Analysis
- max time kernel: 135s
- max time network: 156s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 07:53
Static task: static1
Behavioral task: behavioral1
  Sample: 0c6912995f6fdbd78fb7ad70a3c642c195e4391f75295e32e1fc0916b4e7fc44.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0c6912995f6fdbd78fb7ad70a3c642c195e4391f75295e32e1fc0916b4e7fc44.exe
  Resource: win10v2004-en-20220112
General
- Target: 0c6912995f6fdbd78fb7ad70a3c642c195e4391f75295e32e1fc0916b4e7fc44.exe
- Size: 92KB
- MD5: cb6e65e37366e138f8b5087cb756eaa6
- SHA1: 4544ba23005f87c87579bee692ba0432386b1465
- SHA256: 0c6912995f6fdbd78fb7ad70a3c642c195e4391f75295e32e1fc0916b4e7fc44
- SHA512: 08045a87c996948885d0684233fdc4834dcf3ac43da8f9aeddf2d2eb5b729a07893646663d5e3b3a206a3852dd06cf9bb8b16a775f41030441c483a15775554a
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  Processes:
    resource: \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  yara_rule: family_sakula
    resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  yara_rule: family_sakula
- Executes dropped EXE (1 IoCs)
  Processes:
    pid: 1664  process: MediaCenter.exe
- Deletes itself (1 IoCs)
  Processes:
    pid: 1644  process: cmd.exe
- Loads dropped DLL (1 IoCs)
  Processes:
    pid: 1588  process: 0c6912995f6fdbd78fb7ad70a3c642c195e4391f75295e32e1fc0916b4e7fc44.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
    description: Set value (str)  ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  process: 0c6912995f6fdbd78fb7ad70a3c642c195e4391f75295e32e1fc0916b4e7fc44.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
    description: Token: SeIncBasePriorityPrivilege  pid: 1588  process: 0c6912995f6fdbd78fb7ad70a3c642c195e4391f75295e32e1fc0916b4e7fc44.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
    description: PID 1588 wrote to memory of 1664  pid: 1588  process: 0c6912995f6fdbd78fb7ad70a3c642c195e4391f75295e32e1fc0916b4e7fc44.exe  target process: MediaCenter.exe
    description: PID 1588 wrote to memory of 1664  pid: 1588  process: 0c6912995f6fdbd78fb7ad70a3c642c195e4391f75295e32e1fc0916b4e7fc44.exe  target process: MediaCenter.exe
    description: PID 1588 wrote to memory of 1664  pid: 1588  process: 0c6912995f6fdbd78fb7ad70a3c642c195e4391f75295e32e1fc0916b4e7fc44.exe  target process: MediaCenter.exe
    description: PID 1588 wrote to memory of 1664  pid: 1588  process: 0c6912995f6fdbd78fb7ad70a3c642c195e4391f75295e32e1fc0916b4e7fc44.exe  target process: MediaCenter.exe
    description: PID 1588 wrote to memory of 1644  pid: 1588  process: 0c6912995f6fdbd78fb7ad70a3c642c195e4391f75295e32e1fc0916b4e7fc44.exe  target process: cmd.exe
    description: PID 1588 wrote to memory of 1644  pid: 1588  process: 0c6912995f6fdbd78fb7ad70a3c642c195e4391f75295e32e1fc0916b4e7fc44.exe  target process: cmd.exe
    description: PID 1588 wrote to memory of 1644  pid: 1588  process: 0c6912995f6fdbd78fb7ad70a3c642c195e4391f75295e32e1fc0916b4e7fc44.exe  target process: cmd.exe
    description: PID 1588 wrote to memory of 1644  pid: 1588  process: 0c6912995f6fdbd78fb7ad70a3c642c195e4391f75295e32e1fc0916b4e7fc44.exe  target process: cmd.exe
    description: PID 1644 wrote to memory of 1640  pid: 1644  process: cmd.exe  target process: PING.EXE
    description: PID 1644 wrote to memory of 1640  pid: 1644  process: cmd.exe  target process: PING.EXE
    description: PID 1644 wrote to memory of 1640  pid: 1644  process: cmd.exe  target process: PING.EXE
    description: PID 1644 wrote to memory of 1640  pid: 1644  process: cmd.exe  target process: PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\0c6912995f6fdbd78fb7ad70a3c642c195e4391f75295e32e1fc0916b4e7fc44.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0c6912995f6fdbd78fb7ad70a3c642c195e4391f75295e32e1fc0916b4e7fc44.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1588
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1664
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0c6912995f6fdbd78fb7ad70a3c642c195e4391f75295e32e1fc0916b4e7fc44.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1644
    - C:\Windows\SysWOW64\PING.EXE (depth 3)
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1640
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 8c6360db73279feabc79331f3abcffa6
  SHA1: b9fa36e2293ba7ecabd77f43450b9d790a319584
  SHA256: 555bb320f6224c6c378ca3975f44e06a2583ac58ad9addd3cba892a1cfd3d54c
  SHA512: 5d3b7e36f3b30a914b7f59effec73dc55572b8388a7e071c88b6a79f076745fc3c39c88812c37f7cf8adc01114f9e99ba1040c1459ce1fd13b8783187f00f89b