Analysis
  max time kernel: 137s
  max time network: 154s
  platform: windows7_x64
  resource: win7-en-20211208
  submitted: 12-02-2022 08:19
Static task: static1
Behavioral task: behavioral1
  Sample: 0b45e126783a51846d41db08ae332566d362a2b0772506f6931214d634b7ebaa.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0b45e126783a51846d41db08ae332566d362a2b0772506f6931214d634b7ebaa.exe
  Resource: win10v2004-en-20220112
General
  Target: 0b45e126783a51846d41db08ae332566d362a2b0772506f6931214d634b7ebaa.exe
  Size: 92KB
  MD5: 75671d499ddf0ed6dadb85ab8d9dcdcf
  SHA1: ecd0ff998d5de2ea78eeb78c5c6c086a89e83096
  SHA256: 0b45e126783a51846d41db08ae332566d362a2b0772506f6931214d634b7ebaa
  SHA512: e98d141074d2e6975579b129eb7d182549b5f1ab6b950f718f526218827aeaae3586f28406a5a95ca2570cf05b13abf59b00aafbae169810302a752ff44d244d
Malware Config
Signatures
  Sakula Payload (2 IoCs)
    Processes:
      resource                                                       yara_rule
      \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe     family_sakula
      C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe   family_sakula
  Executes dropped EXE (1 IoC)
    Processes:
      pid    process
      980    MediaCenter.exe
  Deletes itself (1 IoC)
    Processes:
      pid    process
      600    cmd.exe
  Loads dropped DLL (1 IoC)
    Processes:
      pid    process
      1888   0b45e126783a51846d41db08ae332566d362a2b0772506f6931214d634b7ebaa.exe
  Adds Run key to start application (2 TTPs, 1 IoC)
    Processes:
      description       ioc                                                                                                                                                     process
      Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"   0b45e126783a51846d41db08ae332566d362a2b0772506f6931214d634b7ebaa.exe
  Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  Runs ping.exe (1 TTP, 1 IoC)
  Suspicious use of AdjustPrivilegeToken (1 IoC)
    Processes:
      description                          pid    process
      Token: SeIncBasePriorityPrivilege    1888   0b45e126783a51846d41db08ae332566d362a2b0772506f6931214d634b7ebaa.exe
  Suspicious use of WriteProcessMemory (12 IoCs)
    Processes:
      description                        pid    process                                                                   target process
      PID 1888 wrote to memory of 980    1888   0b45e126783a51846d41db08ae332566d362a2b0772506f6931214d634b7ebaa.exe     MediaCenter.exe
      PID 1888 wrote to memory of 980    1888   0b45e126783a51846d41db08ae332566d362a2b0772506f6931214d634b7ebaa.exe     MediaCenter.exe
      PID 1888 wrote to memory of 980    1888   0b45e126783a51846d41db08ae332566d362a2b0772506f6931214d634b7ebaa.exe     MediaCenter.exe
      PID 1888 wrote to memory of 980    1888   0b45e126783a51846d41db08ae332566d362a2b0772506f6931214d634b7ebaa.exe     MediaCenter.exe
      PID 1888 wrote to memory of 600    1888   0b45e126783a51846d41db08ae332566d362a2b0772506f6931214d634b7ebaa.exe     cmd.exe
      PID 1888 wrote to memory of 600    1888   0b45e126783a51846d41db08ae332566d362a2b0772506f6931214d634b7ebaa.exe     cmd.exe
      PID 1888 wrote to memory of 600    1888   0b45e126783a51846d41db08ae332566d362a2b0772506f6931214d634b7ebaa.exe     cmd.exe
      PID 1888 wrote to memory of 600    1888   0b45e126783a51846d41db08ae332566d362a2b0772506f6931214d634b7ebaa.exe     cmd.exe
      PID 600 wrote to memory of 1084    600    cmd.exe                                                                   PING.EXE
      PID 600 wrote to memory of 1084    600    cmd.exe                                                                   PING.EXE
      PID 600 wrote to memory of 1084    600    cmd.exe                                                                   PING.EXE
      PID 600 wrote to memory of 1084    600    cmd.exe                                                                   PING.EXE
Processes
  C:\Users\Admin\AppData\Local\Temp\0b45e126783a51846d41db08ae332566d362a2b0772506f6931214d634b7ebaa.exe (PID 1888, depth 1)
    Command line: "C:\Users\Admin\AppData\Local\Temp\0b45e126783a51846d41db08ae332566d362a2b0772506f6931214d634b7ebaa.exe"
    Signatures:
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 980, depth 2)
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Signatures:
      - Executes dropped EXE
    C:\Windows\SysWOW64\cmd.exe (PID 600, depth 2)
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0b45e126783a51846d41db08ae332566d362a2b0772506f6931214d634b7ebaa.exe"
      Signatures:
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\PING.EXE (PID 1084, depth 3)
        Command line: ping 127.0.0.1
        Signatures:
        - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
  MD5: 9bee7a94b758cd146ee13a6ea00f97c5
  SHA1: 036dbefed4e120ebf2f1764e68c23022671cf08d
  SHA256: d9671ce43901def843675fcfadb9f961c37a845af816cd047ae9b020c1c5b414
  SHA512: e1df62e2c4ea53573b9c79293408f33ed845675464938cd8f3d8cffb1cd3d0ce18e9989ee4862bef89f1e4b7b78984f10addb1f574792150c16435902e710b13