Analysis
- max time kernel: 139s
- max time network: 162s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 07:27
Static task: static1
Behavioral task: behavioral1
  Sample: 0d8bef08d5ecc2481cf790b9f8754603762275635fa40b7a9c81abd192e1475b.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0d8bef08d5ecc2481cf790b9f8754603762275635fa40b7a9c81abd192e1475b.exe
  Resource: win10v2004-en-20220113
General
- Target: 0d8bef08d5ecc2481cf790b9f8754603762275635fa40b7a9c81abd192e1475b.exe
- Size: 191KB
- MD5: 1d7cdb3a8cd88595a339d15ab0791779
- SHA1: cf6ccdcd32b07f36f6b8631a10005106b14b3768
- SHA256: 0d8bef08d5ecc2481cf790b9f8754603762275635fa40b7a9c81abd192e1475b
- SHA512: e2933a7e6f13e2bb18f2d4290e3ac1af5017e339416528095ec17326a97f9e33b2245b3ef0c3c950cc2b6b73ea61bc5fd28f4f01131a5474242943bea67882ec
Malware Config
Signatures
-
Sakula Payload (3 IoCs)
Processes:
  resource | yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
-
Executes dropped EXE (1 IoC)
Processes: MediaCenter.exe
  pid | process
  1100 | MediaCenter.exe
-
Deletes itself (1 IoC)
Processes: cmd.exe
  pid | process
  1176 | cmd.exe
-
Loads dropped DLL (2 IoCs)
Processes: 0d8bef08d5ecc2481cf790b9f8754603762275635fa40b7a9c81abd192e1475b.exe
  pid | process
  952 | 0d8bef08d5ecc2481cf790b9f8754603762275635fa40b7a9c81abd192e1475b.exe
  952 | 0d8bef08d5ecc2481cf790b9f8754603762275635fa40b7a9c81abd192e1475b.exe
-
Adds Run key to start application (2 TTPs, 1 IoC)
Processes: 0d8bef08d5ecc2481cf790b9f8754603762275635fa40b7a9c81abd192e1475b.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 0d8bef08d5ecc2481cf790b9f8754603762275635fa40b7a9c81abd192e1475b.exe
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe (1 TTP, 1 IoC)
-
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes: 0d8bef08d5ecc2481cf790b9f8754603762275635fa40b7a9c81abd192e1475b.exe
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 952 | 0d8bef08d5ecc2481cf790b9f8754603762275635fa40b7a9c81abd192e1475b.exe
-
Suspicious use of WriteProcessMemory (12 IoCs)
Processes: 0d8bef08d5ecc2481cf790b9f8754603762275635fa40b7a9c81abd192e1475b.exe, cmd.exe
  description | pid | process | target process
  PID 952 wrote to memory of 1100 | 952 | 0d8bef08d5ecc2481cf790b9f8754603762275635fa40b7a9c81abd192e1475b.exe | MediaCenter.exe
  PID 952 wrote to memory of 1100 | 952 | 0d8bef08d5ecc2481cf790b9f8754603762275635fa40b7a9c81abd192e1475b.exe | MediaCenter.exe
  PID 952 wrote to memory of 1100 | 952 | 0d8bef08d5ecc2481cf790b9f8754603762275635fa40b7a9c81abd192e1475b.exe | MediaCenter.exe
  PID 952 wrote to memory of 1100 | 952 | 0d8bef08d5ecc2481cf790b9f8754603762275635fa40b7a9c81abd192e1475b.exe | MediaCenter.exe
  PID 952 wrote to memory of 1176 | 952 | 0d8bef08d5ecc2481cf790b9f8754603762275635fa40b7a9c81abd192e1475b.exe | cmd.exe
  PID 952 wrote to memory of 1176 | 952 | 0d8bef08d5ecc2481cf790b9f8754603762275635fa40b7a9c81abd192e1475b.exe | cmd.exe
  PID 952 wrote to memory of 1176 | 952 | 0d8bef08d5ecc2481cf790b9f8754603762275635fa40b7a9c81abd192e1475b.exe | cmd.exe
  PID 952 wrote to memory of 1176 | 952 | 0d8bef08d5ecc2481cf790b9f8754603762275635fa40b7a9c81abd192e1475b.exe | cmd.exe
  PID 1176 wrote to memory of 1196 | 1176 | cmd.exe | PING.EXE
  PID 1176 wrote to memory of 1196 | 1176 | cmd.exe | PING.EXE
  PID 1176 wrote to memory of 1196 | 1176 | cmd.exe | PING.EXE
  PID 1176 wrote to memory of 1196 | 1176 | cmd.exe | PING.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\0d8bef08d5ecc2481cf790b9f8754603762275635fa40b7a9c81abd192e1475b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0d8bef08d5ecc2481cf790b9f8754603762275635fa40b7a9c81abd192e1475b.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 952
  -
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1100
  -
  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0d8bef08d5ecc2481cf790b9f8754603762275635fa40b7a9c81abd192e1475b.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1176
    -
    C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1196
Network
MITRE ATT&CK Enterprise v6
Downloads
-
MD5: c281fcb48a8aabe36962e2f52c69c5c4
SHA1: 0e3b4ff6ea0026a1ba361f07182ce347a47238d2
SHA256: 27b1dd084cbb49733eaa9911374e40013d843c71cc7b69157971ffd122652090
SHA512: 333b8111c3c54d819dbb5bd53e700274f0949688628d9fe430e47d53e3004a556e44d77f80fa8d0afe9d3bbb133f514799adeec68107a154838a4452444160a1