Analysis
- max time kernel: 151s
- max time network: 156s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 07:55
Static task: static1
Behavioral task: behavioral1
  Sample: 0c39dc630d8347bb75b0491c5ddbd0c4cd29a36939fd010f607bf28f6ab9b143.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0c39dc630d8347bb75b0491c5ddbd0c4cd29a36939fd010f607bf28f6ab9b143.exe
  Resource: win10v2004-en-20220113
General
- Target: 0c39dc630d8347bb75b0491c5ddbd0c4cd29a36939fd010f607bf28f6ab9b143.exe
- Size: 104KB
- MD5: dd5dacb591a48b6f79fbf7807bb47b2b
- SHA1: 186aafc52d9f9beb1caa7214283387cfe5776a09
- SHA256: 0c39dc630d8347bb75b0491c5ddbd0c4cd29a36939fd010f607bf28f6ab9b143
- SHA512: bb912e0c5eddaa871a07f24a2aa55cdf92b0ed3f805fecc8b038296da6c6fa7bc3f7c5c9f44cc91332f7240a20353ebc6af9b8015cfed1ba5344b2e2bc9c0565
Malware Config
Signatures
- Sakula Payload (4 IoCs)
  Processes:
  resource | yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  behavioral1/memory/1624-58-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
  behavioral1/memory/976-59-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
- Executes dropped EXE (1 IoCs)
  Processes:
  pid | process
  976 | MediaCenter.exe
- Deletes itself (1 IoCs)
  Processes:
  pid | process
  1460 | cmd.exe
- Loads dropped DLL (1 IoCs)
  Processes:
  pid | process
  1624 | 0c39dc630d8347bb75b0491c5ddbd0c4cd29a36939fd010f607bf28f6ab9b143.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 0c39dc630d8347bb75b0491c5ddbd0c4cd29a36939fd010f607bf28f6ab9b143.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 1624 | 0c39dc630d8347bb75b0491c5ddbd0c4cd29a36939fd010f607bf28f6ab9b143.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
  description | pid | process | target process
  PID 1624 wrote to memory of 976 | 1624 | 0c39dc630d8347bb75b0491c5ddbd0c4cd29a36939fd010f607bf28f6ab9b143.exe | MediaCenter.exe
  PID 1624 wrote to memory of 976 | 1624 | 0c39dc630d8347bb75b0491c5ddbd0c4cd29a36939fd010f607bf28f6ab9b143.exe | MediaCenter.exe
  PID 1624 wrote to memory of 976 | 1624 | 0c39dc630d8347bb75b0491c5ddbd0c4cd29a36939fd010f607bf28f6ab9b143.exe | MediaCenter.exe
  PID 1624 wrote to memory of 976 | 1624 | 0c39dc630d8347bb75b0491c5ddbd0c4cd29a36939fd010f607bf28f6ab9b143.exe | MediaCenter.exe
  PID 1624 wrote to memory of 1460 | 1624 | 0c39dc630d8347bb75b0491c5ddbd0c4cd29a36939fd010f607bf28f6ab9b143.exe | cmd.exe
  PID 1624 wrote to memory of 1460 | 1624 | 0c39dc630d8347bb75b0491c5ddbd0c4cd29a36939fd010f607bf28f6ab9b143.exe | cmd.exe
  PID 1624 wrote to memory of 1460 | 1624 | 0c39dc630d8347bb75b0491c5ddbd0c4cd29a36939fd010f607bf28f6ab9b143.exe | cmd.exe
  PID 1624 wrote to memory of 1460 | 1624 | 0c39dc630d8347bb75b0491c5ddbd0c4cd29a36939fd010f607bf28f6ab9b143.exe | cmd.exe
  PID 1460 wrote to memory of 1800 | 1460 | cmd.exe | PING.EXE
  PID 1460 wrote to memory of 1800 | 1460 | cmd.exe | PING.EXE
  PID 1460 wrote to memory of 1800 | 1460 | cmd.exe | PING.EXE
  PID 1460 wrote to memory of 1800 | 1460 | cmd.exe | PING.EXE
Processes
- Image: C:\Users\Admin\AppData\Local\Temp\0c39dc630d8347bb75b0491c5ddbd0c4cd29a36939fd010f607bf28f6ab9b143.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0c39dc630d8347bb75b0491c5ddbd0c4cd29a36939fd010f607bf28f6ab9b143.exe"
  PID: 1624
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Image: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 976
    - Executes dropped EXE
  - Image: C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0c39dc630d8347bb75b0491c5ddbd0c4cd29a36939fd010f607bf28f6ab9b143.exe"
    PID: 1460
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - Image: C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 1800
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 1ab9eaa9f5c2ed643b0bd2a017154062
  SHA1: 9635c1f395c148f7512953ef533405c5e6738069
  SHA256: cbcdd1ed6bf30cd9dc43c22941b357b2346b4e366da8556c160cdb24526e6214
  SHA512: ff32a988c8f83dcdef00f51dbb11236b14b84a86ca58b3633f4034029779b0487ba4dc43571652e97ccf168b4494ee85840f7f3cd09dda5756b67e2e870d9ee0