Analysis
- max time kernel: 146s
- max time network: 172s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 07:36
Static task: static1
Behavioral task: behavioral1
- Sample: 0d1b43d6d361d8066f0f9f46d261de8955ec319dadf851282652be042fd45be6.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 0d1b43d6d361d8066f0f9f46d261de8955ec319dadf851282652be042fd45be6.exe
- Resource: win10v2004-en-20220113
General
- Target: 0d1b43d6d361d8066f0f9f46d261de8955ec319dadf851282652be042fd45be6.exe
- Size: 99KB
- MD5: b33ceb1ff46243065a515eb902b85e69
- SHA1: a70a7a54f83cf4fc261ec62e918f01ccf23ccf22
- SHA256: 0d1b43d6d361d8066f0f9f46d261de8955ec319dadf851282652be042fd45be6
- SHA512: ab106a381912a50642609241bfbd5909bcd4b4d7a43021cf981e0af9f25bf0601d987bee1896d87ddeaf9521cc66320c8ebc7be5df5a6ff0110be24baf83a813
Malware Config
Signatures
- Sakula Payload (3 IoCs)
  Processes:
  resource | yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- Executes dropped EXE (1 IoC)
  Processes:
  pid | process
  1620 | MediaCenter.exe
- Deletes itself (1 IoC)
  Processes:
  pid | process
  520 | cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes:
  pid | process
  1652 | 0d1b43d6d361d8066f0f9f46d261de8955ec319dadf851282652be042fd45be6.exe
  1652 | 0d1b43d6d361d8066f0f9f46d261de8955ec319dadf851282652be042fd45be6.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 0d1b43d6d361d8066f0f9f46d261de8955ec319dadf851282652be042fd45be6.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 1652 | 0d1b43d6d361d8066f0f9f46d261de8955ec319dadf851282652be042fd45be6.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
  description | pid | process | target process
  PID 1652 wrote to memory of 1620 | 1652 | 0d1b43d6d361d8066f0f9f46d261de8955ec319dadf851282652be042fd45be6.exe | MediaCenter.exe
  PID 1652 wrote to memory of 1620 | 1652 | 0d1b43d6d361d8066f0f9f46d261de8955ec319dadf851282652be042fd45be6.exe | MediaCenter.exe
  PID 1652 wrote to memory of 1620 | 1652 | 0d1b43d6d361d8066f0f9f46d261de8955ec319dadf851282652be042fd45be6.exe | MediaCenter.exe
  PID 1652 wrote to memory of 1620 | 1652 | 0d1b43d6d361d8066f0f9f46d261de8955ec319dadf851282652be042fd45be6.exe | MediaCenter.exe
  PID 1652 wrote to memory of 520 | 1652 | 0d1b43d6d361d8066f0f9f46d261de8955ec319dadf851282652be042fd45be6.exe | cmd.exe
  PID 1652 wrote to memory of 520 | 1652 | 0d1b43d6d361d8066f0f9f46d261de8955ec319dadf851282652be042fd45be6.exe | cmd.exe
  PID 1652 wrote to memory of 520 | 1652 | 0d1b43d6d361d8066f0f9f46d261de8955ec319dadf851282652be042fd45be6.exe | cmd.exe
  PID 1652 wrote to memory of 520 | 1652 | 0d1b43d6d361d8066f0f9f46d261de8955ec319dadf851282652be042fd45be6.exe | cmd.exe
  PID 520 wrote to memory of 956 | 520 | cmd.exe | PING.EXE
  PID 520 wrote to memory of 956 | 520 | cmd.exe | PING.EXE
  PID 520 wrote to memory of 956 | 520 | cmd.exe | PING.EXE
  PID 520 wrote to memory of 956 | 520 | cmd.exe | PING.EXE
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\0d1b43d6d361d8066f0f9f46d261de8955ec319dadf851282652be042fd45be6.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0d1b43d6d361d8066f0f9f46d261de8955ec319dadf851282652be042fd45be6.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1652
  - [2] C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1620
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0d1b43d6d361d8066f0f9f46d261de8955ec319dadf851282652be042fd45be6.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 520
    - [3] C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 956
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 4fd1746d67eceb4cedd02f6e2d40ddf7
  SHA1: 15ba06bd604f11b96c9793cfef0a4cd6ca3b1cf7
  SHA256: d93b58d3707599f7d8daf2e84edf6bdada6a98141bc1f9bb790dd93669fcd8ea
  SHA512: 5249ac87617195da5e163727b9bf4d541d29a6ffd6c18d60ee197eec6a07559c43690cf094208ddc690dc0b5280584fc40409dca94ce5d6c06ad8917a24ac2bc