Analysis
max time kernel: 119s
max time network: 132s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 07:46
Static task: static1
Behavioral task: behavioral1
  Sample: 0cac94b343009d43b2d01b991e7e3ffe27094507d90880caed05610fb18f5568.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0cac94b343009d43b2d01b991e7e3ffe27094507d90880caed05610fb18f5568.exe
  Resource: win10v2004-en-20220113
General
Target: 0cac94b343009d43b2d01b991e7e3ffe27094507d90880caed05610fb18f5568.exe
Size: 101KB
MD5: 7d288a2605aea21b43120f84db4ae904
SHA1: 7bac17f5729ff2f579a46cf68a2050586f61bf81
SHA256: 0cac94b343009d43b2d01b991e7e3ffe27094507d90880caed05610fb18f5568
SHA512: ac680fd9a51429ec997ae546fcab9ccaa075de8f902914164f0288a0afcd4c8c517ab0a41624ac253f4e496338dc2a1d7d44c1f21c2900300b47170f91ce771e
Malware Config
Signatures
- Sakula Payload, 3 IoCs
  resource                                                        yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe      family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe    family_sakula
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe      family_sakula
- Executes dropped EXE, 1 IoC
  pid   process
  948   MediaCenter.exe
- Deletes itself, 1 IoC
  pid   process
  728   cmd.exe
- Loads dropped DLL, 2 IoCs
  pid   process
  812   0cac94b343009d43b2d01b991e7e3ffe27094507d90880caed05610fb18f5568.exe
  812   0cac94b343009d43b2d01b991e7e3ffe27094507d90880caed05610fb18f5568.exe
- Adds Run key to start application, 2 TTPs, 1 IoC
  Set value (str) by 0cac94b343009d43b2d01b991e7e3ffe27094507d90880caed05610fb18f5568.exe:
  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
- Enumerates physical storage devices, 1 TTPs
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature labels it likely ransomware behaviour; nothing else in this report (no file encryption, no ransom note, no mass file writes) supports that reading, and the dropped payload is classified as Sakula by the YARA match above.
- Runs ping.exe, 1 TTPs, 1 IoC
- Suspicious use of AdjustPrivilegeToken, 1 IoC
  token                        pid   process
  SeIncBasePriorityPrivilege   812   0cac94b343009d43b2d01b991e7e3ffe27094507d90880caed05610fb18f5568.exe
- Suspicious use of WriteProcessMemory, 12 IoCs (identical entries collapsed, count in last column)
  pid   process                                                                  target pid   target process    count
  812   0cac94b343009d43b2d01b991e7e3ffe27094507d90880caed05610fb18f5568.exe    948          MediaCenter.exe   4
  812   0cac94b343009d43b2d01b991e7e3ffe27094507d90880caed05610fb18f5568.exe    728          cmd.exe           4
  728   cmd.exe                                                                  736          PING.EXE          4
Processes
- C:\Users\Admin\AppData\Local\Temp\0cac94b343009d43b2d01b991e7e3ffe27094507d90880caed05610fb18f5568.exe  (PID 812)
  command line: "C:\Users\Admin\AppData\Local\Temp\0cac94b343009d43b2d01b991e7e3ffe27094507d90880caed05610fb18f5568.exe"
  Loads dropped DLL; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  (PID 948)
    command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe  (PID 728)
    command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0cac94b343009d43b2d01b991e7e3ffe27094507d90880caed05610fb18f5568.exe"
    Deletes itself; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE  (PID 736)
      command line: ping 127.0.0.1
      Runs ping.exe

The cmd.exe child is the dropper's clean-up step: the ping against 127.0.0.1 does no network work and only buys a few seconds so that the dropper (PID 812) has exited and released its file before del /q removes it, leaving MediaCenter.exe under %TEMP%\MicroMedia as the persisted payload. The SysWOW64 image paths for command lines that name System32 are WoW64 file-system redirection: the sample runs as a 32-bit process on the x64 guest, which is also why its Run key landed under Wow6432Node.
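The two behaviours that make this sample detectable on a host, the loopback-ping self-delete in the cmd.exe child and the Run key pointing into %TEMP%, can be expressed as simple rules over process-creation and registry-set events. The following is an added example, not sandbox output or Sakula code: the event records are constructed to mirror the process tree and registry IoC above (plus two benign controls), the field names loosely follow Sysmon events 1 and 13 and are assumptions, and explorer.exe as the dropper's parent is likewise assumed, since the report does not show it.

```python
"""Detection logic for the two host-level behaviours this report exposes: a
dropper spawning cmd.exe to ping loopback and then delete the dropper's own
file, and a Run-key value that launches a binary from a Temp directory.
Added example, not sandbox output. EVENTS is constructed to mirror the report's
process tree and registry IoC plus two benign controls; the field names loosely
follow Sysmon events 1 and 13 and are assumed, as is explorer.exe as the
dropper's parent, which the report does not show."""
import re

# ping to loopback (optionally "-n <count>") chained with & or && into del or
# erase, capturing the deletion target (quoted or bare).
SELF_DELETE_RE = re.compile(
    r"\bping(?:\.exe)?\s+(?:-n\s+\d+\s+)?(?:127\.0\.0\.1|localhost|::1)\b"
    r".*?&&?\s*(?:del|erase)\b(?:\s+/\w+)*\s+(?P<target>\"[^\"]+\"|\S+)",
    re.IGNORECASE,
)
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.IGNORECASE)
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\|\\Windows\\Temp\\", re.IGNORECASE)

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\0cac94b343009d43b2d01b991e7e3ffe27094507d90880caed05610fb18f5568.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

EVENTS = [  # constructed records, see module docstring
    {"type": "process", "pid": 812, "image": SAMPLE, "cmdline": f'"{SAMPLE}"',
     "parent_image": r"C:\Windows\explorer.exe"},  # parent is assumed
    {"type": "registry", "pid": 812, "data": f'"{DROPPED}"',
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia"},
    {"type": "process", "pid": 948, "image": DROPPED, "cmdline": DROPPED, "parent_image": SAMPLE},
    {"type": "process", "pid": 728, "image": r"C:\Windows\SysWOW64\cmd.exe", "parent_image": SAMPLE,
     "cmdline": f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"'},
    {"type": "process", "pid": 736, "image": r"C:\Windows\SysWOW64\PING.EXE",
     "cmdline": "ping 127.0.0.1", "parent_image": r"C:\Windows\SysWOW64\cmd.exe"},
    # Benign control: a cleanup script pings, then deletes a log, not its parent's image.
    {"type": "process", "pid": 2000, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'cmd.exe /c ping -n 3 127.0.0.1 & del /q "C:\\Logs\\old.log"'},
    # Benign control: a Run value pointing at an installed program.
    {"type": "registry", "pid": 2001, "data": r'"C:\Program Files\Vendor\updater.exe" --quiet',
     "key": r"\REGISTRY\USER\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
]


def _norm_path(p):
    """Unquote, collapse the doubled backslashes the sandbox prints in registry
    strings, and lower-case, so paths from different sources compare equal."""
    return p.strip().strip('"').replace("\\\\", "\\").lower()


def _exe_from_command(data):
    """First token of a command string: the quoted path if it opens with a
    quote, otherwise everything up to the first space."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split(" ", 1)[0]


def is_ping_delay_self_delete(cmdline, parent_image):
    """True when cmdline pings loopback and then deletes the parent's own image,
    i.e. the parent is using cmd.exe to remove itself after it has exited."""
    m = SELF_DELETE_RE.search(cmdline)
    return bool(m) and _norm_path(m.group("target")) == _norm_path(parent_image)


def is_temp_run_key(key, data):
    """True when a Run/RunOnce value launches an executable from a Temp directory."""
    if not RUN_KEY_RE.search(key):
        return False
    return bool(TEMP_DIR_RE.search(_norm_path(_exe_from_command(data))))


def detect(events):
    """Run both rules over a list of event records; return findings in event order."""
    findings = []
    for ev in events:
        if ev["type"] == "process" and is_ping_delay_self_delete(ev["cmdline"], ev["parent_image"]):
            findings.append({"rule": "ping_delay_self_delete", "pid": ev["pid"], "detail": ev["parent_image"]})
        elif ev["type"] == "registry" and is_temp_run_key(ev["key"], ev["data"]):
            findings.append({"rule": "run_key_in_temp", "pid": ev["pid"], "detail": ev["data"]})
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f"{f['rule']}: pid {f['pid']} -> {f['detail']}")
```

The self-delete rule deliberately keys on the deletion target matching the parent image rather than on `ping & del` alone: the same idiom appears in legitimate batch scripts, and requiring the target to be the parent's own executable is what separates the dropper's clean-up from an administrator deleting a log file. The Run-key rule normalises the sandbox's escaped string form (doubled backslashes, surrounding quotes) before matching, so it works on both the report's rendering and the raw value from the registry.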
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: bd17262f6798656a5d0f57e72b3ad992
  SHA1: c74ee9e9eb9f4c24186934605c464548f4cc0619
  SHA256: 4c05a8686277bf8831800272818e960d5ba906f8549af58e081e514d3ceb8cb2
  SHA512: 15b5352d9825c43dfe483e9e800e0978332be5cf95058bf7096a12dc563e8adf7f3ee70333e839f41dfcb6edf62298421afbafdd0782c66f9a0847f0126bf1e4