Analysis
- max time kernel: 139s
- max time network: 171s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 08:17
Static task: static1
Behavioral task: behavioral1
  Sample: 0b4fe77e6f8f37e2e5f9f4b9db2e7ab41e7c489d201547354269f2a9d0a5b19c.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0b4fe77e6f8f37e2e5f9f4b9db2e7ab41e7c489d201547354269f2a9d0a5b19c.exe
  Resource: win10v2004-en-20220113
General
- Target: 0b4fe77e6f8f37e2e5f9f4b9db2e7ab41e7c489d201547354269f2a9d0a5b19c.exe
- Size: 80KB
- MD5: b611c7623faee5bf85dde7e54fe79415
- SHA1: 3a348502ed33e5e1531373982efb20b708cc0fd1
- SHA256: 0b4fe77e6f8f37e2e5f9f4b9db2e7ab41e7c489d201547354269f2a9d0a5b19c
- SHA512: 64ab31bff528d48fb7f9ef06597b7f6c50e7c1c2a39c05fe888c567b35a3015e973f2bd26a7e17f6ea810c51b5742ab6ee444fcf79123fdfff72aed7cd9a232a
Malware Config
Signatures
- Sakula Payload (3 IoCs)
  Processes (resource -> yara_rule):
    \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe -> family_sakula
    \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe -> family_sakula
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe -> family_sakula
- Executes dropped EXE (1 IoC)
  Processes (pid, process):
    1156 MediaCenter.exe
- Deletes itself (1 IoC)
  Processes (pid, process):
    1176 cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid, process):
    828 0b4fe77e6f8f37e2e5f9f4b9db2e7ab41e7c489d201547354269f2a9d0a5b19c.exe
    828 0b4fe77e6f8f37e2e5f9f4b9db2e7ab41e7c489d201547354269f2a9d0a5b19c.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description, ioc, process):
    Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" by 0b4fe77e6f8f37e2e5f9f4b9db2e7ab41e7c489d201547354269f2a9d0a5b19c.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description, pid, process):
    Token: SeIncBasePriorityPrivilege 828 0b4fe77e6f8f37e2e5f9f4b9db2e7ab41e7c489d201547354269f2a9d0a5b19c.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description, pid, process, target process):
    PID 828 wrote to memory of 1156: 0b4fe77e6f8f37e2e5f9f4b9db2e7ab41e7c489d201547354269f2a9d0a5b19c.exe -> MediaCenter.exe
    PID 828 wrote to memory of 1156: 0b4fe77e6f8f37e2e5f9f4b9db2e7ab41e7c489d201547354269f2a9d0a5b19c.exe -> MediaCenter.exe
    PID 828 wrote to memory of 1156: 0b4fe77e6f8f37e2e5f9f4b9db2e7ab41e7c489d201547354269f2a9d0a5b19c.exe -> MediaCenter.exe
    PID 828 wrote to memory of 1156: 0b4fe77e6f8f37e2e5f9f4b9db2e7ab41e7c489d201547354269f2a9d0a5b19c.exe -> MediaCenter.exe
    PID 828 wrote to memory of 1176: 0b4fe77e6f8f37e2e5f9f4b9db2e7ab41e7c489d201547354269f2a9d0a5b19c.exe -> cmd.exe
    PID 828 wrote to memory of 1176: 0b4fe77e6f8f37e2e5f9f4b9db2e7ab41e7c489d201547354269f2a9d0a5b19c.exe -> cmd.exe
    PID 828 wrote to memory of 1176: 0b4fe77e6f8f37e2e5f9f4b9db2e7ab41e7c489d201547354269f2a9d0a5b19c.exe -> cmd.exe
    PID 828 wrote to memory of 1176: 0b4fe77e6f8f37e2e5f9f4b9db2e7ab41e7c489d201547354269f2a9d0a5b19c.exe -> cmd.exe
    PID 1176 wrote to memory of 1560: cmd.exe -> PING.EXE
    PID 1176 wrote to memory of 1560: cmd.exe -> PING.EXE
    PID 1176 wrote to memory of 1560: cmd.exe -> PING.EXE
    PID 1176 wrote to memory of 1560: cmd.exe -> PING.EXE
Processes
- [depth 1] C:\Users\Admin\AppData\Local\Temp\0b4fe77e6f8f37e2e5f9f4b9db2e7ab41e7c489d201547354269f2a9d0a5b19c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0b4fe77e6f8f37e2e5f9f4b9db2e7ab41e7c489d201547354269f2a9d0a5b19c.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 828
  - [depth 2] C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1156
  - [depth 2] C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0b4fe77e6f8f37e2e5f9f4b9db2e7ab41e7c489d201547354269f2a9d0a5b19c.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1176
    - [depth 3] C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1560
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: b6ae8cbf5e6405227a191707e26ba706
  SHA1: 8a4b403703b0a9240d7ec00ac2777cfedc774bd0
  SHA256: bc49e02eb0fcabb91c56669abcf70bfe123fd882e4ec5baa3d164dda9d3e5d8c
  SHA512: 4d523bd81bd7f3bfda4d68daefd2b3fa3e32598ee9eed163f0f3c0592a3636ceb9648652709c962f485bf9bb0923b74b863c8db0a2137be836bd4bc9c6d0c7a5