Analysis
- max time kernel: 146s
- max time network: 155s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 07:39
Static task: static1
Behavioral task: behavioral1
Sample: 0d02af89f980d2126637a275950193cd70c1cbbe3f51de096142a37c002330f7.exe
Resource: win7-en-20211208
Behavioral task: behavioral2
Sample: 0d02af89f980d2126637a275950193cd70c1cbbe3f51de096142a37c002330f7.exe
Resource: win10v2004-en-20220112
General
- Target: 0d02af89f980d2126637a275950193cd70c1cbbe3f51de096142a37c002330f7.exe
- Size: 150KB
- MD5: 81668b5542ac253625bea6e7a195a6db
- SHA1: f2c0dd805f567c05d80280a8a5c48a3843d5bfb1
- SHA256: 0d02af89f980d2126637a275950193cd70c1cbbe3f51de096142a37c002330f7
- SHA512: a5c9c45e1e31155aeaac5fb63500867bca9edacd6a126c22f14b4c79fe22a6d7acf0625e60d18ca8e313c32db8968c6c429f6dd798ef3e8e5edca3100fb8fb3a
Malware Config
Signatures
-
Sakula Payload 2 IoCs
Processes:
resource yara_rule
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula
-
Executes dropped EXE 1 IoCs
Processes:
pid process
948 MediaCenter.exe
-
Deletes itself 1 IoCs
Processes:
pid process
820 cmd.exe
-
Loads dropped DLL 1 IoCs
Processes:
pid process
812 0d02af89f980d2126637a275950193cd70c1cbbe3f51de096142a37c002330f7.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description ioc process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" 0d02af89f980d2126637a275950193cd70c1cbbe3f51de096142a37c002330f7.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
description pid process
Token: SeIncBasePriorityPrivilege 812 0d02af89f980d2126637a275950193cd70c1cbbe3f51de096142a37c002330f7.exe
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
description pid process target process
PID 812 wrote to memory of 948 812 0d02af89f980d2126637a275950193cd70c1cbbe3f51de096142a37c002330f7.exe MediaCenter.exe
PID 812 wrote to memory of 948 812 0d02af89f980d2126637a275950193cd70c1cbbe3f51de096142a37c002330f7.exe MediaCenter.exe
PID 812 wrote to memory of 948 812 0d02af89f980d2126637a275950193cd70c1cbbe3f51de096142a37c002330f7.exe MediaCenter.exe
PID 812 wrote to memory of 948 812 0d02af89f980d2126637a275950193cd70c1cbbe3f51de096142a37c002330f7.exe MediaCenter.exe
PID 812 wrote to memory of 820 812 0d02af89f980d2126637a275950193cd70c1cbbe3f51de096142a37c002330f7.exe cmd.exe
PID 812 wrote to memory of 820 812 0d02af89f980d2126637a275950193cd70c1cbbe3f51de096142a37c002330f7.exe cmd.exe
PID 812 wrote to memory of 820 812 0d02af89f980d2126637a275950193cd70c1cbbe3f51de096142a37c002330f7.exe cmd.exe
PID 812 wrote to memory of 820 812 0d02af89f980d2126637a275950193cd70c1cbbe3f51de096142a37c002330f7.exe cmd.exe
PID 820 wrote to memory of 956 820 cmd.exe PING.EXE
PID 820 wrote to memory of 956 820 cmd.exe PING.EXE
PID 820 wrote to memory of 956 820 cmd.exe PING.EXE
PID 820 wrote to memory of 956 820 cmd.exe PING.EXE
Processes
-
Level 1: C:\Users\Admin\AppData\Local\Temp\0d02af89f980d2126637a275950193cd70c1cbbe3f51de096142a37c002330f7.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\0d02af89f980d2126637a275950193cd70c1cbbe3f51de096142a37c002330f7.exe"
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 812
-
Level 2: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
- Executes dropped EXE
PID: 948
-
Level 2: C:\Windows\SysWOW64\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0d02af89f980d2126637a275950193cd70c1cbbe3f51de096142a37c002330f7.exe"
- Deletes itself
- Suspicious use of WriteProcessMemory
PID: 820
-
Level 3: C:\Windows\SysWOW64\PING.EXE
Command line: ping 127.0.0.1
- Runs ping.exe
PID: 956
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 2ab9c80a90db8e0d3b9addf0cd12aa1c
- SHA1: 347788cfe6606572e0c797ddd00391e591092351
- SHA256: 23904da28386a53876c9b0de65ce7daefaa50f919de69d19331a5fff0e9b8d24
- SHA512: 28116c9f7c374f84d18ec70bd4a4b80088d3f2361ce4c38f53f7c72ebfcfa14717e4e9c6723e9f33993218996919c6e2aa6d746df5ae601c25903c85fa915db1