Analysis
- max time kernel: 156s
- max time network: 171s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 07:32
Static task: static1
Behavioral task: behavioral1
- Sample: 0d4e2a0ee9ebe65330ec3bb38be8f0ac5ebc362158d7f6dd130453e210cfb0c4.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 0d4e2a0ee9ebe65330ec3bb38be8f0ac5ebc362158d7f6dd130453e210cfb0c4.exe
- Resource: win10v2004-en-20220112
General
- Target: 0d4e2a0ee9ebe65330ec3bb38be8f0ac5ebc362158d7f6dd130453e210cfb0c4.exe
- Size: 79KB
- MD5: b8d649fbca202c563d22de6cce14959b
- SHA1: 841b226318f73723e58a1ab7756168e75da3ddd3
- SHA256: 0d4e2a0ee9ebe65330ec3bb38be8f0ac5ebc362158d7f6dd130453e210cfb0c4
- SHA512: 6beb14a2926ad4eeff4527efc131a40a862255a47289e6d4b3090611a7321d9263148c933d9577489cfc528c417bd3f8db7854202c5c75eee0eb74eea891b9c0
Malware Config
Signatures
- Sakula Payload (3 IoCs)
  Processes (resource | yara_rule):
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- Executes dropped EXE (1 IoC)
  Processes (pid | process):
  1404 | MediaCenter.exe
- Deletes itself (1 IoC)
  Processes (pid | process):
  1620 | cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid | process):
  1052 | 0d4e2a0ee9ebe65330ec3bb38be8f0ac5ebc362158d7f6dd130453e210cfb0c4.exe
  1052 | 0d4e2a0ee9ebe65330ec3bb38be8f0ac5ebc362158d7f6dd130453e210cfb0c4.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description | ioc | process):
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 0d4e2a0ee9ebe65330ec3bb38be8f0ac5ebc362158d7f6dd130453e210cfb0c4.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description | pid | process):
  Token: SeIncBasePriorityPrivilege | 1052 | 0d4e2a0ee9ebe65330ec3bb38be8f0ac5ebc362158d7f6dd130453e210cfb0c4.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description | pid | process | target process):
  PID 1052 wrote to memory of 1404 | 1052 | 0d4e2a0ee9ebe65330ec3bb38be8f0ac5ebc362158d7f6dd130453e210cfb0c4.exe | MediaCenter.exe
  PID 1052 wrote to memory of 1404 | 1052 | 0d4e2a0ee9ebe65330ec3bb38be8f0ac5ebc362158d7f6dd130453e210cfb0c4.exe | MediaCenter.exe
  PID 1052 wrote to memory of 1404 | 1052 | 0d4e2a0ee9ebe65330ec3bb38be8f0ac5ebc362158d7f6dd130453e210cfb0c4.exe | MediaCenter.exe
  PID 1052 wrote to memory of 1404 | 1052 | 0d4e2a0ee9ebe65330ec3bb38be8f0ac5ebc362158d7f6dd130453e210cfb0c4.exe | MediaCenter.exe
  PID 1052 wrote to memory of 1620 | 1052 | 0d4e2a0ee9ebe65330ec3bb38be8f0ac5ebc362158d7f6dd130453e210cfb0c4.exe | cmd.exe
  PID 1052 wrote to memory of 1620 | 1052 | 0d4e2a0ee9ebe65330ec3bb38be8f0ac5ebc362158d7f6dd130453e210cfb0c4.exe | cmd.exe
  PID 1052 wrote to memory of 1620 | 1052 | 0d4e2a0ee9ebe65330ec3bb38be8f0ac5ebc362158d7f6dd130453e210cfb0c4.exe | cmd.exe
  PID 1052 wrote to memory of 1620 | 1052 | 0d4e2a0ee9ebe65330ec3bb38be8f0ac5ebc362158d7f6dd130453e210cfb0c4.exe | cmd.exe
  PID 1620 wrote to memory of 1872 | 1620 | cmd.exe | PING.EXE
  PID 1620 wrote to memory of 1872 | 1620 | cmd.exe | PING.EXE
  PID 1620 wrote to memory of 1872 | 1620 | cmd.exe | PING.EXE
  PID 1620 wrote to memory of 1872 | 1620 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\0d4e2a0ee9ebe65330ec3bb38be8f0ac5ebc362158d7f6dd130453e210cfb0c4.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0d4e2a0ee9ebe65330ec3bb38be8f0ac5ebc362158d7f6dd130453e210cfb0c4.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1052
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1404
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0d4e2a0ee9ebe65330ec3bb38be8f0ac5ebc362158d7f6dd130453e210cfb0c4.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1620
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1872
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 83a6e632ccc19e304d430bc0a346e5e8
  SHA1: 902a254a6d808ca8a6cf1a4168993d1a96dc4831
  SHA256: 53021e6c3118f6e61304595c8ff495f20293231840d347dcb1cbb5e3e6d4cb5d
  SHA512: d1b2e03a90a1c907eb8a47b1dd1bfe815b29be8804f9792fe736e26f3b76ab6cbc5188ee2ab2b0311d7562763b0f888afc8b2de661fbaff940cfeb8a53601341