Analysis

max time kernel: 144s
max time network: 174s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 07:10
Static task: static1

Behavioral task: behavioral1
  Sample: 0e592681ec1afc589320c42c03ab89c64e64d30df19bb7793d0a007066e19cb5.exe
  Resource: win7-en-20211208

Behavioral task: behavioral2
  Sample: 0e592681ec1afc589320c42c03ab89c64e64d30df19bb7793d0a007066e19cb5.exe
  Resource: win10v2004-en-20220113
General

Target: 0e592681ec1afc589320c42c03ab89c64e64d30df19bb7793d0a007066e19cb5.exe
Size: 101KB
MD5: 96923e7cd4b8652daf2288af7474d6bf
SHA1: 7ed6549d937050d40587adfbe1bc4d455f7b1396
SHA256: 0e592681ec1afc589320c42c03ab89c64e64d30df19bb7793d0a007066e19cb5
SHA512: f0c488c44c2f787d56c0866d9284509367cc810983770f352bffecf2d753a7868f05c829155c910c52dc9af4085bdb2d9ae670ecf683ea468da353e3f61b7d7f
Malware Config

Signatures

- Sakula Payload (3 IoCs)
  Processes:
    resource                                                          yara_rule
    \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe        family_sakula
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe      family_sakula
    \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe        family_sakula

- Executes dropped EXE (1 IoC)
  Processes:
    pid    process
    1700   MediaCenter.exe

- Deletes itself (1 IoC)
  Processes:
    pid    process
    1552   cmd.exe

- Loads dropped DLL (2 IoCs)
  Processes:
    pid    process
    1780   0e592681ec1afc589320c42c03ab89c64e64d30df19bb7793d0a007066e19cb5.exe
    1780   0e592681ec1afc589320c42c03ab89c64e64d30df19bb7793d0a007066e19cb5.exe

- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    description       ioc                                                                                                                                             process
    Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"   0e592681ec1afc589320c42c03ab89c64e64d30df19bb7793d0a007066e19cb5.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Runs ping.exe (1 TTP, 1 IoC)

- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description                            pid    process
    Token: SeIncBasePriorityPrivilege      1780   0e592681ec1afc589320c42c03ab89c64e64d30df19bb7793d0a007066e19cb5.exe

- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
    description                          pid    process                                                                    target process
    PID 1780 wrote to memory of 1700     1780   0e592681ec1afc589320c42c03ab89c64e64d30df19bb7793d0a007066e19cb5.exe      MediaCenter.exe
    PID 1780 wrote to memory of 1700     1780   0e592681ec1afc589320c42c03ab89c64e64d30df19bb7793d0a007066e19cb5.exe      MediaCenter.exe
    PID 1780 wrote to memory of 1700     1780   0e592681ec1afc589320c42c03ab89c64e64d30df19bb7793d0a007066e19cb5.exe      MediaCenter.exe
    PID 1780 wrote to memory of 1700     1780   0e592681ec1afc589320c42c03ab89c64e64d30df19bb7793d0a007066e19cb5.exe      MediaCenter.exe
    PID 1780 wrote to memory of 1552     1780   0e592681ec1afc589320c42c03ab89c64e64d30df19bb7793d0a007066e19cb5.exe      cmd.exe
    PID 1780 wrote to memory of 1552     1780   0e592681ec1afc589320c42c03ab89c64e64d30df19bb7793d0a007066e19cb5.exe      cmd.exe
    PID 1780 wrote to memory of 1552     1780   0e592681ec1afc589320c42c03ab89c64e64d30df19bb7793d0a007066e19cb5.exe      cmd.exe
    PID 1780 wrote to memory of 1552     1780   0e592681ec1afc589320c42c03ab89c64e64d30df19bb7793d0a007066e19cb5.exe      cmd.exe
    PID 1552 wrote to memory of 812      1552   cmd.exe                                                                    PING.EXE
    PID 1552 wrote to memory of 812      1552   cmd.exe                                                                    PING.EXE
    PID 1552 wrote to memory of 812      1552   cmd.exe                                                                    PING.EXE
    PID 1552 wrote to memory of 812      1552   cmd.exe                                                                    PING.EXE
Processes

1. C:\Users\Admin\AppData\Local\Temp\0e592681ec1afc589320c42c03ab89c64e64d30df19bb7793d0a007066e19cb5.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\0e592681ec1afc589320c42c03ab89c64e64d30df19bb7793d0a007066e19cb5.exe"
   PID: 1780
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      PID: 1700
      - Executes dropped EXE

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0e592681ec1afc589320c42c03ab89c64e64d30df19bb7793d0a007066e19cb5.exe"
      PID: 1552
      - Deletes itself
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\PING.EXE
         Command line: ping 127.0.0.1
         PID: 812
         - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads

- MD5: db6553dfbdc9bde109d5233b9d8e4402
  SHA1: 1f534f4e1763ef5db00921575eb5446384b58cfe
  SHA256: c88f70d87a9708e48e7916fbc5db4d98153fc80fe192829956e0b6fa5c09d5a6
  SHA512: 60c677a9fa1c6b5048fc3a95e51e7c82b975676568f59bbd33e377bffd6f6907aa46ba68b3937ff2ad5950f216a57e8c6904d71ea5255b75faef661d760ea60a

- MD5: db6553dfbdc9bde109d5233b9d8e4402
  SHA1: 1f534f4e1763ef5db00921575eb5446384b58cfe
  SHA256: c88f70d87a9708e48e7916fbc5db4d98153fc80fe192829956e0b6fa5c09d5a6
  SHA512: 60c677a9fa1c6b5048fc3a95e51e7c82b975676568f59bbd33e377bffd6f6907aa46ba68b3937ff2ad5950f216a57e8c6904d71ea5255b75faef661d760ea60a

- MD5: db6553dfbdc9bde109d5233b9d8e4402
  SHA1: 1f534f4e1763ef5db00921575eb5446384b58cfe
  SHA256: c88f70d87a9708e48e7916fbc5db4d98153fc80fe192829956e0b6fa5c09d5a6
  SHA512: 60c677a9fa1c6b5048fc3a95e51e7c82b975676568f59bbd33e377bffd6f6907aa46ba68b3937ff2ad5950f216a57e8c6904d71ea5255b75faef661d760ea60a