Analysis
- max time kernel: 125s
- max time network: 150s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 07:29
Static task: static1
Behavioral task: behavioral1
- Sample: 0d71f3b6d495be58149cf53865307226acecc9a7bb20a4c27d7bfd9ea94128c0.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 0d71f3b6d495be58149cf53865307226acecc9a7bb20a4c27d7bfd9ea94128c0.exe
- Resource: win10v2004-en-20220113
General
- Target: 0d71f3b6d495be58149cf53865307226acecc9a7bb20a4c27d7bfd9ea94128c0.exe
- Size: 192KB
- MD5: 6264430f7613ad241ebcbb12b0b25e38
- SHA1: ef5a85855ebfdceab6ab38c793f8052f49ecc3eb
- SHA256: 0d71f3b6d495be58149cf53865307226acecc9a7bb20a4c27d7bfd9ea94128c0
- SHA512: 7a80cb6ebf26cd1810c706990eb1b9352ff2aae2b7a9064dc50bf8937574a75303dc8e03b135ffda0787b9436353c154ebb97dd34fbac0ad0ad992b973a9a077
Malware Config
Signatures
- Sakula Payload (3 IoCs)
  Processes (resource | yara_rule):
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- Executes dropped EXE (1 IoCs)
  Processes (pid | process):
  1620 | MediaCenter.exe
- Deletes itself (1 IoCs)
  Processes (pid | process):
  520 | cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid | process):
  1652 | 0d71f3b6d495be58149cf53865307226acecc9a7bb20a4c27d7bfd9ea94128c0.exe
  1652 | 0d71f3b6d495be58149cf53865307226acecc9a7bb20a4c27d7bfd9ea94128c0.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes (description | ioc | process):
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 0d71f3b6d495be58149cf53865307226acecc9a7bb20a4c27d7bfd9ea94128c0.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes (description | pid | process):
  Token: SeIncBasePriorityPrivilege | 1652 | 0d71f3b6d495be58149cf53865307226acecc9a7bb20a4c27d7bfd9ea94128c0.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description | pid | process | target process):
  PID 1652 wrote to memory of 1620 | 1652 | 0d71f3b6d495be58149cf53865307226acecc9a7bb20a4c27d7bfd9ea94128c0.exe | MediaCenter.exe
  PID 1652 wrote to memory of 1620 | 1652 | 0d71f3b6d495be58149cf53865307226acecc9a7bb20a4c27d7bfd9ea94128c0.exe | MediaCenter.exe
  PID 1652 wrote to memory of 1620 | 1652 | 0d71f3b6d495be58149cf53865307226acecc9a7bb20a4c27d7bfd9ea94128c0.exe | MediaCenter.exe
  PID 1652 wrote to memory of 1620 | 1652 | 0d71f3b6d495be58149cf53865307226acecc9a7bb20a4c27d7bfd9ea94128c0.exe | MediaCenter.exe
  PID 1652 wrote to memory of 520 | 1652 | 0d71f3b6d495be58149cf53865307226acecc9a7bb20a4c27d7bfd9ea94128c0.exe | cmd.exe
  PID 1652 wrote to memory of 520 | 1652 | 0d71f3b6d495be58149cf53865307226acecc9a7bb20a4c27d7bfd9ea94128c0.exe | cmd.exe
  PID 1652 wrote to memory of 520 | 1652 | 0d71f3b6d495be58149cf53865307226acecc9a7bb20a4c27d7bfd9ea94128c0.exe | cmd.exe
  PID 1652 wrote to memory of 520 | 1652 | 0d71f3b6d495be58149cf53865307226acecc9a7bb20a4c27d7bfd9ea94128c0.exe | cmd.exe
  PID 520 wrote to memory of 956 | 520 | cmd.exe | PING.EXE
  PID 520 wrote to memory of 956 | 520 | cmd.exe | PING.EXE
  PID 520 wrote to memory of 956 | 520 | cmd.exe | PING.EXE
  PID 520 wrote to memory of 956 | 520 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\0d71f3b6d495be58149cf53865307226acecc9a7bb20a4c27d7bfd9ea94128c0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0d71f3b6d495be58149cf53865307226acecc9a7bb20a4c27d7bfd9ea94128c0.exe"
  PID: 1652
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 1620
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0d71f3b6d495be58149cf53865307226acecc9a7bb20a4c27d7bfd9ea94128c0.exe"
    PID: 520
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    Child process:
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 956
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: c02c1f857d38fda09a12fc5f2126afc1
  SHA1: 4ce01a690f233b1640aa0b7685c7f2fc1c89b518
  SHA256: d9c9450425cd2ef8a1875ce6cc98cfbe5e2798384513ed07d1334f7817d613ba
  SHA512: 6de77d2207bde9cab67c6f3ec338943e063971aef5db06423ed651cd9d1ae21b30381cfd72f2eb4a64fb77f05ad2993a988739a69a2fb0a6fc6e64d0fcc2ad6c
- MD5: c02c1f857d38fda09a12fc5f2126afc1
  SHA1: 4ce01a690f233b1640aa0b7685c7f2fc1c89b518
  SHA256: d9c9450425cd2ef8a1875ce6cc98cfbe5e2798384513ed07d1334f7817d613ba
  SHA512: 6de77d2207bde9cab67c6f3ec338943e063971aef5db06423ed651cd9d1ae21b30381cfd72f2eb4a64fb77f05ad2993a988739a69a2fb0a6fc6e64d0fcc2ad6c
- MD5: c02c1f857d38fda09a12fc5f2126afc1
  SHA1: 4ce01a690f233b1640aa0b7685c7f2fc1c89b518
  SHA256: d9c9450425cd2ef8a1875ce6cc98cfbe5e2798384513ed07d1334f7817d613ba
  SHA512: 6de77d2207bde9cab67c6f3ec338943e063971aef5db06423ed651cd9d1ae21b30381cfd72f2eb4a64fb77f05ad2993a988739a69a2fb0a6fc6e64d0fcc2ad6c