Analysis
max time kernel: 119s
max time network: 144s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 08:19
Static task: static1
Behavioral task: behavioral1
  Sample: 0b449ea25d51b1e796a25a76b52ee1e4ab677502dab92e8c5b04214e3f0a9a41.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0b449ea25d51b1e796a25a76b52ee1e4ab677502dab92e8c5b04214e3f0a9a41.exe
  Resource: win10v2004-en-20220113
General
Target: 0b449ea25d51b1e796a25a76b52ee1e4ab677502dab92e8c5b04214e3f0a9a41.exe
Size: 80KB
MD5: f0f3b34e2bfaf36c23e77a647730d660
SHA1: 6f9ac2e8b38c497b10dcffbfc73c64eb6bdfbbb9
SHA256: 0b449ea25d51b1e796a25a76b52ee1e4ab677502dab92e8c5b04214e3f0a9a41
SHA512: e12cb73787d905e426495e82853c35e7405ba49382ad1715f603b263330dd4e0962cc2d28847ae07383cd9e22b92570cbd19d85d30e45227da056609408bacab
Malware Config
Signatures
Sakula Payload (3 IoCs)
Processes:
resource | yara_rule
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
Executes dropped EXE (1 IoCs)
Processes:
pid | process
1568 | MediaCenter.exe
Deletes itself (1 IoCs)
Processes:
pid | process
276 | cmd.exe
Loads dropped DLL (2 IoCs)
Processes:
pid | process
1692 | 0b449ea25d51b1e796a25a76b52ee1e4ab677502dab92e8c5b04214e3f0a9a41.exe
1692 | 0b449ea25d51b1e796a25a76b52ee1e4ab677502dab92e8c5b04214e3f0a9a41.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 0b449ea25d51b1e796a25a76b52ee1e4ab677502dab92e8c5b04214e3f0a9a41.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Runs ping.exe (1 TTPs, 1 IoCs)
Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes:
description | pid | process
Token: SeIncBasePriorityPrivilege | 1692 | 0b449ea25d51b1e796a25a76b52ee1e4ab677502dab92e8c5b04214e3f0a9a41.exe
Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
description | pid | process | target process
PID 1692 wrote to memory of 1568 | 1692 | 0b449ea25d51b1e796a25a76b52ee1e4ab677502dab92e8c5b04214e3f0a9a41.exe | MediaCenter.exe
PID 1692 wrote to memory of 1568 | 1692 | 0b449ea25d51b1e796a25a76b52ee1e4ab677502dab92e8c5b04214e3f0a9a41.exe | MediaCenter.exe
PID 1692 wrote to memory of 1568 | 1692 | 0b449ea25d51b1e796a25a76b52ee1e4ab677502dab92e8c5b04214e3f0a9a41.exe | MediaCenter.exe
PID 1692 wrote to memory of 1568 | 1692 | 0b449ea25d51b1e796a25a76b52ee1e4ab677502dab92e8c5b04214e3f0a9a41.exe | MediaCenter.exe
PID 1692 wrote to memory of 276 | 1692 | 0b449ea25d51b1e796a25a76b52ee1e4ab677502dab92e8c5b04214e3f0a9a41.exe | cmd.exe
PID 1692 wrote to memory of 276 | 1692 | 0b449ea25d51b1e796a25a76b52ee1e4ab677502dab92e8c5b04214e3f0a9a41.exe | cmd.exe
PID 1692 wrote to memory of 276 | 1692 | 0b449ea25d51b1e796a25a76b52ee1e4ab677502dab92e8c5b04214e3f0a9a41.exe | cmd.exe
PID 1692 wrote to memory of 276 | 1692 | 0b449ea25d51b1e796a25a76b52ee1e4ab677502dab92e8c5b04214e3f0a9a41.exe | cmd.exe
PID 276 wrote to memory of 1256 | 276 | cmd.exe | PING.EXE
PID 276 wrote to memory of 1256 | 276 | cmd.exe | PING.EXE
PID 276 wrote to memory of 1256 | 276 | cmd.exe | PING.EXE
PID 276 wrote to memory of 1256 | 276 | cmd.exe | PING.EXE
Processes
C:\Users\Admin\AppData\Local\Temp\0b449ea25d51b1e796a25a76b52ee1e4ab677502dab92e8c5b04214e3f0a9a41.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\0b449ea25d51b1e796a25a76b52ee1e4ab677502dab92e8c5b04214e3f0a9a41.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1692
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1568
  C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0b449ea25d51b1e796a25a76b52ee1e4ab677502dab92e8c5b04214e3f0a9a41.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 276
    C:\Windows\SysWOW64\PING.EXE
      command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1256
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: 8f9b52c07e6c5be345084aee18dc8a0d
SHA1: bdcd427f260ae79a1c741a09d156dd88482adb6e
SHA256: 31fe7bcc2d57c0af22247d3aa9a0073b252cd1714e51e1bad9f54132006f46d1
SHA512: 80e15b8854c366392791934ed9a9c86c9ea934d33837ea01ac6e6584cf3f6dc880cb41195ac6670c67f551ba057fc74c418c9ef93d4fe64044e5146265be7ac7