Analysis
max time kernel: 150s
max time network: 170s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 07:27
Static task: static1
Behavioral task: behavioral1
  Sample: 0d89dffbb8c50b0e1ba5adcb22f6f3ed5c488ee808636b4258fec107e86ba842.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0d89dffbb8c50b0e1ba5adcb22f6f3ed5c488ee808636b4258fec107e86ba842.exe
  Resource: win10v2004-en-20220112
General
Target: 0d89dffbb8c50b0e1ba5adcb22f6f3ed5c488ee808636b4258fec107e86ba842.exe
Size: 101KB
MD5: 68c5c401528ecb532b9927c66642b23b
SHA1: bff18fb138d0f2dbf946280d41a2906d0ab8abd2
SHA256: 0d89dffbb8c50b0e1ba5adcb22f6f3ed5c488ee808636b4258fec107e86ba842
SHA512: 9d110ff5be4f24ef57c13020597f323c27f7245f263490435047035a2131549c64b45b45a51247369988d265125e995f240b7c8dd4be3568ab0e2a8251148042
Malware Config
Signatures
-
Sakula Payload 3 IoCs
Processes:
resource | yara_rule
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
-
Executes dropped EXE 1 IoCs
Processes:
pid | process
1920 | MediaCenter.exe
-
Deletes itself 1 IoCs
Processes:
pid | process
1848 | cmd.exe
-
Loads dropped DLL 2 IoCs
Processes:
pid | process
1668 | 0d89dffbb8c50b0e1ba5adcb22f6f3ed5c488ee808636b4258fec107e86ba842.exe
1668 | 0d89dffbb8c50b0e1ba5adcb22f6f3ed5c488ee808636b4258fec107e86ba842.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 0d89dffbb8c50b0e1ba5adcb22f6f3ed5c488ee808636b4258fec107e86ba842.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
description | pid | process
Token: SeIncBasePriorityPrivilege | 1668 | 0d89dffbb8c50b0e1ba5adcb22f6f3ed5c488ee808636b4258fec107e86ba842.exe
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
description | pid | process | target process
PID 1668 wrote to memory of 1920 | 1668 | 0d89dffbb8c50b0e1ba5adcb22f6f3ed5c488ee808636b4258fec107e86ba842.exe | MediaCenter.exe
PID 1668 wrote to memory of 1920 | 1668 | 0d89dffbb8c50b0e1ba5adcb22f6f3ed5c488ee808636b4258fec107e86ba842.exe | MediaCenter.exe
PID 1668 wrote to memory of 1920 | 1668 | 0d89dffbb8c50b0e1ba5adcb22f6f3ed5c488ee808636b4258fec107e86ba842.exe | MediaCenter.exe
PID 1668 wrote to memory of 1920 | 1668 | 0d89dffbb8c50b0e1ba5adcb22f6f3ed5c488ee808636b4258fec107e86ba842.exe | MediaCenter.exe
PID 1668 wrote to memory of 1848 | 1668 | 0d89dffbb8c50b0e1ba5adcb22f6f3ed5c488ee808636b4258fec107e86ba842.exe | cmd.exe
PID 1668 wrote to memory of 1848 | 1668 | 0d89dffbb8c50b0e1ba5adcb22f6f3ed5c488ee808636b4258fec107e86ba842.exe | cmd.exe
PID 1668 wrote to memory of 1848 | 1668 | 0d89dffbb8c50b0e1ba5adcb22f6f3ed5c488ee808636b4258fec107e86ba842.exe | cmd.exe
PID 1668 wrote to memory of 1848 | 1668 | 0d89dffbb8c50b0e1ba5adcb22f6f3ed5c488ee808636b4258fec107e86ba842.exe | cmd.exe
PID 1848 wrote to memory of 1648 | 1848 | cmd.exe | PING.EXE
PID 1848 wrote to memory of 1648 | 1848 | cmd.exe | PING.EXE
PID 1848 wrote to memory of 1648 | 1848 | cmd.exe | PING.EXE
PID 1848 wrote to memory of 1648 | 1848 | cmd.exe | PING.EXE
Processes
[depth 1] C:\Users\Admin\AppData\Local\Temp\0d89dffbb8c50b0e1ba5adcb22f6f3ed5c488ee808636b4258fec107e86ba842.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0d89dffbb8c50b0e1ba5adcb22f6f3ed5c488ee808636b4258fec107e86ba842.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1668
  [depth 2] C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1920
  [depth 2] C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0d89dffbb8c50b0e1ba5adcb22f6f3ed5c488ee808636b4258fec107e86ba842.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1848
    [depth 3] C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1648
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: 159d33507ef864ed43712114eb635fc2
SHA1: 9042de8977053c11c99d8a263562c9c1a8f30bf9
SHA256: 1da883750d2d982017cb5aefafedba47ed30626bf222f9651c0c75f390ba2e3d
SHA512: 635d49b227a1dd36e666f21e3a02bfe56ce68c5e4c9903dd0c8375aa52037e4bd78fdff804aa79bb8195a6d00f430761e5c1f5d16ca87ddd511e738d80cdcc9f