Analysis
max time kernel: 130s
max time network: 153s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 08:18
Static task: static1
Behavioral task: behavioral1
  Sample: 0b4f98b2c4707095fb262fc19cde0ece98c55e3c3c3a80b54cef4eb827587ad7.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0b4f98b2c4707095fb262fc19cde0ece98c55e3c3c3a80b54cef4eb827587ad7.exe
  Resource: win10v2004-en-20220113
General
Target: 0b4f98b2c4707095fb262fc19cde0ece98c55e3c3c3a80b54cef4eb827587ad7.exe
Size: 152KB
MD5: 6778e78f1c00c3bf6f8ce8c9bf867a27
SHA1: 99a8d40230eff419c8fbc30cee8d6234b96b38ea
SHA256: 0b4f98b2c4707095fb262fc19cde0ece98c55e3c3c3a80b54cef4eb827587ad7
SHA512: 0412507308eff3a64d2a74456b1d43b3fc630543fc942658053a757cac9338df96bff03ef7a5b80aa0c52e08e3ae103c0b7f6e880a52365e4fd14e10dc5d28c3
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  Processes:
  resource                                                      yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe    family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  family_sakula
- Executes dropped EXE (1 IoCs)
  Processes:
  pid   process
  1132  MediaCenter.exe
- Deletes itself (1 IoCs)
  Processes:
  pid   process
  1048  cmd.exe
- Loads dropped DLL (1 IoCs)
  Processes:
  pid   process
  1492  0b4f98b2c4707095fb262fc19cde0ece98c55e3c3c3a80b54cef4eb827587ad7.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  process: 0b4f98b2c4707095fb262fc19cde0ece98c55e3c3c3a80b54cef4eb827587ad7.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
  description                        pid   process
  Token: SeIncBasePriorityPrivilege  1492  0b4f98b2c4707095fb262fc19cde0ece98c55e3c3c3a80b54cef4eb827587ad7.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
  description                       pid   process                                                                 target process
  PID 1492 wrote to memory of 1132  1492  0b4f98b2c4707095fb262fc19cde0ece98c55e3c3c3a80b54cef4eb827587ad7.exe  MediaCenter.exe
  PID 1492 wrote to memory of 1132  1492  0b4f98b2c4707095fb262fc19cde0ece98c55e3c3c3a80b54cef4eb827587ad7.exe  MediaCenter.exe
  PID 1492 wrote to memory of 1132  1492  0b4f98b2c4707095fb262fc19cde0ece98c55e3c3c3a80b54cef4eb827587ad7.exe  MediaCenter.exe
  PID 1492 wrote to memory of 1132  1492  0b4f98b2c4707095fb262fc19cde0ece98c55e3c3c3a80b54cef4eb827587ad7.exe  MediaCenter.exe
  PID 1492 wrote to memory of 1048  1492  0b4f98b2c4707095fb262fc19cde0ece98c55e3c3c3a80b54cef4eb827587ad7.exe  cmd.exe
  PID 1492 wrote to memory of 1048  1492  0b4f98b2c4707095fb262fc19cde0ece98c55e3c3c3a80b54cef4eb827587ad7.exe  cmd.exe
  PID 1492 wrote to memory of 1048  1492  0b4f98b2c4707095fb262fc19cde0ece98c55e3c3c3a80b54cef4eb827587ad7.exe  cmd.exe
  PID 1492 wrote to memory of 1048  1492  0b4f98b2c4707095fb262fc19cde0ece98c55e3c3c3a80b54cef4eb827587ad7.exe  cmd.exe
  PID 1048 wrote to memory of 2008  1048  cmd.exe                                                                 PING.EXE
  PID 1048 wrote to memory of 2008  1048  cmd.exe                                                                 PING.EXE
  PID 1048 wrote to memory of 2008  1048  cmd.exe                                                                 PING.EXE
  PID 1048 wrote to memory of 2008  1048  cmd.exe                                                                 PING.EXE
Processes
- Image: C:\Users\Admin\AppData\Local\Temp\0b4f98b2c4707095fb262fc19cde0ece98c55e3c3c3a80b54cef4eb827587ad7.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0b4f98b2c4707095fb262fc19cde0ece98c55e3c3c3a80b54cef4eb827587ad7.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1492
  - Image: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID:1132
  - Image: C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0b4f98b2c4707095fb262fc19cde0ece98c55e3c3c3a80b54cef4eb827587ad7.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID:1048
    - Image: C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID:2008
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 26013070841336449a31ce0ee0e10e15
  SHA1: 717c28012279b36f2e550257cfd4b2a7c2117714
  SHA256: 4c205a0388cc253a136b3db950b82f0828271e09f4e8507caea08a7ddacd22cf
  SHA512: 83dfe2d472b0473ff2b74c2018cfc3a4c620df97999340f7566417adfe4a97946623a3cf9407e14f881eaadfba95f187842049045b0d425ad25dd76863d080ea