Analysis
max time kernel: 149s
max time network: 173s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 07:56

Static task: static1

Behavioral task: behavioral1
  Sample: 0c2d263df8526fa041d2d9dfe979df147a521726b333b27a32188068516f44bb.exe
  Resource: win7-en-20211208

Behavioral task: behavioral2
  Sample: 0c2d263df8526fa041d2d9dfe979df147a521726b333b27a32188068516f44bb.exe
  Resource: win10v2004-en-20220113
General
Target: 0c2d263df8526fa041d2d9dfe979df147a521726b333b27a32188068516f44bb.exe
Size: 100KB
MD5: 690289b153a25504d55928e686b98684
SHA1: dd6df5c74718ca527bf5edc99fd4a3792b59e3df
SHA256: 0c2d263df8526fa041d2d9dfe979df147a521726b333b27a32188068516f44bb
SHA512: 02e9f1a5f91020b390495e4c0cc6fdb67103ee5d018aee57765479112d150c2b2b1ec291f1989491c0bd664dba69966bdd33332243950180f1f4a30d40e0fa95
Malware Config

Signatures

Sakula Payload (3 IoCs)
  resource                                                      yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe    family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  family_sakula
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe    family_sakula

Executes dropped EXE (1 IoC)
  pid   process
  1548  MediaCenter.exe

Deletes itself (1 IoC)
  pid   process
  1796  cmd.exe

Loads dropped DLL (2 IoCs)
  pid   process
  1732  0c2d263df8526fa041d2d9dfe979df147a521726b333b27a32188068516f44bb.exe
  1732  0c2d263df8526fa041d2d9dfe979df147a521726b333b27a32188068516f44bb.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  description      ioc                                                                                                                                            process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  0c2d263df8526fa041d2d9dfe979df147a521726b333b27a32188068516f44bb.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTP, 1 IoC)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description                          pid   process
  Token: SeIncBasePriorityPrivilege    1732  0c2d263df8526fa041d2d9dfe979df147a521726b333b27a32188068516f44bb.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  description                       pid   process                                                                 target process
  PID 1732 wrote to memory of 1548  1732  0c2d263df8526fa041d2d9dfe979df147a521726b333b27a32188068516f44bb.exe  MediaCenter.exe
  PID 1732 wrote to memory of 1548  1732  0c2d263df8526fa041d2d9dfe979df147a521726b333b27a32188068516f44bb.exe  MediaCenter.exe
  PID 1732 wrote to memory of 1548  1732  0c2d263df8526fa041d2d9dfe979df147a521726b333b27a32188068516f44bb.exe  MediaCenter.exe
  PID 1732 wrote to memory of 1548  1732  0c2d263df8526fa041d2d9dfe979df147a521726b333b27a32188068516f44bb.exe  MediaCenter.exe
  PID 1732 wrote to memory of 1796  1732  0c2d263df8526fa041d2d9dfe979df147a521726b333b27a32188068516f44bb.exe  cmd.exe
  PID 1732 wrote to memory of 1796  1732  0c2d263df8526fa041d2d9dfe979df147a521726b333b27a32188068516f44bb.exe  cmd.exe
  PID 1732 wrote to memory of 1796  1732  0c2d263df8526fa041d2d9dfe979df147a521726b333b27a32188068516f44bb.exe  cmd.exe
  PID 1732 wrote to memory of 1796  1732  0c2d263df8526fa041d2d9dfe979df147a521726b333b27a32188068516f44bb.exe  cmd.exe
  PID 1796 wrote to memory of 1560  1796  cmd.exe                                                                 PING.EXE
  PID 1796 wrote to memory of 1560  1796  cmd.exe                                                                 PING.EXE
  PID 1796 wrote to memory of 1560  1796  cmd.exe                                                                 PING.EXE
  PID 1796 wrote to memory of 1560  1796  cmd.exe                                                                 PING.EXE
Processes

[1] C:\Users\Admin\AppData\Local\Temp\0c2d263df8526fa041d2d9dfe979df147a521726b333b27a32188068516f44bb.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\0c2d263df8526fa041d2d9dfe979df147a521726b333b27a32188068516f44bb.exe"
    PID: 1732
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
        PID: 1548
        - Executes dropped EXE

    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0c2d263df8526fa041d2d9dfe979df147a521726b333b27a32188068516f44bb.exe"
        PID: 1796
        - Deletes itself
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\PING.EXE
            Command line: ping 127.0.0.1
            PID: 1560
            - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: 8ae0fd9dd3bf853d43cf6f2ee9f06bcf
SHA1: 3a4b997f31fe9815aab925562477af489e9981a7
SHA256: 6e96bf4ca3e70af0d49248973192e2eabf1011ee80ce233ae6a16e2219f87a3c
SHA512: b9f80a39a30ef96d2a7df0a38afdbff31e45686fc6ab11d57f0e17c2d1af4545613bb5ecf29aafc96963fe1d475e275a555d71b9c14cd45bd83c6f665fb72af1