Analysis

- max time kernel: 145s
- max time network: 157s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 08:09

Static task: static1

Behavioral task: behavioral1
- Sample: 0b91b1d579392adb694f4dbf47ac3032f2128c09672fc07931cbbb4b63789a96.exe
- Resource: win7-en-20211208

Behavioral task: behavioral2
- Sample: 0b91b1d579392adb694f4dbf47ac3032f2128c09672fc07931cbbb4b63789a96.exe
- Resource: win10v2004-en-20220112

The signatures and process tree shown on this page are from the windows7_x64 run (behavioral1, resource win7-en-20211208); PIDs and paths below refer to that run.
General

- Target: 0b91b1d579392adb694f4dbf47ac3032f2128c09672fc07931cbbb4b63789a96.exe
- Size: 80KB
- MD5: dacfd47ed66fdd7c7c09bea07a5de53c
- SHA1: dee078ca9d4d1880b09c624c078a5a71e89d355b
- SHA256: 0b91b1d579392adb694f4dbf47ac3032f2128c09672fc07931cbbb4b63789a96
- SHA512: 3d72c0936a9007016ea6d00a1111b52418adfc825eb7fcdd2f42709c4372cc786df0c711d036aa04f94c4c055735e7519fcc50e0d2601fc0830ca5ea5c7c7557
Malware Config
Signatures

- Sakula Payload (3 IoCs)
  YARA rule family_sakula matched on:
  - \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  - \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

- Executes dropped EXE (1 IoC)
  - PID 1288 MediaCenter.exe

- Deletes itself (1 IoC)
  - PID 396 cmd.exe

- Loads dropped DLL (2 IoCs)
  - PID 1468 0b91b1d579392adb694f4dbf47ac3032f2128c09672fc07931cbbb4b63789a96.exe (two load events)

- Adds Run key to start application (2 TTPs, 1 IoC)
  - PID 1468 0b91b1d579392adb694f4dbf47ac3032f2128c09672fc07931cbbb4b63789a96.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  This is the 32-bit (Wow6432Node) view of the machine-wide HKLM Run key, so the dropped MediaCenter.exe is launched at every interactive logon on the host, for any user, from a user-writable Temp directory.

- Enumerates physical storage devices (1 TTP)
  Sandbox description: "Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour." That sentence is the signature's generic text; nothing else in this report (no file encryption, no ransom note) supports a ransomware classification, and the payload is tagged as Sakula, a remote access trojan.

- Runs ping.exe (1 TTP, 1 IoC)
  - PID 1048 PING.EXE, `ping 127.0.0.1`, spawned by cmd.exe (PID 396); see the process tree below.

- Suspicious use of AdjustPrivilegeToken (1 IoC)
  - PID 1468 0b91b1d579392adb694f4dbf47ac3032f2128c09672fc07931cbbb4b63789a96.exe adjusts token privilege SeIncBasePriorityPrivilege

- Suspicious use of WriteProcessMemory (12 IoCs)
  - PID 1468 (sample) wrote to memory of PID 1288 MediaCenter.exe: 4 events
  - PID 1468 (sample) wrote to memory of PID 396 cmd.exe: 4 events
  - PID 396 cmd.exe wrote to memory of PID 1048 PING.EXE: 4 events
  Each entry is a parent writing into a child it has just created, and the same count of four appears for cmd.exe starting PING.EXE, which is ordinary process creation; on its own this signature does not show injection into an unrelated process.
Processes

- C:\Users\Admin\AppData\Local\Temp\0b91b1d579392adb694f4dbf47ac3032f2128c09672fc07931cbbb4b63789a96.exe (PID 1468)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0b91b1d579392adb694f4dbf47ac3032f2128c09672fc07931cbbb4b63789a96.exe"
  Signatures: Loads dropped DLL; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 1288, child of 1468)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Signatures: Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 396, child of 1468)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0b91b1d579392adb694f4dbf47ac3032f2128c09672fc07931cbbb4b63789a96.exe"
    Signatures: Deletes itself; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 1048, child of 396)
      Command line: ping 127.0.0.1
      Signatures: Runs ping.exe

Two details of the tree are worth noting. The command line asks for System32\cmd.exe but the image that runs is SysWOW64\cmd.exe: the sample is a 32-bit process on 64-bit Windows, so WOW64 file system redirection resolves the path (consistent with the Wow6432Node Run key above). The `ping 127.0.0.1 & del /q "<own path>"` idiom uses the local ping as a delay of a few seconds so that the original executable has exited and its file is no longer locked before `del` removes it; the dropped MediaCenter.exe copy and the Run key survive.
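As an added example (not part of the sandbox report and not code from the Sakula family), the following Python turns the two most detection-worthy behaviours above, the HKLM Run key pointing at a dropped file under AppData\Local\Temp and the `cmd.exe /c ping 127.0.0.1 & del /q` self-deletion, into rules run over constructed process and registry events that mirror the tree. The event field names (`type`, `pid`, `ppid`, `image`, `cmdline`, `key`, `data`) and the two benign control events are assumptions for the example; the paths, PIDs and command lines come from the report.

```python
"""
Detection logic for two behaviours in this report: an HKLM Run key pointing into
a user-writable directory, and cmd.exe's "ping & del" self-deletion of its parent.
Added example; the event records below are constructed to mirror the report's
process tree and registry write and are not the sandbox's raw telemetry.
"""
import re
from typing import Dict, List

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\0b91b1d579392adb694f4dbf47ac3032f2128c09672fc07931cbbb4b63789a96.exe")
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

# Constructed events in a Sysmon-like shape (process create / registry set value).
EVENTS: List[Dict] = [
    {"type": "process", "pid": 1468, "ppid": 1000, "image": SAMPLE,
     "cmdline": f'"{SAMPLE}"'},
    {"type": "registry", "pid": 1468,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "data": DROPPED},
    {"type": "process", "pid": 1288, "ppid": 1468, "image": DROPPED, "cmdline": DROPPED},
    {"type": "process", "pid": 396, "ppid": 1468, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"'},
    {"type": "process", "pid": 1048, "ppid": 396, "image": r"C:\Windows\SysWOW64\PING.EXE",
     "cmdline": "ping 127.0.0.1"},
    # Benign controls (also constructed): an interactive ping and a vendor Run key
    # under Program Files. Neither should produce a finding.
    {"type": "process", "pid": 2000, "ppid": 1000, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c ping 10.0.0.1'},
    {"type": "registry", "pid": 2100,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Vendor",
     "data": r"C:\Program Files\Vendor\Agent.exe"},
]

# Run / RunOnce under any hive or Wow6432Node view.
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
# Locations a standard user can write to; a persistence target here is suspect.
USER_WRITABLE_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\|\\Temp\\|\\ProgramData\\", re.I)
# "ping <anything>" chained with & or && into "del".
PING_THEN_DEL_RE = re.compile(r"\bping\b[^&|]*&&?\s*del\b", re.I)
# The path argument of del, with or without quotes, after optional switches like /q.
DEL_TARGET_RE = re.compile(r'\bdel\b(?:\s+/\w+)*\s+"?([^"&|]+?)"?\s*$', re.I)


def _norm(path: str) -> str:
    """Normalise a Windows path for comparison (strip quotes, case-fold)."""
    return path.strip().strip('"').lower()


def analyze(events: List[Dict]) -> List[Dict]:
    """Return a finding per matched rule; parent lookup is by ppid within the batch."""
    by_pid = {e["pid"]: e for e in events if e["type"] == "process"}
    findings = []
    for e in events:
        if e["type"] == "registry":
            if RUN_KEY_RE.search(e["key"]) and USER_WRITABLE_RE.search(e["data"]):
                findings.append({"rule": "run_key_user_writable", "pid": e["pid"],
                                 "detail": f'{e["key"]} -> {e["data"]}'})
        elif e["type"] == "process" and e["image"].lower().endswith("\\cmd.exe"):
            if not PING_THEN_DEL_RE.search(e["cmdline"]):
                continue
            target = DEL_TARGET_RE.search(e["cmdline"])
            parent = by_pid.get(e["ppid"])
            # Self-deletion: the deleted file is the image of the process that spawned cmd.exe.
            if target and parent and _norm(target.group(1)) == _norm(parent["image"]):
                findings.append({"rule": "self_delete_via_ping", "pid": e["pid"],
                                 "detail": f'PID {parent["pid"]} deletes its own image {target.group(1)}'})
    return findings


if __name__ == "__main__":
    for f in analyze(EVENTS):
        print(f'[{f["rule"]}] pid={f["pid"]} {f["detail"]}')
```

The self-deletion rule deliberately requires the `del` target to equal the parent's image path; matching `ping & del` alone would also fire on cleanup batch files, whereas a process arranging for its own binary to be removed is what this tree shows. The Run key rule fires on the Wow6432Node path because it only looks at the tail of the key, so the same rule covers HKCU and native 64-bit writes.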
Network
MITRE ATT&CK Enterprise v6
Downloads

One downloadable file, listed three times on the page with identical hashes:

- MD5: 7aab888a0570ba98a5094907af94d174
- SHA1: 530279d94499386ce6ac2d1f3d4ca41388bde1b6
- SHA256: 361a388cff301648fe12d23444c59424ffeefff64236f281ac70cfaa37e8eaae
- SHA512: d7ea9e211f838aef04d00e03e402cdb137022751e898ac67e4d913c82a529ca444d5829e1f54aec4c92ae1e1d5d3313d8e52c8af6a3a8c28f2e689004bd968a5

These hashes differ from the submitted sample's hashes under General, so this is a second file produced during the run rather than the original executable.