Analysis
- max time kernel: 131s
- max time network: 161s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 07:42
Static task: static1
Behavioral task: behavioral1
  Sample: 0ce15a3443c08ffbe710f4b356325ec7eef45513ba02b7cecdc44e44c10c1091.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0ce15a3443c08ffbe710f4b356325ec7eef45513ba02b7cecdc44e44c10c1091.exe
  Resource: win10v2004-en-20220113
General
- Target: 0ce15a3443c08ffbe710f4b356325ec7eef45513ba02b7cecdc44e44c10c1091.exe
- Size: 99KB
- MD5: 3c3dcbe3e3cb8b23205316e3d65a2240
- SHA1: 27d346d38865c766b3b93a00271cb65341c9cee7
- SHA256: 0ce15a3443c08ffbe710f4b356325ec7eef45513ba02b7cecdc44e44c10c1091
- SHA512: e118e034c95718a1b886f70947bbf75ab51e5e3a70a76c44c596d084252b80e075a3f50fd473418e0f85604bcb8b4f12a8ad951afdd0347854722007c57cdeed
Malware Config
Signatures
- Sakula Payload 3 IoCs
  Processes:
  resource                                                      yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe    family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  family_sakula
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe    family_sakula
- Executes dropped EXE 1 IoCs
  Processes: MediaCenter.exe
  pid   process
  1752  MediaCenter.exe
- Deletes itself 1 IoCs
  Processes: cmd.exe
  pid   process
  1380  cmd.exe
- Loads dropped DLL 2 IoCs
  Processes: 0ce15a3443c08ffbe710f4b356325ec7eef45513ba02b7cecdc44e44c10c1091.exe
  pid   process
  952   0ce15a3443c08ffbe710f4b356325ec7eef45513ba02b7cecdc44e44c10c1091.exe
  952   0ce15a3443c08ffbe710f4b356325ec7eef45513ba02b7cecdc44e44c10c1091.exe
- Adds Run key to start application 2 TTPs 1 IoCs
  Processes: 0ce15a3443c08ffbe710f4b356325ec7eef45513ba02b7cecdc44e44c10c1091.exe
  description      ioc  process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  0ce15a3443c08ffbe710f4b356325ec7eef45513ba02b7cecdc44e44c10c1091.exe
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe 1 TTPs 1 IoCs
- Suspicious use of AdjustPrivilegeToken 1 IoCs
  Processes: 0ce15a3443c08ffbe710f4b356325ec7eef45513ba02b7cecdc44e44c10c1091.exe
  description                        pid  process
  Token: SeIncBasePriorityPrivilege  952  0ce15a3443c08ffbe710f4b356325ec7eef45513ba02b7cecdc44e44c10c1091.exe
- Suspicious use of WriteProcessMemory 12 IoCs
  Processes: 0ce15a3443c08ffbe710f4b356325ec7eef45513ba02b7cecdc44e44c10c1091.exe, cmd.exe
  description                      pid   process  target process
  PID 952 wrote to memory of 1752  952   0ce15a3443c08ffbe710f4b356325ec7eef45513ba02b7cecdc44e44c10c1091.exe  MediaCenter.exe
  PID 952 wrote to memory of 1752  952   0ce15a3443c08ffbe710f4b356325ec7eef45513ba02b7cecdc44e44c10c1091.exe  MediaCenter.exe
  PID 952 wrote to memory of 1752  952   0ce15a3443c08ffbe710f4b356325ec7eef45513ba02b7cecdc44e44c10c1091.exe  MediaCenter.exe
  PID 952 wrote to memory of 1752  952   0ce15a3443c08ffbe710f4b356325ec7eef45513ba02b7cecdc44e44c10c1091.exe  MediaCenter.exe
  PID 952 wrote to memory of 1380  952   0ce15a3443c08ffbe710f4b356325ec7eef45513ba02b7cecdc44e44c10c1091.exe  cmd.exe
  PID 952 wrote to memory of 1380  952   0ce15a3443c08ffbe710f4b356325ec7eef45513ba02b7cecdc44e44c10c1091.exe  cmd.exe
  PID 952 wrote to memory of 1380  952   0ce15a3443c08ffbe710f4b356325ec7eef45513ba02b7cecdc44e44c10c1091.exe  cmd.exe
  PID 952 wrote to memory of 1380  952   0ce15a3443c08ffbe710f4b356325ec7eef45513ba02b7cecdc44e44c10c1091.exe  cmd.exe
  PID 1380 wrote to memory of 428  1380  cmd.exe  PING.EXE
  PID 1380 wrote to memory of 428  1380  cmd.exe  PING.EXE
  PID 1380 wrote to memory of 428  1380  cmd.exe  PING.EXE
  PID 1380 wrote to memory of 428  1380  cmd.exe  PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\0ce15a3443c08ffbe710f4b356325ec7eef45513ba02b7cecdc44e44c10c1091.exe
  "C:\Users\Admin\AppData\Local\Temp\0ce15a3443c08ffbe710f4b356325ec7eef45513ba02b7cecdc44e44c10c1091.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 952
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1752
  - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0ce15a3443c08ffbe710f4b356325ec7eef45513ba02b7cecdc44e44c10c1091.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1380
    - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1
      - Runs ping.exe
      PID: 428
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 2429790e8fccf03d33018603523654a4
  SHA1: 9f72c05baa33a3f8cd80456ae51d507d0a0166d6
  SHA256: 43a09451c749f26015fd493ef1ec609fa3139b766e64e1f8008dfe0e3a7bb2fd
  SHA512: 606f66908108525c1d47c86791e10875c5c0e335dd7fc660e564ebe639576c8eb87e7bf6bccba6e64e729a214d53276e0704641362e3f88b9db765bf364bddf4