Analysis
- max time kernel: 148s
- max time network: 161s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 07:45
Static task: static1
Behavioral task: behavioral1
  Sample: 0cb3676380100089abda1e6a1b223dc2ec1c37aeabb80fe487063b2cee5b2eec.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0cb3676380100089abda1e6a1b223dc2ec1c37aeabb80fe487063b2cee5b2eec.exe
  Resource: win10v2004-en-20220112
General
- Target: 0cb3676380100089abda1e6a1b223dc2ec1c37aeabb80fe487063b2cee5b2eec.exe
- Size: 216KB
- MD5: 0c0c2cd9eaecd58cb47b98ca9a47d158
- SHA1: 211a2d6610e0052d39d6a2e3f4ae942bd59ce272
- SHA256: 0cb3676380100089abda1e6a1b223dc2ec1c37aeabb80fe487063b2cee5b2eec
- SHA512: ab809fc3c58e030505204d7e7d11a7e20945a335ac9fac79e232b34dd90490018cbc0d1626574ef454c18f6e4e8d27ead8fb58b9fd928d5d4ecf75af80fa81c0
Malware Config
Signatures
- Sakula Payload (4 IoCs)
  Processes (resource / yara_rule):
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe / family_sakula
    \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe / family_sakula
    behavioral1/memory/960-58-0x0000000000400000-0x0000000000420000-memory.dmp / family_sakula
    behavioral1/memory/1612-59-0x0000000000400000-0x0000000000420000-memory.dmp / family_sakula
- Executes dropped EXE (1 IoC)
  Processes (pid / process):
    1612 / MediaCenter.exe
- Deletes itself (1 IoC)
  Processes (pid / process):
    1912 / cmd.exe
- Loads dropped DLL (1 IoC)
  Processes (pid / process):
    960 / 0cb3676380100089abda1e6a1b223dc2ec1c37aeabb80fe487063b2cee5b2eec.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description / ioc / process):
    Set value (str) / \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" / 0cb3676380100089abda1e6a1b223dc2ec1c37aeabb80fe487063b2cee5b2eec.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description / pid / process):
    Token: SeIncBasePriorityPrivilege / 960 / 0cb3676380100089abda1e6a1b223dc2ec1c37aeabb80fe487063b2cee5b2eec.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description / pid / process / target process):
    PID 960 wrote to memory of 1612 / 960 / 0cb3676380100089abda1e6a1b223dc2ec1c37aeabb80fe487063b2cee5b2eec.exe / MediaCenter.exe
    PID 960 wrote to memory of 1612 / 960 / 0cb3676380100089abda1e6a1b223dc2ec1c37aeabb80fe487063b2cee5b2eec.exe / MediaCenter.exe
    PID 960 wrote to memory of 1612 / 960 / 0cb3676380100089abda1e6a1b223dc2ec1c37aeabb80fe487063b2cee5b2eec.exe / MediaCenter.exe
    PID 960 wrote to memory of 1612 / 960 / 0cb3676380100089abda1e6a1b223dc2ec1c37aeabb80fe487063b2cee5b2eec.exe / MediaCenter.exe
    PID 960 wrote to memory of 1912 / 960 / 0cb3676380100089abda1e6a1b223dc2ec1c37aeabb80fe487063b2cee5b2eec.exe / cmd.exe
    PID 960 wrote to memory of 1912 / 960 / 0cb3676380100089abda1e6a1b223dc2ec1c37aeabb80fe487063b2cee5b2eec.exe / cmd.exe
    PID 960 wrote to memory of 1912 / 960 / 0cb3676380100089abda1e6a1b223dc2ec1c37aeabb80fe487063b2cee5b2eec.exe / cmd.exe
    PID 960 wrote to memory of 1912 / 960 / 0cb3676380100089abda1e6a1b223dc2ec1c37aeabb80fe487063b2cee5b2eec.exe / cmd.exe
    PID 1912 wrote to memory of 396 / 1912 / cmd.exe / PING.EXE
    PID 1912 wrote to memory of 396 / 1912 / cmd.exe / PING.EXE
    PID 1912 wrote to memory of 396 / 1912 / cmd.exe / PING.EXE
    PID 1912 wrote to memory of 396 / 1912 / cmd.exe / PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\0cb3676380100089abda1e6a1b223dc2ec1c37aeabb80fe487063b2cee5b2eec.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0cb3676380100089abda1e6a1b223dc2ec1c37aeabb80fe487063b2cee5b2eec.exe"
  PID: 960
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (level 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 1612
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (level 2)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0cb3676380100089abda1e6a1b223dc2ec1c37aeabb80fe487063b2cee5b2eec.exe"
    PID: 1912
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (level 3)
      Command line: ping 127.0.0.1
      PID: 396
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: fb6dbd665f16ab62d938a53f6b36a05d
  SHA1: fb202050cd46a81df2690fbb5da9047292497f01
  SHA256: 9d21e72ba072dbb14c6069ec1cf6d19cf9e1ac9d691a3987b8b51ebb858f996e
  SHA512: eaf06f2fe32b05ed0e45b5303b20d6a72b3ab7f8430aa24d3bdbfbcb35fc2b0de80ddd6b76706f1b39c43211fa4df6f7defbf69b697326345cc1e3f79359d8e7