e55ea3836d9de67a5b5314c66210701cb504bebed269030079856.exe
- Resource: win10v2004-en-20220112
General
- Target: 0e6b8d14e04e55ea3836d9de67a5b5314c66210701cb504bebed269030079856.exe
- Size: 191KB
- MD5: 6875b11b2e7da9aeb6370077f6b228d3
- SHA1: fc94eaf90b170a615dd19557399e8b9a8855114d
- SHA256: 0e6b8d14e04e55ea3836d9de67a5b5314c66210701cb504bebed269030079856
- SHA512: b3d7fcb169dbf15652612f2cfbc3ac7177c1329bbe9f3c7c36e59607ffa84351824ed59931b044e2f739fe4a099c7d1ca134c66450d931960993a94606bdfa4b
Malware Config
Signatures
- Sakula Payload (3 IoCs)
  Processes:
  resource | yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- Executes dropped EXE (1 IoC)
  Processes:
  pid | process
  940 | MediaCenter.exe
- Deletes itself (1 IoC)
  Processes:
  pid | process
  1652 | cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes:
  pid | process
  1528 | 0e6b8d14e04e55ea3836d9de67a5b5314c66210701cb504bebed269030079856.exe
  1528 | 0e6b8d14e04e55ea3836d9de67a5b5314c66210701cb504bebed269030079856.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 0e6b8d14e04e55ea3836d9de67a5b5314c66210701cb504bebed269030079856.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox labels this "likely ransomware behaviour", but the signature is generic and fires on drive enumeration alone; no file-encryption activity appears elsewhere in this report, and the payload matched here is the Sakula backdoor, not a ransomware family.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 1528 | 0e6b8d14e04e55ea3836d9de67a5b5314c66210701cb504bebed269030079856.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
  description | pid | process | target process
  PID 1528 wrote to memory of 940 | 1528 | 0e6b8d14e04e55ea3836d9de67a5b5314c66210701cb504bebed269030079856.exe | MediaCenter.exe
  PID 1528 wrote to memory of 940 | 1528 | 0e6b8d14e04e55ea3836d9de67a5b5314c66210701cb504bebed269030079856.exe | MediaCenter.exe
  PID 1528 wrote to memory of 940 | 1528 | 0e6b8d14e04e55ea3836d9de67a5b5314c66210701cb504bebed269030079856.exe | MediaCenter.exe
  PID 1528 wrote to memory of 940 | 1528 | 0e6b8d14e04e55ea3836d9de67a5b5314c66210701cb504bebed269030079856.exe | MediaCenter.exe
  PID 1528 wrote to memory of 1652 | 1528 | 0e6b8d14e04e55ea3836d9de67a5b5314c66210701cb504bebed269030079856.exe | cmd.exe
  PID 1528 wrote to memory of 1652 | 1528 | 0e6b8d14e04e55ea3836d9de67a5b5314c66210701cb504bebed269030079856.exe | cmd.exe
  PID 1528 wrote to memory of 1652 | 1528 | 0e6b8d14e04e55ea3836d9de67a5b5314c66210701cb504bebed269030079856.exe | cmd.exe
  PID 1528 wrote to memory of 1652 | 1528 | 0e6b8d14e04e55ea3836d9de67a5b5314c66210701cb504bebed269030079856.exe | cmd.exe
  PID 1652 wrote to memory of 1640 | 1652 | cmd.exe | PING.EXE
  PID 1652 wrote to memory of 1640 | 1652 | cmd.exe | PING.EXE
  PID 1652 wrote to memory of 1640 | 1652 | cmd.exe | PING.EXE
  PID 1652 wrote to memory of 1640 | 1652 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\0e6b8d14e04e55ea3836d9de67a5b5314c66210701cb504bebed269030079856.exe (PID 1528)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0e6b8d14e04e55ea3836d9de67a5b5314c66210701cb504bebed269030079856.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 940)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 1652)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0e6b8d14e04e55ea3836d9de67a5b5314c66210701cb504bebed269030079856.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 1640)
      Command line: ping 127.0.0.1
      - Runs ping.exe

The command line names System32\cmd.exe but the image that ran is SysWOW64\cmd.exe: the sample is a 32-bit process on 64-bit Windows, so file-system redirection maps System32 to SysWOW64 for it, which is consistent with the Run key landing under Wow6432Node. The ping to 127.0.0.1 is only a delay so that the original executable has exited and its image is unlocked before del runs; the dropped copy under MicroMedia\ persists via the Run key.
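A hunting check for the two behaviours this report records, a Run key whose value points into the user's Temp directory and the ping-then-del self-deletion through cmd.exe, as an added example that is not part of the sandbox report or of any Sakula analysis tooling. It runs over hand-constructed events shaped after the process tree above; the Sysmon-style field names (image, parent_image, cmdline, target, details) are an assumption, and the acceptance of timeout as the sleep command and the temp-resident-parent check generalise beyond what this one sample shows.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed records modelled on this report's process tree and Run-key write.
# Field names loosely follow Sysmon (Image, ParentImage, CommandLine, TargetObject,
# Details); the events are hand-built for this example, not exported from the sandbox.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\0e6b8d14e04e55ea3836d9de67a5b5314c66210701cb504bebed269030079856.exe")
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

EVENTS: List[Dict[str, str]] = [
    {"kind": "process", "pid": "1528", "image": SAMPLE,
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": f'"{SAMPLE}"'},
    {"kind": "registry", "pid": "1528", "image": SAMPLE,
     "target": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "details": DROPPED},
    {"kind": "process", "pid": "940", "image": DROPPED,
     "parent_image": SAMPLE, "cmdline": DROPPED},
    {"kind": "process", "pid": "1652", "image": r"C:\Windows\SysWOW64\cmd.exe",
     "parent_image": SAMPLE,
     "cmdline": f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"'},
    {"kind": "process", "pid": "1640", "image": r"C:\Windows\SysWOW64\PING.EXE",
     "parent_image": r"C:\Windows\SysWOW64\cmd.exe", "cmdline": "ping 127.0.0.1"},
    # Benign control (constructed): the same ping-then-del idiom aimed at a log file,
    # launched from Explorer rather than by the file being deleted. Must not fire.
    {"kind": "process", "pid": "2000", "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'cmd.exe /c ping 127.0.0.1 & del /q "C:\Temp\old.log"'},
]

RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
USER_TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
# "ping" or "timeout" used as a sleep, followed by del/erase of a quoted or bare path.
SLEEP_RE = re.compile(r"\b(ping|timeout)(\.exe)?\b", re.I)
DEL_RE = re.compile(r'\b(del|erase)\b(?:\s+/[a-z])*\s+"?([^"&|]+?)"?\s*(?:$|[&|])', re.I)

Finding = Tuple[str, str, str]  # (rule name, pid, evidence)


def norm(path: str) -> str:
    """Canonicalise a path for comparison: strip surrounding quotes and case."""
    return path.strip().strip('"').lower()


def self_delete_target(ev: Dict[str, str]) -> Optional[str]:
    """Flag command lines of the form 'ping ... & del <path>' where <path> is the
    parent process's own image, i.e. the launcher is erasing itself."""
    cmd = ev.get("cmdline", "")
    if not SLEEP_RE.search(cmd):
        return None
    m = DEL_RE.search(cmd)
    if not m:
        return None
    target = norm(m.group(2))
    return target if target == norm(ev.get("parent_image", "")) else None


def run_key_into_user_temp(ev: Dict[str, str]) -> Optional[str]:
    """Flag Run/RunOnce values whose data points into the user's Temp directory."""
    if not RUN_KEY_RE.search(ev.get("target", "")):
        return None
    data = norm(ev.get("details", ""))
    return data if USER_TEMP_RE.search(data) else None


def dropped_exe_from_user_temp(ev: Dict[str, str]) -> Optional[str]:
    """Flag a process whose image and parent image both live under user Temp:
    a temp-resident binary launching another temp-resident binary it dropped."""
    image, parent = norm(ev.get("image", "")), norm(ev.get("parent_image", ""))
    if USER_TEMP_RE.search(image) and USER_TEMP_RE.search(parent):
        return image
    return None


def hunt(events: List[Dict[str, str]]) -> List[Finding]:
    """Run the three checks over the event list and return every match."""
    findings: List[Finding] = []
    for ev in events:
        if ev["kind"] == "process":
            t = self_delete_target(ev)
            if t:
                findings.append(("self_delete_via_ping_del", ev["pid"], t))
            d = dropped_exe_from_user_temp(ev)
            if d:
                findings.append(("dropped_exe_from_user_temp", ev["pid"], d))
        elif ev["kind"] == "registry":
            r = run_key_into_user_temp(ev)
            if r:
                findings.append(("run_key_into_user_temp", ev["pid"], r))
    return findings


if __name__ == "__main__":
    for rule, pid, evidence in hunt(EVENTS):
        print(f"{rule:28} pid={pid:5} {evidence}")
```

The self-deletion rule keys on the relationship between the del target and the parent image rather than on the ping string alone, which is why the constructed benign control (an operator deleting a log file with the same idiom) does not match; in a real deployment the same three checks map onto Sysmon event IDs 1 and 13 with the fields renamed.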
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: da590ea58c5cc1bc65dcd6b5710535ed
  SHA1: f499f288c34be8043750d01016f86e7b4858b07f
  SHA256: a8bc5c9e3f5e611454ca1a9aec094691f8a0afae00c89d9b0e5622a0dd9c4455
  SHA512: 0fee8fc76ec214d7adfdbf0b3d6311bf1d66fc46080d762d790ea9803bdc5467faf212cc91dbc200c7ea4bfa0b9c00f1c3b8e359722f17d523285842b2acf675