Analysis
- max time kernel: 120s
- max time network: 132s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 07:29
Static task: static1
Behavioral task: behavioral1
  Sample: 0d766510ecf3c0c605e8121e057f85dbe4280b48ef67a0489569e9b7fbb6478d.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0d766510ecf3c0c605e8121e057f85dbe4280b48ef67a0489569e9b7fbb6478d.exe
  Resource: win10v2004-en-20220112
General
- Target: 0d766510ecf3c0c605e8121e057f85dbe4280b48ef67a0489569e9b7fbb6478d.exe
- Size: 100KB
- MD5: 7bfba06d804348981a7559484793a8dc
- SHA1: 078faa0c7a4de6572ae2d4bac80a3892e131f983
- SHA256: 0d766510ecf3c0c605e8121e057f85dbe4280b48ef67a0489569e9b7fbb6478d
- SHA512: 7adde601b73ab0418c3a9f0b6b42975677a39440948cc68baeb5f1cdcd7b8a6849baa8f1be77f9d1e9158e05f836b03e961cb7a2e21c090c0d78c640a4bbd634
Malware Config
Signatures
- Sakula Payload (3 IoCs)
  Processes:
  resource | yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- Executes dropped EXE (1 IoC)
  Processes:
  pid | process
  1068 | MediaCenter.exe
- Deletes itself (1 IoC)
  Processes:
  pid | process
  1156 | cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes:
  pid | process
  980 | 0d766510ecf3c0c605e8121e057f85dbe4280b48ef67a0489569e9b7fbb6478d.exe
  980 | 0d766510ecf3c0c605e8121e057f85dbe4280b48ef67a0489569e9b7fbb6478d.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 0d766510ecf3c0c605e8121e057f85dbe4280b48ef67a0489569e9b7fbb6478d.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 980 | 0d766510ecf3c0c605e8121e057f85dbe4280b48ef67a0489569e9b7fbb6478d.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
  description | pid | process | target process
  PID 980 wrote to memory of 1068 | 980 | 0d766510ecf3c0c605e8121e057f85dbe4280b48ef67a0489569e9b7fbb6478d.exe | MediaCenter.exe
  PID 980 wrote to memory of 1068 | 980 | 0d766510ecf3c0c605e8121e057f85dbe4280b48ef67a0489569e9b7fbb6478d.exe | MediaCenter.exe
  PID 980 wrote to memory of 1068 | 980 | 0d766510ecf3c0c605e8121e057f85dbe4280b48ef67a0489569e9b7fbb6478d.exe | MediaCenter.exe
  PID 980 wrote to memory of 1068 | 980 | 0d766510ecf3c0c605e8121e057f85dbe4280b48ef67a0489569e9b7fbb6478d.exe | MediaCenter.exe
  PID 980 wrote to memory of 1156 | 980 | 0d766510ecf3c0c605e8121e057f85dbe4280b48ef67a0489569e9b7fbb6478d.exe | cmd.exe
  PID 980 wrote to memory of 1156 | 980 | 0d766510ecf3c0c605e8121e057f85dbe4280b48ef67a0489569e9b7fbb6478d.exe | cmd.exe
  PID 980 wrote to memory of 1156 | 980 | 0d766510ecf3c0c605e8121e057f85dbe4280b48ef67a0489569e9b7fbb6478d.exe | cmd.exe
  PID 980 wrote to memory of 1156 | 980 | 0d766510ecf3c0c605e8121e057f85dbe4280b48ef67a0489569e9b7fbb6478d.exe | cmd.exe
  PID 1156 wrote to memory of 756 | 1156 | cmd.exe | PING.EXE
  PID 1156 wrote to memory of 756 | 1156 | cmd.exe | PING.EXE
  PID 1156 wrote to memory of 756 | 1156 | cmd.exe | PING.EXE
  PID 1156 wrote to memory of 756 | 1156 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\0d766510ecf3c0c605e8121e057f85dbe4280b48ef67a0489569e9b7fbb6478d.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0d766510ecf3c0c605e8121e057f85dbe4280b48ef67a0489569e9b7fbb6478d.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 980
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1068
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0d766510ecf3c0c605e8121e057f85dbe4280b48ef67a0489569e9b7fbb6478d.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1156
    - C:\Windows\SysWOW64\PING.EXE (depth 3)
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 756
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 1cbd869c84db2a207a643ce11321d679
  SHA1: 74d8da1a1172c6493837c02f7cc1f2383aaaa0e9
  SHA256: 77ca06148c4c862cc9f236df7f5c0b811e7bb8d956685210e2d4f4b6e97dbf1a
  SHA512: 2b56dc584d4300988af824549b60864cceb2033f6754b94aeca7b81a4ccfda076d2940091e47ad9672cf14056f1efce609bd00b7ff555b463f0a5b1110f45a85