Analysis
- max time kernel: 148s
- max time network: 160s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 07:58
Static task: static1
Behavioral task: behavioral1
- Sample: 0c13536de3e09476fc94ae594eed084eaabc6d93170674a8618ed69633693e46.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 0c13536de3e09476fc94ae594eed084eaabc6d93170674a8618ed69633693e46.exe
- Resource: win10v2004-en-20220113
General
- Target: 0c13536de3e09476fc94ae594eed084eaabc6d93170674a8618ed69633693e46.exe
- Size: 92KB
- MD5: 3a608fc1eeb495c33e634e4d4e9ec9ca
- SHA1: f63f6dae0e77fcadaae501b5c7aba12537324ee5
- SHA256: 0c13536de3e09476fc94ae594eed084eaabc6d93170674a8618ed69633693e46
- SHA512: ab653eb37a9bdc4292c40c29f3742bb310caa6b1f1692cdfc330bb64fdf26342bccb738bc0031ce0cfa3d6149e68bcdb80321a4bfb5508de1a0c43e2868a819c
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  Processes (resource, yara_rule):
    \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  family_sakula
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  family_sakula
- Executes dropped EXE (1 IoC)
  Processes (pid, process):
    1428  MediaCenter.exe
- Deletes itself (1 IoC)
  Processes (pid, process):
    1560  cmd.exe
- Loads dropped DLL (1 IoC)
  Processes (pid, process):
    1620  0c13536de3e09476fc94ae594eed084eaabc6d93170674a8618ed69633693e46.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description, ioc, process):
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  0c13536de3e09476fc94ae594eed084eaabc6d93170674a8618ed69633693e46.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description, pid, process):
    Token: SeIncBasePriorityPrivilege  1620  0c13536de3e09476fc94ae594eed084eaabc6d93170674a8618ed69633693e46.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description, pid, process, target process):
    PID 1620 wrote to memory of 1428  1620  0c13536de3e09476fc94ae594eed084eaabc6d93170674a8618ed69633693e46.exe  MediaCenter.exe
    PID 1620 wrote to memory of 1428  1620  0c13536de3e09476fc94ae594eed084eaabc6d93170674a8618ed69633693e46.exe  MediaCenter.exe
    PID 1620 wrote to memory of 1428  1620  0c13536de3e09476fc94ae594eed084eaabc6d93170674a8618ed69633693e46.exe  MediaCenter.exe
    PID 1620 wrote to memory of 1428  1620  0c13536de3e09476fc94ae594eed084eaabc6d93170674a8618ed69633693e46.exe  MediaCenter.exe
    PID 1620 wrote to memory of 1560  1620  0c13536de3e09476fc94ae594eed084eaabc6d93170674a8618ed69633693e46.exe  cmd.exe
    PID 1620 wrote to memory of 1560  1620  0c13536de3e09476fc94ae594eed084eaabc6d93170674a8618ed69633693e46.exe  cmd.exe
    PID 1620 wrote to memory of 1560  1620  0c13536de3e09476fc94ae594eed084eaabc6d93170674a8618ed69633693e46.exe  cmd.exe
    PID 1620 wrote to memory of 1560  1620  0c13536de3e09476fc94ae594eed084eaabc6d93170674a8618ed69633693e46.exe  cmd.exe
    PID 1560 wrote to memory of 892  1560  cmd.exe  PING.EXE
    PID 1560 wrote to memory of 892  1560  cmd.exe  PING.EXE
    PID 1560 wrote to memory of 892  1560  cmd.exe  PING.EXE
    PID 1560 wrote to memory of 892  1560  cmd.exe  PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\0c13536de3e09476fc94ae594eed084eaabc6d93170674a8618ed69633693e46.exe (depth 1, PID 1620)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0c13536de3e09476fc94ae594eed084eaabc6d93170674a8618ed69633693e46.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (depth 2, PID 1428)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (depth 2, PID 1560)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0c13536de3e09476fc94ae594eed084eaabc6d93170674a8618ed69633693e46.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (depth 3, PID 892)
      Command line: ping 127.0.0.1
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: c0ff23dafa01213f17b250b04c732480
- SHA1: ed384268baad53532b5d880c0bc3cd388196f6f6
- SHA256: 5e10a3c25797f3a401a911e949cdfdbf4c15316ea38bc93ec83b1998dec6d326
- SHA512: bba4f36e64e8bd16d02e7097f275682da7ca0417e740a9919034f032be67e2776c0acf5d3523f9004c6273634958cd321bf8caafa9ff32ebf7a6ee8ffff2b6fe