Analysis
max time kernel: 143s
max time network: 153s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 08:22
Static task: static1
Behavioral task: behavioral1
  Sample: 0b3d5223c362c6c25fe3b255a8a9815f7e2861b9b3cd031e50638e1bdcd3e038.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0b3d5223c362c6c25fe3b255a8a9815f7e2861b9b3cd031e50638e1bdcd3e038.exe
  Resource: win10v2004-en-20220113
General
Target: 0b3d5223c362c6c25fe3b255a8a9815f7e2861b9b3cd031e50638e1bdcd3e038.exe
Size: 216KB
MD5: a3c89eed5a00021eaed7f50d0cf528b6
SHA1: 7e1dbb54e3e521cfb86dcd04110b93030632bba1
SHA256: 0b3d5223c362c6c25fe3b255a8a9815f7e2861b9b3cd031e50638e1bdcd3e038
SHA512: 0d134c2754681db90ffc43b8f6b5dd823c061ad80b640dedaf6fe44b696851c175d42a2745491a79c094b0ac300db99e983463f8644a524fce8e0ab28a6c3ee8
Malware Config
Signatures
Sakula Payload (4 IoCs)
  resource                                                                      yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe                    family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe                  family_sakula
  behavioral1/memory/1276-58-0x0000000000400000-0x0000000000420000-memory.dmp   family_sakula
  behavioral1/memory/1920-59-0x0000000000400000-0x0000000000420000-memory.dmp   family_sakula

Executes dropped EXE (1 IoC)
  pid   process
  1920  MediaCenter.exe

Deletes itself (1 IoC)
  pid   process
  616   cmd.exe

Loads dropped DLL (1 IoC)
  pid   process
  1276  0b3d5223c362c6c25fe3b255a8a9815f7e2861b9b3cd031e50638e1bdcd3e038.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  description      ioc                                                                                                                                                   process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  0b3d5223c362c6c25fe3b255a8a9815f7e2861b9b3cd031e50638e1bdcd3e038.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTP, 1 IoC)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description                         pid   process
  Token: SeIncBasePriorityPrivilege   1276  0b3d5223c362c6c25fe3b255a8a9815f7e2861b9b3cd031e50638e1bdcd3e038.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  description                         pid   process                                                                 target process
  PID 1276 wrote to memory of 1920    1276  0b3d5223c362c6c25fe3b255a8a9815f7e2861b9b3cd031e50638e1bdcd3e038.exe   MediaCenter.exe
  PID 1276 wrote to memory of 1920    1276  0b3d5223c362c6c25fe3b255a8a9815f7e2861b9b3cd031e50638e1bdcd3e038.exe   MediaCenter.exe
  PID 1276 wrote to memory of 1920    1276  0b3d5223c362c6c25fe3b255a8a9815f7e2861b9b3cd031e50638e1bdcd3e038.exe   MediaCenter.exe
  PID 1276 wrote to memory of 1920    1276  0b3d5223c362c6c25fe3b255a8a9815f7e2861b9b3cd031e50638e1bdcd3e038.exe   MediaCenter.exe
  PID 1276 wrote to memory of 616     1276  0b3d5223c362c6c25fe3b255a8a9815f7e2861b9b3cd031e50638e1bdcd3e038.exe   cmd.exe
  PID 1276 wrote to memory of 616     1276  0b3d5223c362c6c25fe3b255a8a9815f7e2861b9b3cd031e50638e1bdcd3e038.exe   cmd.exe
  PID 1276 wrote to memory of 616     1276  0b3d5223c362c6c25fe3b255a8a9815f7e2861b9b3cd031e50638e1bdcd3e038.exe   cmd.exe
  PID 1276 wrote to memory of 616     1276  0b3d5223c362c6c25fe3b255a8a9815f7e2861b9b3cd031e50638e1bdcd3e038.exe   cmd.exe
  PID 616 wrote to memory of 1996     616   cmd.exe                                                                 PING.EXE
  PID 616 wrote to memory of 1996     616   cmd.exe                                                                 PING.EXE
  PID 616 wrote to memory of 1996     616   cmd.exe                                                                 PING.EXE
  PID 616 wrote to memory of 1996     616   cmd.exe                                                                 PING.EXE
Processes
C:\Users\Admin\AppData\Local\Temp\0b3d5223c362c6c25fe3b255a8a9815f7e2861b9b3cd031e50638e1bdcd3e038.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0b3d5223c362c6c25fe3b255a8a9815f7e2861b9b3cd031e50638e1bdcd3e038.exe"
  PID: 1276
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 1920
    - Executes dropped EXE

  C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0b3d5223c362c6c25fe3b255a8a9815f7e2861b9b3cd031e50638e1bdcd3e038.exe"
    PID: 616
    - Deletes itself
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\PING.EXE (depth 3)
      Command line: ping 127.0.0.1
      PID: 1996
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 57ca4627df9748c1df6263e368276fce
  SHA1: 6a3b64a1e78474fbabab0cf5b605678b2a4d3fa0
  SHA256: 5ad016ac3fd100c17e7b5260fdd2043a9f406f11f360a7d7d3d37fbc7f9df25b
  SHA512: 386869c586fd64deb48aa7435132a9da755137e13ccfb50239a01901aa2d7b01a09f498c4340dc8ab28e32fa8692681d62bf3e4380f48afd46123aed9d77825d

\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 57ca4627df9748c1df6263e368276fce
  SHA1: 6a3b64a1e78474fbabab0cf5b605678b2a4d3fa0
  SHA256: 5ad016ac3fd100c17e7b5260fdd2043a9f406f11f360a7d7d3d37fbc7f9df25b
  SHA512: 386869c586fd64deb48aa7435132a9da755137e13ccfb50239a01901aa2d7b01a09f498c4340dc8ab28e32fa8692681d62bf3e4380f48afd46123aed9d77825d

memory/1276-54-0x0000000076041000-0x0000000076043000-memory.dmp
  Filesize: 8KB

memory/1276-58-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB

memory/1920-59-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB