Analysis

  max time kernel    135s
  max time network   150s
  platform           windows7_x64
  resource           win7-en-20211208
  submitted          12-02-2022 07:41

Tasks

  static1       static analysis of the sample
  behavioral1   sample 0ce312c3d29bcba8b4ccd73acd08f0527c424b5314059dd564b01907c9eeb97c.exe, resource win7-en-20211208
  behavioral2   sample 0ce312c3d29bcba8b4ccd73acd08f0527c424b5314059dd564b01907c9eeb97c.exe, resource win10v2004-en-20220113

  The signatures, memory dumps and process tree below come from behavioral1 (Windows 7 x64); the dump paths are prefixed behavioral1/.
General

  Target   0ce312c3d29bcba8b4ccd73acd08f0527c424b5314059dd564b01907c9eeb97c.exe
  Size     176KB
  MD5      488ed43f4ae2ea455b0877a61295c5aa
  SHA1     b4fca0d052b20d9d19467837ed646abf941ee7fb
  SHA256   0ce312c3d29bcba8b4ccd73acd08f0527c424b5314059dd564b01907c9eeb97c
  SHA512   409b8e5093d0c851e78abf8ab02c50e61f80dd9da22df479095a7a2ceaf8a85b006ed6ac9c98b002c673725378447c2302b357f32d060c1f7fa7cc1fe26154f5
Malware Config

  (empty in this report)

Signatures

Sakula Payload (4 IoCs)

  YARA rule family_sakula matched on:

    file    \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    file    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    memory  behavioral1/memory/2028-59-0x0000000000400000-0x0000000000420000-memory.dmp
            (PID 2028, the original sample; 0x400000 is the default image base of a 32-bit PE, so the rule hit the mapped image)
    memory  behavioral1/memory/576-60-0x0000000000400000-0x0000000000420000-memory.dmp
            (PID 576, MediaCenter.exe, same region)

Executes dropped EXE (1 IoC)

    PID 576    MediaCenter.exe

Deletes itself (1 IoC)

    PID 1052   cmd.exe

Loads dropped DLL (1 IoC)

    PID 2028   0ce312c3d29bcba8b4ccd73acd08f0527c424b5314059dd564b01907c9eeb97c.exe
Adds Run key to start application (2 TTPs, 1 IoC)

    PID 2028   0ce312c3d29bcba8b4ccd73acd08f0527c424b5314059dd564b01907c9eeb97c.exe
               Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"

  The value lands under Wow6432Node because the sample is a 32-bit process on the x64 guest and registry redirection sends its HKLM\SOFTWARE writes there. On a 32-bit Windows host the same write appears under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, so a hunt should cover both paths. A machine-wide Run value pointing into a user's AppData\Local\Temp is itself a strong signal; legitimate software rarely persists from there.

Enumerates physical storage devices (1 TTP)

  Attempts to interact with connected storage/optical drive(s). The sandbox's generic text for this signature adds "Likely ransomware behaviour", but nothing else in this report (no file encryption, no ransom note) supports that reading, and the payload is classified as Sakula, a remote access trojan. Treat the hit as drive enumeration only.
Runs ping.exe (1 TTP, 1 IoC)

    PID 1508   PING.EXE   ping 127.0.0.1   (a delay before the delete; see the process tree)

Suspicious use of AdjustPrivilegeToken (1 IoC)

    PID 2028   0ce312c3d29bcba8b4ccd73acd08f0527c424b5314059dd564b01907c9eeb97c.exe
               Token: SeIncBasePriorityPrivilege

Suspicious use of WriteProcessMemory (12 IoCs)

    source PID   source process                                                          target PID   target process    writes
    2028         0ce312c3d29bcba8b4ccd73acd08f0527c424b5314059dd564b01907c9eeb97c.exe   576          MediaCenter.exe   4
    2028         0ce312c3d29bcba8b4ccd73acd08f0527c424b5314059dd564b01907c9eeb97c.exe   1052         cmd.exe           4
    1052         cmd.exe                                                                 1508         PING.EXE          4

  Every write goes to a process the writer itself just created, which is what CreateProcess does when it sets up the child's parameters; the signature is informational here rather than evidence of injection into an unrelated process.
Processes

  PID 2028   C:\Users\Admin\AppData\Local\Temp\0ce312c3d29bcba8b4ccd73acd08f0527c424b5314059dd564b01907c9eeb97c.exe
             "C:\Users\Admin\AppData\Local\Temp\0ce312c3d29bcba8b4ccd73acd08f0527c424b5314059dd564b01907c9eeb97c.exe"
             - Loads dropped DLL
             - Adds Run key to start application
             - Suspicious use of AdjustPrivilegeToken
             - Suspicious use of WriteProcessMemory

    PID 576    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
               C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
               - Executes dropped EXE

    PID 1052   C:\Windows\SysWOW64\cmd.exe
               "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0ce312c3d29bcba8b4ccd73acd08f0527c424b5314059dd564b01907c9eeb97c.exe"
               - Deletes itself
               - Suspicious use of WriteProcessMemory

      PID 1508   C:\Windows\SysWOW64\PING.EXE
                 ping 127.0.0.1
                 - Runs ping.exe

  Reading the tree: the sample writes MediaCenter.exe under the user's AppData\Local\Temp\MicroMedia, starts it, registers it in the Run key, and then spawns cmd.exe to delete the original executable. The ping to 127.0.0.1 is a delay so that the parent has exited before del runs; a running image cannot be deleted while it is mapped. The image path C:\Windows\SysWOW64\cmd.exe next to a command line naming System32 is file-system redirection for a 32-bit process on the x64 guest. After the run the only copy on disk is MediaCenter.exe, so that is the file to collect, and the Run value is the persistence to remove.
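As an added example, not code from the sandbox or from this report, the Python below runs the three checks a responder would want over this process tree: a Run or RunOnce value pointing into a user-writable directory, the cmd.exe "ping loopback & del" self-deletion idiom tied to the parent's own image, and the list of what survives on disk. The event records are constructed by hand from the tree and the Run-key IoC above, with two benign decoys added; the field names (type, pid, ppid, image, cmdline, key, value) are an assumed schema, not the sandbox's export format.

```python
"""Checks for the persistence and self-deletion seen in this report (added example)."""
import re

# Constructed events mirroring the behavioral1 run above, plus two benign decoys.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\0ce312c3d29bcba8b4ccd73acd08f0527c424b5314059dd564b01907c9eeb97c.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
EVENTS = [
    # ppid 0: the sample's parent is not shown in the report
    {"type": "process", "pid": 2028, "ppid": 0, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"type": "registry_set", "pid": 2028,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "value": DROPPED},
    {"type": "process", "pid": 576, "ppid": 2028, "image": DROPPED, "cmdline": DROPPED},
    {"type": "process", "pid": 1052, "ppid": 2028, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"'},
    {"type": "process", "pid": 1508, "ppid": 1052, "image": r"C:\Windows\SysWOW64\PING.EXE",
     "cmdline": "ping 127.0.0.1"},
    # Decoys (constructed): a vendor Run value and a cleanup of a log file; neither should fire.
    {"type": "registry_set", "pid": 900,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Vendor",
     "value": r"C:\Program Files\Vendor\agent.exe"},
    {"type": "process", "pid": 901, "ppid": 0, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": '"C:\\Windows\\System32\\cmd.exe" /c ping 10.0.0.1 & del /q "C:\\Temp\\old.log"'},
]

# Run and RunOnce under either the native or the Wow6432Node hive path.
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\[^\\]+$", re.I)
# Directories a standard user can write to; a Run target here is suspect.
USER_WRITABLE = re.compile(r"\\(?:AppData\\(?:Local|Roaming)|Temp|ProgramData|Users\\Public)\\", re.I)
# "ping <loopback> & del [/switches] <path>": ping is the sleep, del removes the path.
SELF_DELETE = re.compile(
    r"ping\s+(?:-n\s+\d+\s+)?(?:127\.0\.0\.1|localhost|::1)\b"
    r".*?&+\s*del\s+(?:/[a-z]\s+)*\"?(?P<target>[^\"&]+?)\"?\s*$",
    re.I,
)


def suspicious_run_keys(events):
    """Run/RunOnce values whose target lives in a user-writable directory."""
    return [
        (ev["pid"], ev["key"], ev["value"])
        for ev in events
        if ev["type"] == "registry_set"
        and RUN_KEY.search(ev["key"])
        and USER_WRITABLE.search(ev["value"])
    ]


def self_deletions(events):
    """cmd.exe children whose del target is their own parent's image."""
    procs = {ev["pid"]: ev for ev in events if ev["type"] == "process"}
    hits = []
    for ev in procs.values():
        if not ev["image"].lower().endswith("\\cmd.exe"):
            continue
        m = SELF_DELETE.search(ev["cmdline"])
        parent = procs.get(ev["ppid"])
        if m and parent and m.group("target").strip().lower() == parent["image"].lower():
            hits.append((ev["pid"], ev["ppid"], parent["image"]))
    return hits


def persisted_survivors(events):
    """Run-key targets that are not themselves deleted: the files left to collect."""
    deleted = {image.lower() for _, _, image in self_deletions(events)}
    return sorted(value for _, _, value in suspicious_run_keys(events)
                  if value.lower() not in deleted)


def triage(events):
    """Summary a responder can act on: persistence to remove, deletions, files to collect."""
    return {
        "run_keys": suspicious_run_keys(events),
        "self_deletions": self_deletions(events),
        "collect": persisted_survivors(events),
    }


if __name__ == "__main__":
    for name, rows in triage(EVENTS).items():
        print(name)
        for row in rows:
            print("   ", row)
```

The self-deletion check deliberately requires the del target to equal the parent's image path rather than matching on "ping & del" alone, which is why the decoy that removes a log file is not reported; the Run-key check matches on the hive-relative tail of the key so the same rule covers both the Wow6432Node path seen here and the native path on a 32-bit host.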
Network
MITRE ATT&CK Enterprise v6
Downloads

  The report lists the same file hashes twice; they are collapsed to one entry here.

  MD5      4eee92901ecd181d7c6ed3cb82df3b98
  SHA1     3f93ff7d96fee5c28b985852b247388c548e3fa7
  SHA256   ab63d52ea5206d010939a03ed4fc4e1745f3665a88415b97581c43c898443ec8
  SHA512   d61b4f2979b1e263d3ea2ad2a6c96b546c5daff8e2e0804b0397f9ce3b3b78147bd36d53df51320cf6425265f50cf0159ced62748aba934ee45741ca56a103cf

  These hashes differ from the submitted sample's, so this is a file produced during the run rather than the input; compare them against MediaCenter.exe when collecting from a host.