Analysis
max time kernel: 160s
max time network: 172s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 07:38
Static task: static1
Behavioral task: behavioral1
  Sample: 0d12d1f37947546e69ec9a60fecd4319dcb89130e37980fd79c3f0e17efbc493.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0d12d1f37947546e69ec9a60fecd4319dcb89130e37980fd79c3f0e17efbc493.exe
  Resource: win10v2004-en-20220113
General
Target: 0d12d1f37947546e69ec9a60fecd4319dcb89130e37980fd79c3f0e17efbc493.exe
Size: 80KB
MD5: f2a68cc35e7527966427e3f294bc4b2e
SHA1: a166917428b3a0781f31a50212fc9ebfbc4b1664
SHA256: 0d12d1f37947546e69ec9a60fecd4319dcb89130e37980fd79c3f0e17efbc493
SHA512: 3c63cc79beb6a78d2b149b921c6e571341ef251be0d7b71eaaf8c797ff4da971d1aa1671cd3f910dc9d403d5003610696adf79f1f708bcb1c82be74f7f0a74ec
Malware Config
Signatures

Sakula Payload (3 IoCs)
YARA rule family_sakula matched on:
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

Executes dropped EXE (1 IoC)
  PID 268  MediaCenter.exe

Deletes itself (1 IoC)
  PID 1976  cmd.exe

Loads dropped DLL (2 IoCs)
  PID 1544  0d12d1f37947546e69ec9a60fecd4319dcb89130e37980fd79c3f0e17efbc493.exe (two loads recorded)

Adds Run key to start application (2 TTPs, 1 IoC)
  Process: 0d12d1f37947546e69ec9a60fecd4319dcb89130e37980fd79c3f0e17efbc493.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
  (The Wow6432Node path is where a 32-bit process's write to HKLM\...\CurrentVersion\Run lands on 64-bit Windows; the value still autostarts the dropped file at logon.)
Enumerates physical storage devices (1 TTP)
  Sandbox description: "Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour."
  This is the generic text attached to the signature, not a verdict on this sample: the YARA match above classifies the payload as Sakula, and nothing else in the report (no file encryption, no ransom note) supports ransomware behaviour.
Runs ping.exe (1 TTP, 1 IoC)
  No IoC rows were exported for this signature; the matching event is PID 1968 (ping 127.0.0.1) in the process tree below.
Suspicious use of AdjustPrivilegeToken (1 IoC)
  PID 1544  0d12d1f37947546e69ec9a60fecd4319dcb89130e37980fd79c3f0e17efbc493.exe  Token: SeIncBasePriorityPrivilege
Suspicious use of WriteProcessMemory (12 IoCs)
  PID 1544 (0d12d1f37947546e69ec9a60fecd4319dcb89130e37980fd79c3f0e17efbc493.exe) wrote to memory of PID 268 (MediaCenter.exe), 4 times
  PID 1544 (0d12d1f37947546e69ec9a60fecd4319dcb89130e37980fd79c3f0e17efbc493.exe) wrote to memory of PID 1976 (cmd.exe), 4 times
  PID 1976 (cmd.exe) wrote to memory of PID 1968 (PING.EXE), 4 times
  Every target is a child the writer has just created; a parent writes the new process's parameters into the child as part of ordinary process creation, so these rows are not evidence of injection into an unrelated process.
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\0d12d1f37947546e69ec9a60fecd4319dcb89130e37980fd79c3f0e17efbc493.exe (PID 1544)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0d12d1f37947546e69ec9a60fecd4319dcb89130e37980fd79c3f0e17efbc493.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  Level 2: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 268, child of 1544)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE

  Level 2: C:\Windows\SysWOW64\cmd.exe (PID 1976, child of 1544)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0d12d1f37947546e69ec9a60fecd4319dcb89130e37980fd79c3f0e17efbc493.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory

    Level 3: C:\Windows\SysWOW64\PING.EXE (PID 1968, child of 1976)
      Command line: ping 127.0.0.1
      - Runs ping.exe

Two things to note when pivoting on these rows. The command line names System32\cmd.exe but the image that actually ran is SysWOW64\cmd.exe: the sample is 32-bit, so file system redirection on x64 Windows rewrites the path, and a rule keyed on the System32 image path would miss it. The ping of 127.0.0.1 is a sleep, not reconnaissance; it gives the parent time to exit before del /q removes the original executable, leaving only the dropped MediaCenter.exe and its Run key.
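The two behaviours that matter for detection in this tree are the self-deletion chain (cmd.exe spawned by the sample to ping and then del the parent's own image) and the Run value pointing into a user-writable Temp directory. The script below is an added example, not part of the sandbox report: it rebuilds the process tree from process-creation events and flags both patterns. The event records are constructed here to mirror the PIDs, paths and command lines reported above; the field names (EventID, Image, CommandLine, ParentProcessId, TargetObject, Details) follow Sysmon's ProcessCreate (event 1) and RegistryEvent (event 13) layout, which is an assumption about the log source you would feed it.

```python
"""Detection logic for the self-deletion chain and Temp-directory Run key
seen in the report above. Added example, not sandbox output; the events are
constructed from the report and the field names assume Sysmon-style logs."""
import re
from typing import Dict, List, Tuple

SAMPLE_EXE = (r"C:\Users\Admin\AppData\Local\Temp"
              r"\0d12d1f37947546e69ec9a60fecd4319dcb89130e37980fd79c3f0e17efbc493.exe")
DROPPED_EXE = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

# Constructed events modelled on the report's process tree and registry IoC.
# The parent PID 1200 of the sample is an assumption (not in the report).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventID": "1", "ProcessId": "1544", "ParentProcessId": "1200",
     "Image": SAMPLE_EXE, "CommandLine": f'"{SAMPLE_EXE}"'},
    {"EventID": "1", "ProcessId": "268", "ParentProcessId": "1544",
     "Image": DROPPED_EXE, "CommandLine": DROPPED_EXE},
    {"EventID": "13", "ProcessId": "1544", "Image": SAMPLE_EXE,
     "TargetObject": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "Details": DROPPED_EXE},
    {"EventID": "1", "ProcessId": "1976", "ParentProcessId": "1544",
     "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE_EXE}"'},
    {"EventID": "1", "ProcessId": "1968", "ParentProcessId": "1976",
     "Image": r"C:\Windows\SysWOW64\PING.EXE", "CommandLine": "ping 127.0.0.1"},
]

# "del [/switches] <path>" at the end of a cmd /c chain; the path may be quoted.
DEL_RE = re.compile(r'\bdel\b(?:\s+/\w+)*\s+"?([^"&]+?)"?\s*(?:&|$)', re.I)
PING_RE = re.compile(r"\bping\b", re.I)
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)
USER_TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)


def norm(path: str) -> str:
    """Case-fold and strip quotes so Image and command-line paths compare equal."""
    return path.strip().strip('"').lower()


def process_tree(events: List[Dict[str, str]]) -> List[Tuple[int, str, str]]:
    """Rebuild the parent/child tree from ProcessCreate events as (depth, pid, image)."""
    procs = [e for e in events if e["EventID"] == "1"]
    pids = {e["ProcessId"] for e in procs}
    children: Dict[str, List[Dict[str, str]]] = {}
    for e in procs:
        children.setdefault(e["ParentProcessId"], []).append(e)
    rows: List[Tuple[int, str, str]] = []

    def walk(pid: str, depth: int) -> None:
        for c in children.get(pid, []):
            rows.append((depth, c["ProcessId"], c["Image"]))
            walk(c["ProcessId"], depth + 1)

    for e in procs:  # a process whose parent is not in the log is a root
        if e["ParentProcessId"] not in pids:
            rows.append((0, e["ProcessId"], e["Image"]))
            walk(e["ProcessId"], 1)
    return rows


def detect_self_delete(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Flag cmd.exe launched with ping + del where the deleted file is the parent's own image.
    Matching on the Image suffix (not System32) survives WoW64 path redirection."""
    by_pid = {e["ProcessId"]: e for e in events if e["EventID"] == "1"}
    alerts = []
    for e in events:
        if e["EventID"] != "1" or not norm(e["Image"]).endswith("\\cmd.exe"):
            continue
        cmd = e["CommandLine"]
        m = DEL_RE.search(cmd)
        if not (m and PING_RE.search(cmd)):
            continue
        parent = by_pid.get(e["ParentProcessId"])
        if parent and norm(parent["Image"]) == norm(m.group(1)):
            alerts.append({"rule": "self_delete_via_cmd_ping", "pid": e["ProcessId"],
                           "parent_pid": parent["ProcessId"], "deleted": m.group(1)})
    return alerts


def detect_run_key_to_temp(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Flag Run/RunOnce values (native or Wow6432Node) whose target lives under a user's Temp."""
    alerts = []
    for e in events:
        if e["EventID"] != "13":
            continue
        if RUN_KEY_RE.search(e["TargetObject"]) and USER_TEMP_RE.search(e.get("Details", "")):
            alerts.append({"rule": "run_key_points_to_user_temp", "pid": e["ProcessId"],
                           "key": e["TargetObject"], "target": e["Details"]})
    return alerts


if __name__ == "__main__":
    for depth, pid, image in process_tree(SAMPLE_EVENTS):
        print("  " * depth + f"{pid}  {image}")
    for alert in detect_self_delete(SAMPLE_EVENTS) + detect_run_key_to_temp(SAMPLE_EVENTS):
        print("ALERT", alert)
```

Keying the self-deletion rule on the parent's image rather than on the literal `ping 127.0.0.1 & del` string is what makes it hold up: the delay can be `timeout`, `choice` or a ping of any host, but the tell is that the file being deleted is the executable of the process that spawned the shell.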
Network
MITRE ATT&CK Enterprise v6
Downloads
One file is available for download; the report lists the same hash set three times.
MD5: 9e2c0308f1ff11518370bd54d98c6fa1
SHA1: a74491c45bf2082b3b37769404bd5f35fa9071ed
SHA256: 94bc05a894de657d9e04905c906e43dcd97f010deca63e5c3d4f117696707336
SHA512: 79fce2f07bdb517cfabc13e451653f45b2899e3f001b891b65a29a961a0ebc720b380ea664a02788dd9320ff05e6f1ea77817253868e6f21243ef60a06d611e5