Analysis
- max time kernel: 127s
- max time network: 157s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 07:46
Static task: static1
Behavioral task: behavioral1
- Sample: 0cacb6d8652eb809524f40d3409098eeb13299c7e949f00b92ae0948b7b031f2.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 0cacb6d8652eb809524f40d3409098eeb13299c7e949f00b92ae0948b7b031f2.exe
- Resource: win10v2004-en-20220113
General
- Target: 0cacb6d8652eb809524f40d3409098eeb13299c7e949f00b92ae0948b7b031f2.exe
- Size: 80KB
- MD5: 26f144345fcc6bcfbff07e373dade235
- SHA1: 4ddde141091b8b401a8ddf8805b3022325537f1c
- SHA256: 0cacb6d8652eb809524f40d3409098eeb13299c7e949f00b92ae0948b7b031f2
- SHA512: b69f4e121260f00374353ef15bd0fd08905f714a705361b0449e38a018322243e8b1122e4e8dfb088e3c7c2af035e638dfb8ad42d62e5913c2ea3cbe35d555d7
Malware Config
Signatures
- Sakula Payload (3 IoCs)
  YARA rule family_sakula matched on:
  - \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  - \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
- Executes dropped EXE (1 IoC)
  PID 1484: MediaCenter.exe
- Deletes itself (1 IoC)
  PID 1212: cmd.exe
- Loads dropped DLL (2 IoCs)
  PID 1972: 0cacb6d8652eb809524f40d3409098eeb13299c7e949f00b92ae0948b7b031f2.exe (two DLL loads recorded)
- Adds Run key to start application (2 TTPs, 1 IoC)
  PID 1972 (0cacb6d8652eb809524f40d3409098eeb13299c7e949f00b92ae0948b7b031f2.exe) set value (str):
  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  The Wow6432Node path shows the write came from a 32-bit process on the x64 guest and was redirected by WOW64. The entry is the machine-wide HKLM Run key, so the dropped payload is launched from a user-writable Temp directory at every boot, for every user.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox attaches the canned note "Likely ransomware behaviour" to this heuristic; here the payload is identified as Sakula (a remote access trojan) by the YARA match above, and no file encryption or mass file modification is recorded anywhere in this report, so the drive enumeration should not be read as a ransomware verdict.
- Runs ping.exe (1 TTP, 1 IoC)
  PID 1968: PING.EXE, spawned by cmd.exe (PID 1212) as the delay step of the self-delete command; see the process tree below.
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  PID 1972 (0cacb6d8652eb809524f40d3409098eeb13299c7e949f00b92ae0948b7b031f2.exe): Token SeIncBasePriorityPrivilege
- Suspicious use of WriteProcessMemory (12 IoCs)
  Writer -> target (number of writes):
  - PID 1972 0cacb6d8652eb809524f40d3409098eeb13299c7e949f00b92ae0948b7b031f2.exe -> PID 1484 MediaCenter.exe (4)
  - PID 1972 0cacb6d8652eb809524f40d3409098eeb13299c7e949f00b92ae0948b7b031f2.exe -> PID 1212 cmd.exe (4)
  - PID 1212 cmd.exe -> PID 1968 PING.EXE (4)
  In every case the target is a child the writer itself had just created (see the process tree below). Such writes accompany ordinary process creation and, on their own, are not evidence of injection into an unrelated process.
Processes
- C:\Users\Admin\AppData\Local\Temp\0cacb6d8652eb809524f40d3409098eeb13299c7e949f00b92ae0948b7b031f2.exe (PID 1972)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0cacb6d8652eb809524f40d3409098eeb13299c7e949f00b92ae0948b7b031f2.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 1484, child of 1972)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 1212, child of 1972)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0cacb6d8652eb809524f40d3409098eeb13299c7e949f00b92ae0948b7b031f2.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 1968, child of 1212)
      Command line: ping 127.0.0.1
      - Runs ping.exe
The command line names System32\cmd.exe but the image that actually ran is SysWOW64\cmd.exe: the dropper is a 32-bit process and is subject to WOW64 file system redirection on the x64 guest. The del target is the dropper's own path, so the original file is removed as soon as ping returns, leaving MediaCenter.exe in Temp (registered under the Run key above) as the persistent copy.
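The two behaviours this report ties together, an HKLM Run key pointing into a user's Temp directory and the cmd.exe "ping 127.0.0.1 & del /q <own path>" self-delete, are straightforward to hunt for in endpoint telemetry. The following Python is an added example and is not part of the sandbox report or of any tool it references. It runs two detections over constructed Sysmon-style events that mirror the process tree above (process creation and registry value set; the field names Image, CommandLine, ParentImage, TargetObject and Details, and the explorer.exe parent for the dropper, are assumptions), with two benign look-alikes included as negative controls.

```python
import json
import re

# Paths taken from the report's process tree (the sample and its dropped payload).
SAMPLE_PATH = (r"C:\Users\Admin\AppData\Local\Temp"
               r"\0cacb6d8652eb809524f40d3409098eeb13299c7e949f00b92ae0948b7b031f2.exe")
DROPPED_PATH = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

# Any value directly under a CurrentVersion\Run key (HKLM or HKCU, Wow6432Node or not).
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\[^\\]+$", re.I)
# Autostart target living in a user's %LOCALAPPDATA%\Temp.
USER_TEMP_RE = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.I)
# cmd /c ping <host> & del [/q] "<path>": ping only delays del until the parent
# has exited and its image file is no longer locked.
PING_DEL_RE = re.compile(r'\bping\b[^&]*&\s*del\b[^"]*"(?P<target>[^"]+)"', re.I)

# Constructed events (Sysmon EID 1 = process create, EID 13 = registry value set).
# The first five mirror the report; the last two are benign negative controls.
# The explorer.exe parent of the dropper is an assumption, not in the report.
EVENTS = [
    {"EventID": 1, "ProcessId": 1972, "Image": SAMPLE_PATH,
     "CommandLine": f'"{SAMPLE_PATH}"', "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 13, "ProcessId": 1972, "Image": SAMPLE_PATH,
     "TargetObject": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "Details": DROPPED_PATH},
    {"EventID": 1, "ProcessId": 1484, "Image": DROPPED_PATH,
     "CommandLine": DROPPED_PATH, "ParentImage": SAMPLE_PATH},
    {"EventID": 1, "ProcessId": 1212, "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE_PATH}"',
     "ParentImage": SAMPLE_PATH},
    {"EventID": 1, "ProcessId": 1968, "Image": r"C:\Windows\SysWOW64\PING.EXE",
     "CommandLine": "ping 127.0.0.1", "ParentImage": r"C:\Windows\SysWOW64\cmd.exe"},
    # Benign: installer registers a tray app under Program Files (constructed).
    {"EventID": 13, "ProcessId": 4000, "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorTray",
     "Details": r"C:\Program Files\Vendor\tray.exe"},
    # Benign: same ping-then-del idiom, but deleting a log, not the parent (constructed).
    {"EventID": 1, "ProcessId": 4100, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'cmd.exe /c ping 127.0.0.1 & del /q "C:\\Temp\\install.log"',
     "ParentImage": r"C:\Program Files\Vendor\setup.exe"},
]


def detect_temp_run_key(events):
    """Run-key values that autostart a binary from a user's Temp directory.

    Legitimate software registers Run entries under Program Files or
    ProgramData; an autostart into AppData\\Local\\Temp is the report's
    persistence IoC and is rare outside malware.
    """
    hits = []
    for ev in events:
        if ev.get("EventID") != 13 or not RUN_KEY_RE.search(ev.get("TargetObject", "")):
            continue
        value = ev.get("Details", "").strip('"')
        if USER_TEMP_RE.match(value):
            hits.append({"pid": ev["ProcessId"], "key": ev["TargetObject"], "value": value})
    return hits


def detect_self_delete(events):
    """cmd.exe told to ping (as a delay) and then delete its own parent's image.

    Requiring the del target to equal ParentImage separates the report's
    'Deletes itself' behaviour from ordinary cleanup scripts.
    """
    hits = []
    for ev in events:
        if ev.get("EventID") != 1 or not ev.get("Image", "").lower().endswith("\\cmd.exe"):
            continue
        m = PING_DEL_RE.search(ev.get("CommandLine", ""))
        if m and m.group("target").lower() == ev.get("ParentImage", "").lower():
            hits.append({"pid": ev["ProcessId"], "parent": ev["ParentImage"],
                         "deleted": m.group("target")})
    return hits


def triage(events):
    """Run both detections and return their findings together."""
    return {"temp_run_keys": detect_temp_run_key(events),
            "self_deletes": detect_self_delete(events)}


if __name__ == "__main__":
    print(json.dumps(triage(EVENTS), indent=2))
```

Against the constructed events only the two report-derived behaviours fire: the Run key written by PID 1972 pointing at MediaCenter.exe, and cmd.exe PID 1212 deleting its parent's executable. The Program Files autostart and the log-file cleanup are ignored, which is the behaviour a hunt query needs before it is run fleet-wide.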
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 2960e2d7cc97713cffd09972b40038fe
  SHA1: fefa26d3a3a941ff8e9ec2acc57b6e7c8fae5ea7
  SHA256: f1f55bb0ea861cf37ced0fc082219a8b7f7d7113beca4e68936edba55e123209
  SHA512: b04cd6527ef11c3ef9cd775323cd30824bd9c3a5a7e21aef59b9788996852f55fa565ca9744b4b6e2e74cc7ba01baf9636509ea61adf61112b107382f04e1efe