Analysis
max time kernel: 129s
max time network: 151s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 07:29
Static task: static1
Behavioral task: behavioral1
  Sample: 0d72e4987ffcbd8f5e540c0b2529b16a16ef5ad300f42650e4b875e265274424.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0d72e4987ffcbd8f5e540c0b2529b16a16ef5ad300f42650e4b875e265274424.exe
  Resource: win10v2004-en-20220112
General
Target: 0d72e4987ffcbd8f5e540c0b2529b16a16ef5ad300f42650e4b875e265274424.exe
Size: 80KB
MD5: f90fc8aba9230cc2ac1bf869ff5dc2a0
SHA1: 8a3f282b009746a215c0a8f24df95ca554e70a18
SHA256: 0d72e4987ffcbd8f5e540c0b2529b16a16ef5ad300f42650e4b875e265274424
SHA512: 94dd4217c7ebd0da24425caa298e9e2949f40d1e5a7f65e215f5647b1749167bb3d5bdff46707411a091fa2f2f37acfa5cc6b7c6c85023d0c05b9994cd671b58
Malware Config
Signatures
Sakula Payload 3 IoCs
Processes:
resource | yara_rule
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
Executes dropped EXE 1 IoCs
Processes:
pid | process
868 | MediaCenter.exe
Deletes itself 1 IoCs
Processes:
pid | process
904 | cmd.exe
Loads dropped DLL 2 IoCs
Processes:
pid | process
1548 | 0d72e4987ffcbd8f5e540c0b2529b16a16ef5ad300f42650e4b875e265274424.exe
1548 | 0d72e4987ffcbd8f5e540c0b2529b16a16ef5ad300f42650e4b875e265274424.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 0d72e4987ffcbd8f5e540c0b2529b16a16ef5ad300f42650e4b875e265274424.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Runs ping.exe 1 TTPs 1 IoCs
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
description | pid | process
Token: SeIncBasePriorityPrivilege | 1548 | 0d72e4987ffcbd8f5e540c0b2529b16a16ef5ad300f42650e4b875e265274424.exe
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
description | pid | process | target process
PID 1548 wrote to memory of 868 | 1548 | 0d72e4987ffcbd8f5e540c0b2529b16a16ef5ad300f42650e4b875e265274424.exe | MediaCenter.exe
PID 1548 wrote to memory of 868 | 1548 | 0d72e4987ffcbd8f5e540c0b2529b16a16ef5ad300f42650e4b875e265274424.exe | MediaCenter.exe
PID 1548 wrote to memory of 868 | 1548 | 0d72e4987ffcbd8f5e540c0b2529b16a16ef5ad300f42650e4b875e265274424.exe | MediaCenter.exe
PID 1548 wrote to memory of 868 | 1548 | 0d72e4987ffcbd8f5e540c0b2529b16a16ef5ad300f42650e4b875e265274424.exe | MediaCenter.exe
PID 1548 wrote to memory of 904 | 1548 | 0d72e4987ffcbd8f5e540c0b2529b16a16ef5ad300f42650e4b875e265274424.exe | cmd.exe
PID 1548 wrote to memory of 904 | 1548 | 0d72e4987ffcbd8f5e540c0b2529b16a16ef5ad300f42650e4b875e265274424.exe | cmd.exe
PID 1548 wrote to memory of 904 | 1548 | 0d72e4987ffcbd8f5e540c0b2529b16a16ef5ad300f42650e4b875e265274424.exe | cmd.exe
PID 1548 wrote to memory of 904 | 1548 | 0d72e4987ffcbd8f5e540c0b2529b16a16ef5ad300f42650e4b875e265274424.exe | cmd.exe
PID 904 wrote to memory of 1768 | 904 | cmd.exe | PING.EXE
PID 904 wrote to memory of 1768 | 904 | cmd.exe | PING.EXE
PID 904 wrote to memory of 1768 | 904 | cmd.exe | PING.EXE
PID 904 wrote to memory of 1768 | 904 | cmd.exe | PING.EXE
Processes
C:\Users\Admin\AppData\Local\Temp\0d72e4987ffcbd8f5e540c0b2529b16a16ef5ad300f42650e4b875e265274424.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0d72e4987ffcbd8f5e540c0b2529b16a16ef5ad300f42650e4b875e265274424.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1548
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 868
  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0d72e4987ffcbd8f5e540c0b2529b16a16ef5ad300f42650e4b875e265274424.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 904
    C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1768
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: 4b5cb622994cc5cfd0120646be09c7a8
SHA1: 020d811d9226f74de4bb0b4234420a0ebb15a86c
SHA256: 5113956130c63adba17239919af57b8d500579e7402fdba5c3d3c43a20d9faef
SHA512: a2cabea265545a2a9ed11db5471e144e78d1130fad597ff83759c97a52cccda58b98bd0e45ce4f0db3aac45311a12b2d6d05c16d9556c6a783b80634c074db32