Analysis
- max time kernel: 141s
- max time network: 161s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 07:34
Static task: static1
Behavioral task: behavioral1
  Sample: 0d31d429c66960623d9bf1252bd5939a94a4b5502a1cfbb7672c43c491dfa695.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0d31d429c66960623d9bf1252bd5939a94a4b5502a1cfbb7672c43c491dfa695.exe
  Resource: win10v2004-en-20220112
General
- Target: 0d31d429c66960623d9bf1252bd5939a94a4b5502a1cfbb7672c43c491dfa695.exe
- Size: 216KB
- MD5: 1ab1d666c3a70e3590f8afbd871755de
- SHA1: 0a4dae8245b663f2b1b990cb54f8d712e4c4a352
- SHA256: 0d31d429c66960623d9bf1252bd5939a94a4b5502a1cfbb7672c43c491dfa695
- SHA512: 9fc9d848e18a87c511930fba542193fe61c6c1bd3eae466ccbfa7d4b8a9252dc788e71b248bae4347ee4792af9279631d56fccbb38a5dafb0b6e166cd440081d
Malware Config
Signatures
- Sakula Payload (4 IoCs)
  Processes:
  resource | yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  behavioral1/memory/1316-59-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
  behavioral1/memory/1672-60-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
- Executes dropped EXE (1 IoCs)
  Processes:
  pid | process
  1672 | MediaCenter.exe
- Deletes itself (1 IoCs)
  Processes:
  pid | process
  2028 | cmd.exe
- Loads dropped DLL (1 IoCs)
  Processes:
  pid | process
  1316 | 0d31d429c66960623d9bf1252bd5939a94a4b5502a1cfbb7672c43c491dfa695.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 0d31d429c66960623d9bf1252bd5939a94a4b5502a1cfbb7672c43c491dfa695.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 1316 | 0d31d429c66960623d9bf1252bd5939a94a4b5502a1cfbb7672c43c491dfa695.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
  description | pid | process | target process
  PID 1316 wrote to memory of 1672 | 1316 | 0d31d429c66960623d9bf1252bd5939a94a4b5502a1cfbb7672c43c491dfa695.exe | MediaCenter.exe
  PID 1316 wrote to memory of 1672 | 1316 | 0d31d429c66960623d9bf1252bd5939a94a4b5502a1cfbb7672c43c491dfa695.exe | MediaCenter.exe
  PID 1316 wrote to memory of 1672 | 1316 | 0d31d429c66960623d9bf1252bd5939a94a4b5502a1cfbb7672c43c491dfa695.exe | MediaCenter.exe
  PID 1316 wrote to memory of 1672 | 1316 | 0d31d429c66960623d9bf1252bd5939a94a4b5502a1cfbb7672c43c491dfa695.exe | MediaCenter.exe
  PID 1316 wrote to memory of 2028 | 1316 | 0d31d429c66960623d9bf1252bd5939a94a4b5502a1cfbb7672c43c491dfa695.exe | cmd.exe
  PID 1316 wrote to memory of 2028 | 1316 | 0d31d429c66960623d9bf1252bd5939a94a4b5502a1cfbb7672c43c491dfa695.exe | cmd.exe
  PID 1316 wrote to memory of 2028 | 1316 | 0d31d429c66960623d9bf1252bd5939a94a4b5502a1cfbb7672c43c491dfa695.exe | cmd.exe
  PID 1316 wrote to memory of 2028 | 1316 | 0d31d429c66960623d9bf1252bd5939a94a4b5502a1cfbb7672c43c491dfa695.exe | cmd.exe
  PID 2028 wrote to memory of 1060 | 2028 | cmd.exe | PING.EXE
  PID 2028 wrote to memory of 1060 | 2028 | cmd.exe | PING.EXE
  PID 2028 wrote to memory of 1060 | 2028 | cmd.exe | PING.EXE
  PID 2028 wrote to memory of 1060 | 2028 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\0d31d429c66960623d9bf1252bd5939a94a4b5502a1cfbb7672c43c491dfa695.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0d31d429c66960623d9bf1252bd5939a94a4b5502a1cfbb7672c43c491dfa695.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1316
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1672
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0d31d429c66960623d9bf1252bd5939a94a4b5502a1cfbb7672c43c491dfa695.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 2028
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1060
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 47560d3fec9b881029ffa7576a91b9dc
  SHA1: 7143b97d3ffe9295d33930676f591734bf3ec41d
  SHA256: dac6224af786f3cc15395c9de2842eeed9e9d592eae2dbfcb7a21ad70fad3487
  SHA512: 9fa3b07b7daf7425a4de2ffeba66c2917003b48d3642fa569d9e2da805a8ec7be511becf3f14717da8ed795104e9d45e60344e2db41a9c86a3a52c1f0b00f838
- MD5: 47560d3fec9b881029ffa7576a91b9dc
  SHA1: 7143b97d3ffe9295d33930676f591734bf3ec41d
  SHA256: dac6224af786f3cc15395c9de2842eeed9e9d592eae2dbfcb7a21ad70fad3487
  SHA512: 9fa3b07b7daf7425a4de2ffeba66c2917003b48d3642fa569d9e2da805a8ec7be511becf3f14717da8ed795104e9d45e60344e2db41a9c86a3a52c1f0b00f838