Analysis
- max time kernel: 147s
- max time network: 165s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 07:31
Static task: static1
Behavioral task: behavioral1
  Sample: 0d5528fe2890f8451a9ea3c1b70878b2a9f1787769500932f78be2d419b0c17a.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0d5528fe2890f8451a9ea3c1b70878b2a9f1787769500932f78be2d419b0c17a.exe
  Resource: win10v2004-en-20220113
General
- Target: 0d5528fe2890f8451a9ea3c1b70878b2a9f1787769500932f78be2d419b0c17a.exe
- Size: 89KB
- MD5: b4af6c589f78a3798c5d8db01e29b5e9
- SHA1: 5bf902599a1d23da28ab33afc9ad9aeab7a0df25
- SHA256: 0d5528fe2890f8451a9ea3c1b70878b2a9f1787769500932f78be2d419b0c17a
- SHA512: e523eb5d871b834be35539bbf9056ea4e98f34dd30a2a40392ab144bf5391f80872a3e274ec5246140f09fecbaddb07f3355b1ff280c0aeb492031eb6faa515c
Malware Config
Signatures
- Sakula Payload 2 IoCs
  Processes:
    resource | yara_rule
    \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- Executes dropped EXE 1 IoCs
  Processes: MediaCenter.exe
    pid | process
    380 | MediaCenter.exe
- Deletes itself 1 IoCs
  Processes: cmd.exe
    pid | process
    1588 | cmd.exe
- Loads dropped DLL 1 IoCs
  Processes: 0d5528fe2890f8451a9ea3c1b70878b2a9f1787769500932f78be2d419b0c17a.exe
    pid | process
    756 | 0d5528fe2890f8451a9ea3c1b70878b2a9f1787769500932f78be2d419b0c17a.exe
- Adds Run key to start application 2 TTPs 1 IoCs
  Processes: 0d5528fe2890f8451a9ea3c1b70878b2a9f1787769500932f78be2d419b0c17a.exe
    description | ioc | process
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 0d5528fe2890f8451a9ea3c1b70878b2a9f1787769500932f78be2d419b0c17a.exe
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe 1 TTPs 1 IoCs
- Suspicious use of AdjustPrivilegeToken 1 IoCs
  Processes: 0d5528fe2890f8451a9ea3c1b70878b2a9f1787769500932f78be2d419b0c17a.exe
    description | pid | process
    Token: SeIncBasePriorityPrivilege | 756 | 0d5528fe2890f8451a9ea3c1b70878b2a9f1787769500932f78be2d419b0c17a.exe
- Suspicious use of WriteProcessMemory 12 IoCs
  Processes: 0d5528fe2890f8451a9ea3c1b70878b2a9f1787769500932f78be2d419b0c17a.exe, cmd.exe
    description | pid | process | target process
    PID 756 wrote to memory of 380 | 756 | 0d5528fe2890f8451a9ea3c1b70878b2a9f1787769500932f78be2d419b0c17a.exe | MediaCenter.exe
    PID 756 wrote to memory of 380 | 756 | 0d5528fe2890f8451a9ea3c1b70878b2a9f1787769500932f78be2d419b0c17a.exe | MediaCenter.exe
    PID 756 wrote to memory of 380 | 756 | 0d5528fe2890f8451a9ea3c1b70878b2a9f1787769500932f78be2d419b0c17a.exe | MediaCenter.exe
    PID 756 wrote to memory of 380 | 756 | 0d5528fe2890f8451a9ea3c1b70878b2a9f1787769500932f78be2d419b0c17a.exe | MediaCenter.exe
    PID 756 wrote to memory of 1588 | 756 | 0d5528fe2890f8451a9ea3c1b70878b2a9f1787769500932f78be2d419b0c17a.exe | cmd.exe
    PID 756 wrote to memory of 1588 | 756 | 0d5528fe2890f8451a9ea3c1b70878b2a9f1787769500932f78be2d419b0c17a.exe | cmd.exe
    PID 756 wrote to memory of 1588 | 756 | 0d5528fe2890f8451a9ea3c1b70878b2a9f1787769500932f78be2d419b0c17a.exe | cmd.exe
    PID 756 wrote to memory of 1588 | 756 | 0d5528fe2890f8451a9ea3c1b70878b2a9f1787769500932f78be2d419b0c17a.exe | cmd.exe
    PID 1588 wrote to memory of 1460 | 1588 | cmd.exe | PING.EXE
    PID 1588 wrote to memory of 1460 | 1588 | cmd.exe | PING.EXE
    PID 1588 wrote to memory of 1460 | 1588 | cmd.exe | PING.EXE
    PID 1588 wrote to memory of 1460 | 1588 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\0d5528fe2890f8451a9ea3c1b70878b2a9f1787769500932f78be2d419b0c17a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0d5528fe2890f8451a9ea3c1b70878b2a9f1787769500932f78be2d419b0c17a.exe"
  PID: 756
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 380
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0d5528fe2890f8451a9ea3c1b70878b2a9f1787769500932f78be2d419b0c17a.exe"
    PID: 1588
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 1460
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: de137c5d3091c7e9b1a8eb143f741d21
  SHA1: 80828c84b4c6bc2dd159a9f0df259f10d1b9d1ee
  SHA256: 574b0a10bad06e0beb734f3f81a57fc58de70fb80a65e8843c3e876b2294a97b
  SHA512: 0ca6baf3e946b950091d33489b8cd18b5b4b7a21c7dba055ae033c375b3ce6585bfae63f61c3fa2b19388819deab22b276738dd90c79fcef00bad19153137f00