Analysis
Max time kernel: 127s
Max time network: 141s
Platform: windows7_x64
Resource: win7-en-20211208
Submitted: 12-02-2022 07:31
Static task: static1
Behavioral task: behavioral1
  Sample: 0d5287506a0f09796727ce2cd29a3ab71f0734bbe0eb834ccd7293a2766ef4ad.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0d5287506a0f09796727ce2cd29a3ab71f0734bbe0eb834ccd7293a2766ef4ad.exe
  Resource: win10v2004-en-20220113
General
Target: 0d5287506a0f09796727ce2cd29a3ab71f0734bbe0eb834ccd7293a2766ef4ad.exe
Size: 150KB
MD5: 311648d1f51a5e6aa79d0d82b7e12419
SHA1: 537ea891f3cc383ee0ca52c544f91ebc36e0adba
SHA256: 0d5287506a0f09796727ce2cd29a3ab71f0734bbe0eb834ccd7293a2766ef4ad
SHA512: e11ba0d6823584f16080f2fa1d2ae8f02f2c5110810627b52bc956a1de44467caaf7e92e7a469de79431f0d673444fd1bc39c73d94c31eb03f19ef42ce224b17
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  Resource / YARA rule:
    \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  family_sakula
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  family_sakula
- Executes dropped EXE (1 IoC)
  Process: MediaCenter.exe (PID 472)
- Deletes itself (1 IoC)
  Process: cmd.exe (PID 820)
- Loads dropped DLL (1 IoC)
  Process: 0d5287506a0f09796727ce2cd29a3ab71f0734bbe0eb834ccd7293a2766ef4ad.exe (PID 268)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: 0d5287506a0f09796727ce2cd29a3ab71f0734bbe0eb834ccd7293a2766ef4ad.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Process: 0d5287506a0f09796727ce2cd29a3ab71f0734bbe0eb834ccd7293a2766ef4ad.exe (PID 268)
  Token: SeIncBasePriorityPrivilege
- Suspicious use of WriteProcessMemory (12 IoCs)
  Process -> target process:
    PID 268 (0d5287506a0f09796727ce2cd29a3ab71f0734bbe0eb834ccd7293a2766ef4ad.exe) wrote to memory of PID 472 (MediaCenter.exe), 4 entries
    PID 268 (0d5287506a0f09796727ce2cd29a3ab71f0734bbe0eb834ccd7293a2766ef4ad.exe) wrote to memory of PID 820 (cmd.exe), 4 entries
    PID 820 (cmd.exe) wrote to memory of PID 1976 (PING.EXE), 4 entries
Processes
- C:\Users\Admin\AppData\Local\Temp\0d5287506a0f09796727ce2cd29a3ab71f0734bbe0eb834ccd7293a2766ef4ad.exe (PID 268)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0d5287506a0f09796727ce2cd29a3ab71f0734bbe0eb834ccd7293a2766ef4ad.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 472)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 820)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0d5287506a0f09796727ce2cd29a3ab71f0734bbe0eb834ccd7293a2766ef4ad.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 1976)
      Command line: ping 127.0.0.1
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: dc590b66cb79ca49c508062677a665d0
  SHA1: f3039bf132dcfa2219a2e74677a28cd6d2012bb7
  SHA256: bfd1e4e5c8fa649e86d15273f344a63c6eca0fcef8a1558ba22fb6eabc5bbe97
  SHA512: 7a0b6bb18cd06d1fc05eab09652dd405b22be108ba7b4aaf41bd8bc2bc1c9f4f8d31961e19650feedf65c60d583d4d9b3023c5ed50eaf1848e3f8235294b880f