Analysis
-
max time kernel
149s -
max time network
179s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
12-02-2022 08:00
Static task
static1
Behavioral task
behavioral1
Sample
0c00e6751b674fd87b4795f287a1d3a426efb848c34d46112661b1a04e899a5a.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
0c00e6751b674fd87b4795f287a1d3a426efb848c34d46112661b1a04e899a5a.exe
Resource
win10v2004-en-20220112
General
-
Target
0c00e6751b674fd87b4795f287a1d3a426efb848c34d46112661b1a04e899a5a.exe
-
Size
192KB
-
MD5
cd9ade9e3b0a2a7548840f32740f1db3
-
SHA1
74f1caddda2712f57783ba20f6f883780922225c
-
SHA256
0c00e6751b674fd87b4795f287a1d3a426efb848c34d46112661b1a04e899a5a
-
SHA512
ae323bf64536605ce4ff0b50d096b7c492640e202832757fa1d029551e496a3b03e484e26c611fd3ca1d69008166846621a5abda47de9615db71502281628fe4
Malware Config
Signatures
-
Sakula Payload 3 IoCs
Processes:
resource yara_rule \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula -
Executes dropped EXE 1 IoCs
Processes:
MediaCenter.exepid process 1600 MediaCenter.exe -
Deletes itself 1 IoCs
Processes:
cmd.exepid process 944 cmd.exe -
Loads dropped DLL 2 IoCs
Processes:
0c00e6751b674fd87b4795f287a1d3a426efb848c34d46112661b1a04e899a5a.exepid process 1672 0c00e6751b674fd87b4795f287a1d3a426efb848c34d46112661b1a04e899a5a.exe 1672 0c00e6751b674fd87b4795f287a1d3a426efb848c34d46112661b1a04e899a5a.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
0c00e6751b674fd87b4795f287a1d3a426efb848c34d46112661b1a04e899a5a.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" 0c00e6751b674fd87b4795f287a1d3a426efb848c34d46112661b1a04e899a5a.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
0c00e6751b674fd87b4795f287a1d3a426efb848c34d46112661b1a04e899a5a.exedescription pid process Token: SeIncBasePriorityPrivilege 1672 0c00e6751b674fd87b4795f287a1d3a426efb848c34d46112661b1a04e899a5a.exe -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
0c00e6751b674fd87b4795f287a1d3a426efb848c34d46112661b1a04e899a5a.execmd.exedescription pid process target process PID 1672 wrote to memory of 1600 1672 0c00e6751b674fd87b4795f287a1d3a426efb848c34d46112661b1a04e899a5a.exe MediaCenter.exe PID 1672 wrote to memory of 1600 1672 0c00e6751b674fd87b4795f287a1d3a426efb848c34d46112661b1a04e899a5a.exe MediaCenter.exe PID 1672 wrote to memory of 1600 1672 0c00e6751b674fd87b4795f287a1d3a426efb848c34d46112661b1a04e899a5a.exe MediaCenter.exe PID 1672 wrote to memory of 1600 1672 0c00e6751b674fd87b4795f287a1d3a426efb848c34d46112661b1a04e899a5a.exe MediaCenter.exe PID 1672 wrote to memory of 944 1672 0c00e6751b674fd87b4795f287a1d3a426efb848c34d46112661b1a04e899a5a.exe cmd.exe PID 1672 wrote to memory of 944 1672 0c00e6751b674fd87b4795f287a1d3a426efb848c34d46112661b1a04e899a5a.exe cmd.exe PID 1672 wrote to memory of 944 1672 0c00e6751b674fd87b4795f287a1d3a426efb848c34d46112661b1a04e899a5a.exe cmd.exe PID 1672 wrote to memory of 944 1672 0c00e6751b674fd87b4795f287a1d3a426efb848c34d46112661b1a04e899a5a.exe cmd.exe PID 944 wrote to memory of 948 944 cmd.exe PING.EXE PID 944 wrote to memory of 948 944 cmd.exe PING.EXE PID 944 wrote to memory of 948 944 cmd.exe PING.EXE PID 944 wrote to memory of 948 944 cmd.exe PING.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\0c00e6751b674fd87b4795f287a1d3a426efb848c34d46112661b1a04e899a5a.exe"C:\Users\Admin\AppData\Local\Temp\0c00e6751b674fd87b4795f287a1d3a426efb848c34d46112661b1a04e899a5a.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1672 -
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeC:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe2⤵
- Executes dropped EXE
PID:1600 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0c00e6751b674fd87b4795f287a1d3a426efb848c34d46112661b1a04e899a5a.exe"2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:944 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.13⤵
- Runs ping.exe
PID:948
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
43e53718a33beda4e7bd20b28f54642d
SHA1f095051a89b46e598862cf4d35edf73da88bb3e1
SHA256ccc653fd3a2935b354d7d0b745eec186f6e4f73f970e9b25d94d8627fa1c3fda
SHA512195cf6bc6c5b2555e2765c8daff240e2f4473a9fb3178c9cd0c73ffd95604069cd6194fc99550ea9e19975cffc05bc60e3369886e1d3083feaddc7930e5ed2c4
-
MD5
43e53718a33beda4e7bd20b28f54642d
SHA1f095051a89b46e598862cf4d35edf73da88bb3e1
SHA256ccc653fd3a2935b354d7d0b745eec186f6e4f73f970e9b25d94d8627fa1c3fda
SHA512195cf6bc6c5b2555e2765c8daff240e2f4473a9fb3178c9cd0c73ffd95604069cd6194fc99550ea9e19975cffc05bc60e3369886e1d3083feaddc7930e5ed2c4
-
MD5
43e53718a33beda4e7bd20b28f54642d
SHA1f095051a89b46e598862cf4d35edf73da88bb3e1
SHA256ccc653fd3a2935b354d7d0b745eec186f6e4f73f970e9b25d94d8627fa1c3fda
SHA512195cf6bc6c5b2555e2765c8daff240e2f4473a9fb3178c9cd0c73ffd95604069cd6194fc99550ea9e19975cffc05bc60e3369886e1d3083feaddc7930e5ed2c4