Analysis
- max time kernel: 149s
- max time network: 187s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 08:08
Static task: static1
Behavioral task: behavioral1
  Sample: 0ba1ed465a2c9e18ec05d33d7ab7da442487facfd5ed2addaa762b0c1251fccd.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0ba1ed465a2c9e18ec05d33d7ab7da442487facfd5ed2addaa762b0c1251fccd.exe
  Resource: win10v2004-en-20220112
General
- Target: 0ba1ed465a2c9e18ec05d33d7ab7da442487facfd5ed2addaa762b0c1251fccd.exe
- Size: 101KB
- MD5: ca318c838cd1c3c6a2ddf3abc538b652
- SHA1: 13a91edaf4f5727c5f5fa4277b4041e7110bd8fa
- SHA256: 0ba1ed465a2c9e18ec05d33d7ab7da442487facfd5ed2addaa762b0c1251fccd
- SHA512: 92ff016c800290cedca1cc2d0168520120d7277d357b37f9df07e3b73440ccaec9d11406286c99116c5cda6669d25a30cea118ea580685bebd6fac70e9a0fea9
Malware Config
Signatures
- Sakula Payload (3 IoCs)
  Processes (resource | yara_rule):
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- Executes dropped EXE (1 IoC)
  Processes (pid | process):
  1652 | MediaCenter.exe
- Deletes itself (1 IoC)
  Processes (pid | process):
  1452 | cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid | process):
  1320 | 0ba1ed465a2c9e18ec05d33d7ab7da442487facfd5ed2addaa762b0c1251fccd.exe
  1320 | 0ba1ed465a2c9e18ec05d33d7ab7da442487facfd5ed2addaa762b0c1251fccd.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description | ioc | process):
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 0ba1ed465a2c9e18ec05d33d7ab7da442487facfd5ed2addaa762b0c1251fccd.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description | pid | process):
  Token: SeIncBasePriorityPrivilege | 1320 | 0ba1ed465a2c9e18ec05d33d7ab7da442487facfd5ed2addaa762b0c1251fccd.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description | pid | process | target process):
  PID 1320 wrote to memory of 1652 | 1320 | 0ba1ed465a2c9e18ec05d33d7ab7da442487facfd5ed2addaa762b0c1251fccd.exe | MediaCenter.exe
  PID 1320 wrote to memory of 1652 | 1320 | 0ba1ed465a2c9e18ec05d33d7ab7da442487facfd5ed2addaa762b0c1251fccd.exe | MediaCenter.exe
  PID 1320 wrote to memory of 1652 | 1320 | 0ba1ed465a2c9e18ec05d33d7ab7da442487facfd5ed2addaa762b0c1251fccd.exe | MediaCenter.exe
  PID 1320 wrote to memory of 1652 | 1320 | 0ba1ed465a2c9e18ec05d33d7ab7da442487facfd5ed2addaa762b0c1251fccd.exe | MediaCenter.exe
  PID 1320 wrote to memory of 1452 | 1320 | 0ba1ed465a2c9e18ec05d33d7ab7da442487facfd5ed2addaa762b0c1251fccd.exe | cmd.exe
  PID 1320 wrote to memory of 1452 | 1320 | 0ba1ed465a2c9e18ec05d33d7ab7da442487facfd5ed2addaa762b0c1251fccd.exe | cmd.exe
  PID 1320 wrote to memory of 1452 | 1320 | 0ba1ed465a2c9e18ec05d33d7ab7da442487facfd5ed2addaa762b0c1251fccd.exe | cmd.exe
  PID 1320 wrote to memory of 1452 | 1320 | 0ba1ed465a2c9e18ec05d33d7ab7da442487facfd5ed2addaa762b0c1251fccd.exe | cmd.exe
  PID 1452 wrote to memory of 340 | 1452 | cmd.exe | PING.EXE
  PID 1452 wrote to memory of 340 | 1452 | cmd.exe | PING.EXE
  PID 1452 wrote to memory of 340 | 1452 | cmd.exe | PING.EXE
  PID 1452 wrote to memory of 340 | 1452 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\0ba1ed465a2c9e18ec05d33d7ab7da442487facfd5ed2addaa762b0c1251fccd.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0ba1ed465a2c9e18ec05d33d7ab7da442487facfd5ed2addaa762b0c1251fccd.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1320
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1652
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0ba1ed465a2c9e18ec05d33d7ab7da442487facfd5ed2addaa762b0c1251fccd.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1452
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 340
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 29f3ecd7a06b7d40e120e71d10d44c8d
  SHA1: d2c78719c1cd7dbb3b50b70895bf95296215b4ec
  SHA256: 2d67cbe9652d8db403766a4f7dac9602f0756a10861f166a9b67d92aca9b65e1
  SHA512: 8d18b8c616acb0fcfc8464aef3e1855c8f8a05ad57e90a388d015eaa53cd4f1c383a087bce837467e5fa97e4c0799db4a264087be66114928c10a24922dd4766