Analysis
-
max time kernel
131s -
max time network
159s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
12-02-2022 08:01
Static task
static1
Behavioral task
behavioral1
Sample
0bee9170f15bb0f118830f6d0b5642930b9f7fbc9f1b4e6c1ff93c7bb8c5f214.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
0bee9170f15bb0f118830f6d0b5642930b9f7fbc9f1b4e6c1ff93c7bb8c5f214.exe
Resource
win10v2004-en-20220113
General
-
Target
0bee9170f15bb0f118830f6d0b5642930b9f7fbc9f1b4e6c1ff93c7bb8c5f214.exe
-
Size
101KB
-
MD5
69e7007a24f895182a1584d3e6e5907e
-
SHA1
be6665432dfb80746075b6b6830cbe5183c6ca85
-
SHA256
0bee9170f15bb0f118830f6d0b5642930b9f7fbc9f1b4e6c1ff93c7bb8c5f214
-
SHA512
80a56364d2a42a61ae39cecc88cab3882ea45a33f63acbcf541673ae21f2b2359c65e706f7a51570d2a64e84756eac3d44167fdf4151eeae96ffcb0be95aaa7a
Malware Config
Signatures
-
Sakula Payload 3 IoCs
Processes:
resource yara_rule \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula -
Executes dropped EXE 1 IoCs
Processes:
MediaCenter.exepid process 1620 MediaCenter.exe -
Deletes itself 1 IoCs
Processes:
cmd.exepid process 1940 cmd.exe -
Loads dropped DLL 2 IoCs
Processes:
0bee9170f15bb0f118830f6d0b5642930b9f7fbc9f1b4e6c1ff93c7bb8c5f214.exepid process 964 0bee9170f15bb0f118830f6d0b5642930b9f7fbc9f1b4e6c1ff93c7bb8c5f214.exe 964 0bee9170f15bb0f118830f6d0b5642930b9f7fbc9f1b4e6c1ff93c7bb8c5f214.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
0bee9170f15bb0f118830f6d0b5642930b9f7fbc9f1b4e6c1ff93c7bb8c5f214.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" 0bee9170f15bb0f118830f6d0b5642930b9f7fbc9f1b4e6c1ff93c7bb8c5f214.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
0bee9170f15bb0f118830f6d0b5642930b9f7fbc9f1b4e6c1ff93c7bb8c5f214.exedescription pid process Token: SeIncBasePriorityPrivilege 964 0bee9170f15bb0f118830f6d0b5642930b9f7fbc9f1b4e6c1ff93c7bb8c5f214.exe -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
0bee9170f15bb0f118830f6d0b5642930b9f7fbc9f1b4e6c1ff93c7bb8c5f214.execmd.exedescription pid process target process PID 964 wrote to memory of 1620 964 0bee9170f15bb0f118830f6d0b5642930b9f7fbc9f1b4e6c1ff93c7bb8c5f214.exe MediaCenter.exe PID 964 wrote to memory of 1620 964 0bee9170f15bb0f118830f6d0b5642930b9f7fbc9f1b4e6c1ff93c7bb8c5f214.exe MediaCenter.exe PID 964 wrote to memory of 1620 964 0bee9170f15bb0f118830f6d0b5642930b9f7fbc9f1b4e6c1ff93c7bb8c5f214.exe MediaCenter.exe PID 964 wrote to memory of 1620 964 0bee9170f15bb0f118830f6d0b5642930b9f7fbc9f1b4e6c1ff93c7bb8c5f214.exe MediaCenter.exe PID 964 wrote to memory of 1940 964 0bee9170f15bb0f118830f6d0b5642930b9f7fbc9f1b4e6c1ff93c7bb8c5f214.exe cmd.exe PID 964 wrote to memory of 1940 964 0bee9170f15bb0f118830f6d0b5642930b9f7fbc9f1b4e6c1ff93c7bb8c5f214.exe cmd.exe PID 964 wrote to memory of 1940 964 0bee9170f15bb0f118830f6d0b5642930b9f7fbc9f1b4e6c1ff93c7bb8c5f214.exe cmd.exe PID 964 wrote to memory of 1940 964 0bee9170f15bb0f118830f6d0b5642930b9f7fbc9f1b4e6c1ff93c7bb8c5f214.exe cmd.exe PID 1940 wrote to memory of 1924 1940 cmd.exe PING.EXE PID 1940 wrote to memory of 1924 1940 cmd.exe PING.EXE PID 1940 wrote to memory of 1924 1940 cmd.exe PING.EXE PID 1940 wrote to memory of 1924 1940 cmd.exe PING.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\0bee9170f15bb0f118830f6d0b5642930b9f7fbc9f1b4e6c1ff93c7bb8c5f214.exe"C:\Users\Admin\AppData\Local\Temp\0bee9170f15bb0f118830f6d0b5642930b9f7fbc9f1b4e6c1ff93c7bb8c5f214.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:964 -
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeC:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe2⤵
- Executes dropped EXE
PID:1620 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0bee9170f15bb0f118830f6d0b5642930b9f7fbc9f1b4e6c1ff93c7bb8c5f214.exe"2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1940 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.13⤵
- Runs ping.exe
PID:1924
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
504a77f435834563b471b27e738b8aef
SHA1dcb5d4bdb09a3ea06bd96852d8b2d0c7c4a11e00
SHA2561142f156c04905e1fdb151f10a32450ff0986b2a71edf66e4b0c5f4b91991fe5
SHA51200b6f5e9171561810619d0df125bf9f9f0385d344561202d6c9a797795757a57934950def3c8d247f71529a0beffd4a86157e1588d1a7f8c6b4b19cda05e678c
-
MD5
504a77f435834563b471b27e738b8aef
SHA1dcb5d4bdb09a3ea06bd96852d8b2d0c7c4a11e00
SHA2561142f156c04905e1fdb151f10a32450ff0986b2a71edf66e4b0c5f4b91991fe5
SHA51200b6f5e9171561810619d0df125bf9f9f0385d344561202d6c9a797795757a57934950def3c8d247f71529a0beffd4a86157e1588d1a7f8c6b4b19cda05e678c
-
MD5
504a77f435834563b471b27e738b8aef
SHA1dcb5d4bdb09a3ea06bd96852d8b2d0c7c4a11e00
SHA2561142f156c04905e1fdb151f10a32450ff0986b2a71edf66e4b0c5f4b91991fe5
SHA51200b6f5e9171561810619d0df125bf9f9f0385d344561202d6c9a797795757a57934950def3c8d247f71529a0beffd4a86157e1588d1a7f8c6b4b19cda05e678c