Analysis
- max time kernel: 149s
- max time network: 162s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 07:35
Static task: static1
Behavioral task: behavioral1
  Sample: 0d314fba2e6c6251b5becf66e959567bb82707445d58a3d522544e6162aaec10.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0d314fba2e6c6251b5becf66e959567bb82707445d58a3d522544e6162aaec10.exe
  Resource: win10v2004-en-20220112
General
- Target: 0d314fba2e6c6251b5becf66e959567bb82707445d58a3d522544e6162aaec10.exe
- Size: 99KB
- MD5: f168edd3a72720aa9d342283291bd14c
- SHA1: 121fafd6538d9a49ccbe69fdc93d21dc92d27386
- SHA256: 0d314fba2e6c6251b5becf66e959567bb82707445d58a3d522544e6162aaec10
- SHA512: 91440c638f12f2514bbfdecb0b210472c7b8b85d39fc42b15f6f855f50bc767efe3dd6f2c2e04992f2670e843745f7bdbcc36cda99a8b2c9c922f71f1f6c2925
Malware Config
Signatures
- Sakula Payload (3 IoCs)
  Processes:
    resource                                                       yara_rule
    \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe     family_sakula
    \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe     family_sakula
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe   family_sakula
- Executes dropped EXE (1 IoC)
  Processes:
    pid    process
    848    MediaCenter.exe
- Deletes itself (1 IoC)
  Processes:
    pid    process
    1180   cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes:
    pid    process
    1340   0d314fba2e6c6251b5becf66e959567bb82707445d58a3d522544e6162aaec10.exe
    1340   0d314fba2e6c6251b5becf66e959567bb82707445d58a3d522544e6162aaec10.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    description: Set value (str)
    ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
    process: 0d314fba2e6c6251b5becf66e959567bb82707445d58a3d522544e6162aaec10.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description                          pid    process
    Token: SeIncBasePriorityPrivilege    1340   0d314fba2e6c6251b5becf66e959567bb82707445d58a3d522544e6162aaec10.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
    description                         pid    process                                                                  target process
    PID 1340 wrote to memory of 848     1340   0d314fba2e6c6251b5becf66e959567bb82707445d58a3d522544e6162aaec10.exe   MediaCenter.exe
    PID 1340 wrote to memory of 848     1340   0d314fba2e6c6251b5becf66e959567bb82707445d58a3d522544e6162aaec10.exe   MediaCenter.exe
    PID 1340 wrote to memory of 848     1340   0d314fba2e6c6251b5becf66e959567bb82707445d58a3d522544e6162aaec10.exe   MediaCenter.exe
    PID 1340 wrote to memory of 848     1340   0d314fba2e6c6251b5becf66e959567bb82707445d58a3d522544e6162aaec10.exe   MediaCenter.exe
    PID 1340 wrote to memory of 1180    1340   0d314fba2e6c6251b5becf66e959567bb82707445d58a3d522544e6162aaec10.exe   cmd.exe
    PID 1340 wrote to memory of 1180    1340   0d314fba2e6c6251b5becf66e959567bb82707445d58a3d522544e6162aaec10.exe   cmd.exe
    PID 1340 wrote to memory of 1180    1340   0d314fba2e6c6251b5becf66e959567bb82707445d58a3d522544e6162aaec10.exe   cmd.exe
    PID 1340 wrote to memory of 1180    1340   0d314fba2e6c6251b5becf66e959567bb82707445d58a3d522544e6162aaec10.exe   cmd.exe
    PID 1180 wrote to memory of 1060    1180   cmd.exe                                                                  PING.EXE
    PID 1180 wrote to memory of 1060    1180   cmd.exe                                                                  PING.EXE
    PID 1180 wrote to memory of 1060    1180   cmd.exe                                                                  PING.EXE
    PID 1180 wrote to memory of 1060    1180   cmd.exe                                                                  PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\0d314fba2e6c6251b5becf66e959567bb82707445d58a3d522544e6162aaec10.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0d314fba2e6c6251b5becf66e959567bb82707445d58a3d522544e6162aaec10.exe"
  PID: 1340
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 848
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0d314fba2e6c6251b5becf66e959567bb82707445d58a3d522544e6162aaec10.exe"
    PID: 1180
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    Child processes:
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 1060
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: f8e1574cfef143a483f6438412fa0293
  SHA1: 4922ba3b1df163dfa867d98e7ae2bf670432f777
  SHA256: 78df3dc5e2e0c07abd69882ab37adef96b8b1bee4956d50158974159bb704da7
  SHA512: 2b9c2923ba03984265f297f7f9d5ac2a547a9384c2775b35f5d3720c22cfa14821729d7f996eb399326541758a53257a8286f10cb819e94679e5df5d618a251a