Analysis
- max time kernel: 125s
- max time network: 145s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 07:09
Static task: static1
Behavioral task: behavioral1
- Sample: 0e6614d77a6142be9b96f5e01cf1c5da6b9a72b928481422af04eff3376625c1.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 0e6614d77a6142be9b96f5e01cf1c5da6b9a72b928481422af04eff3376625c1.exe
- Resource: win10v2004-en-20220113
General
- Target: 0e6614d77a6142be9b96f5e01cf1c5da6b9a72b928481422af04eff3376625c1.exe
- Size: 80KB
- MD5: df66d7ecf3c62064e19b2a71dd056719
- SHA1: edbe6d5be26cb5d2401e162f0f5a097473525cde
- SHA256: 0e6614d77a6142be9b96f5e01cf1c5da6b9a72b928481422af04eff3376625c1
- SHA512: 3f65438d9a609b37fc02d0beaee4e7a443fc4c29f0bc549a90baf6daa809e51aedab0cf7f2b47bd6abdc9c945e9556388f4c589ad01964eb0c45e9069031f60d
Malware Config
Signatures
-
Sakula Payload (3 IoCs)
  resource | yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
-
Executes dropped EXE (1 IoC)
  pid | process
  1668 | MediaCenter.exe
-
Deletes itself (1 IoC)
  pid | process
  1212 | cmd.exe
-
Loads dropped DLL (2 IoCs)
  pid | process
  308 | 0e6614d77a6142be9b96f5e01cf1c5da6b9a72b928481422af04eff3376625c1.exe
  308 | 0e6614d77a6142be9b96f5e01cf1c5da6b9a72b928481422af04eff3376625c1.exe
-
Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 0e6614d77a6142be9b96f5e01cf1c5da6b9a72b928481422af04eff3376625c1.exe
  The Wow6432Node path shows the write came from a 32-bit process on the x64 guest (WOW64 registry redirection of HKLM\SOFTWARE); the same value seen from a 64-bit view is HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroMedia. The value points at the dropped MediaCenter.exe under the user's Temp directory, which is how the Sakula payload is kept running across logons.
-
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's canned text rates this as likely ransomware behaviour, but the heuristic is generic; the family match for this sample is Sakula, a remote-access trojan, so treat the signature as supporting context rather than as a ransomware indicator.
-
Runs ping.exe (1 TTP, 1 IoC)
  pid | process | command line
  980 | PING.EXE | ping 127.0.0.1
  The ping to the loopback address is not network activity of interest; it is the usual delay trick, giving the parent time to exit before the chained del removes the original sample from disk (see the cmd.exe command line in the process tree below).
-
Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 308 | 0e6614d77a6142be9b96f5e01cf1c5da6b9a72b928481422af04eff3376625c1.exe
-
Suspicious use of WriteProcessMemory (12 IoCs)
  pid | process | target pid | target process
  308 | 0e6614d77a6142be9b96f5e01cf1c5da6b9a72b928481422af04eff3376625c1.exe | 1668 | MediaCenter.exe (4 identical entries)
  308 | 0e6614d77a6142be9b96f5e01cf1c5da6b9a72b928481422af04eff3376625c1.exe | 1212 | cmd.exe (4 identical entries)
  1212 | cmd.exe | 980 | PING.EXE (4 identical entries)
  Each group of four coincides with one child-process creation in the tree below, and every target is the writer's own child; no write into an unrelated process is recorded. That pattern is consistent with the sandbox hooking the memory writes a parent performs while spawning a child, not with injection into a third-party process, so on this report the signature adds little beyond the process tree itself.
Processes
- C:\Users\Admin\AppData\Local\Temp\0e6614d77a6142be9b96f5e01cf1c5da6b9a72b928481422af04eff3376625c1.exe (PID 308)
  command line: "C:\Users\Admin\AppData\Local\Temp\0e6614d77a6142be9b96f5e01cf1c5da6b9a72b928481422af04eff3376625c1.exe"
  signatures: Loads dropped DLL; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 1668, child of 308)
    command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    signatures: Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 1212, child of 308)
    command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0e6614d77a6142be9b96f5e01cf1c5da6b9a72b928481422af04eff3376625c1.exe"
    signatures: Deletes itself; Suspicious use of WriteProcessMemory
    (the command line names System32\cmd.exe, but the 32-bit parent is subject to WOW64 file-system redirection, so the image actually loaded is SysWOW64\cmd.exe)
    - C:\Windows\SysWOW64\PING.EXE (PID 980, child of 1212)
      command line: ping 127.0.0.1
      signatures: Runs ping.exe
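The self-deletion chain (cmd.exe pinging loopback, then deleting its parent's image) and the Run-key persistence above are easy to pick out of endpoint telemetry once the parent/child relationship is taken into account. The following Python is an added example, not part of the sandbox report or of the sample: it runs two detection rules over constructed Sysmon-style process-creation and registry-set events that mirror the process tree and IoCs on this page. The event field names, the benign control event and the PIDs 1000/1500/2000 are assumptions.

```python
import re
from typing import Dict, List

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\0e6614d77a6142be9b96f5e01cf1c5da6b9a72b928481422af04eff3376625c1.exe")
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

# Constructed events modelled on Sysmon Event ID 1 (process create) and
# Event ID 13 (registry value set). They mirror the process tree and Run-key
# IoC in the report above; they are not the sandbox's raw log.
EVENTS: List[Dict] = [
    {"type": "process", "pid": 308, "ppid": 1000, "image": SAMPLE,
     "cmdline": f'"{SAMPLE}"'},
    {"type": "registry", "pid": 308, "image": SAMPLE,
     "target": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "details": DROPPED},
    {"type": "process", "pid": 1668, "ppid": 308, "image": DROPPED, "cmdline": DROPPED},
    {"type": "process", "pid": 1212, "ppid": 308, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"'},
    {"type": "process", "pid": 980, "ppid": 1212, "image": r"C:\Windows\SysWOW64\PING.EXE",
     "cmdline": "ping 127.0.0.1"},
    # Benign control (constructed): an admin script pings a host, then removes a stale log.
    {"type": "process", "pid": 2000, "ppid": 1500, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c ping 10.0.0.5 & del /q "C:\Temp\old.log"'},
]

# "ping <host>" chained with "del" inside one cmd.exe invocation; captures the deletion target.
PING_THEN_DEL = re.compile(
    r'\bping\b\s+(?P<host>\S+)[^&|]*(?:&&?|\|\|?)\s*del\b(?:\s+/\w+)*\s+"?'
    r'(?P<path>[A-Za-z]:\\[^"]+?)"?\s*$',
    re.IGNORECASE,
)
LOOPBACK = {"127.0.0.1", "localhost", "::1"}
# Run / RunOnce keys, with or without the WOW64 redirection node.
RUN_KEY = re.compile(
    r"\\(?:Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.IGNORECASE)
USER_TEMP = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)


def normalise_key(key: str) -> str:
    """Drop the WOW64 redirection node so 32-bit and 64-bit writers compare equal."""
    return re.sub(r"\\Wow6432Node\\", r"\\", key, flags=re.IGNORECASE)


def find_self_deletion(events: List[Dict]) -> List[Dict]:
    """Flag cmd.exe children whose ping-then-del command deletes the parent's own image."""
    images = {e["pid"]: e["image"] for e in events if e["type"] == "process"}
    alerts = []
    for e in events:
        if e["type"] != "process" or not e["image"].lower().endswith("\\cmd.exe"):
            continue
        m = PING_THEN_DEL.search(e["cmdline"])
        if not m:
            continue
        parent = images.get(e["ppid"], "")
        if m["path"].lower() != parent.lower():
            continue  # deleting some other file is routine cleanup, not self-deletion
        alerts.append({"rule": "self_deletion", "pid": e["pid"], "parent_pid": e["ppid"],
                       "deleted": m["path"],
                       "loopback_delay": m["host"].lower() in LOOPBACK})
    return alerts


def find_temp_run_key(events: List[Dict]) -> List[Dict]:
    """Flag Run-key values that point at an executable under the user's Temp directory."""
    alerts = []
    for e in events:
        if e["type"] != "registry" or not RUN_KEY.search(e["target"]):
            continue
        if USER_TEMP.match(e["details"].strip('"')):
            alerts.append({"rule": "run_key_to_user_temp", "pid": e["pid"],
                           "key": normalise_key(e["target"]), "value": e["details"],
                           "wow64_redirected": "wow6432node" in e["target"].lower()})
    return alerts


def analyse(events: List[Dict]) -> List[Dict]:
    return find_self_deletion(events) + find_temp_run_key(events)


if __name__ == "__main__":
    for alert in analyse(EVENTS):
        print(alert)
```

Comparing the deletion target with the parent's own image is what separates self-deletion from routine cleanup; the constructed benign command in the event list is not flagged for exactly that reason. Stripping Wow6432Node before reporting the key keeps one rule working for both 32-bit writers (as on this page) and 64-bit ones.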
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 26383021fee9f5c4819d2a7bb3b95c25
  SHA1: 91d7fec74a52cd93fdf0c6611ee8f50e5221ccc4
  SHA256: a8492f8317737513b4dd18f3e11091da66d5678938c2e8071ffb2b2814fb5ff3
  SHA512: f571ebca0da5104bd1e3a367b5a7e3174aae8984400fefac47642f272ce290195e084f6ab9900f607ccb086e0a4d2801956077d5b7f708521ea4290a4a5fcf5f