Analysis
max time kernel: 126s
max time network: 154s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 08:03
Static task: static1
Behavioral task: behavioral1
  Sample: 0bd152ba7112725f0ba1c614a449df3f5bb4ad94eea831511a111f07fb458e63.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0bd152ba7112725f0ba1c614a449df3f5bb4ad94eea831511a111f07fb458e63.exe
  Resource: win10v2004-en-20220113
General
Target: 0bd152ba7112725f0ba1c614a449df3f5bb4ad94eea831511a111f07fb458e63.exe
Size: 99KB
MD5: 4effc4f5dc9e2ca5c3f0bafc8b8c3943
SHA1: b90502ff2a879ecbbaa12f7b0401d374fe81caf6
SHA256: 0bd152ba7112725f0ba1c614a449df3f5bb4ad94eea831511a111f07fb458e63
SHA512: aae490a66b295c133486db4a52936c5c1eedf230d028a516852ba022dad1f0b43caabb7c7ef0d6a5a6508792cbb2b574242b51c4ad8e3f7be89e14c721357e26
Malware Config
Signatures
- Sakula Payload (3 IoCs)
  Processes:
    resource | yara_rule
    \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
    \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- Executes dropped EXE (1 IoC)
  Processes:
    pid | process
    1148 | MediaCenter.exe
- Deletes itself (1 IoC)
  Processes:
    pid | process
    1104 | cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes:
    pid | process
    1768 | 0bd152ba7112725f0ba1c614a449df3f5bb4ad94eea831511a111f07fb458e63.exe
    1768 | 0bd152ba7112725f0ba1c614a449df3f5bb4ad94eea831511a111f07fb458e63.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    description | ioc | process
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 0bd152ba7112725f0ba1c614a449df3f5bb4ad94eea831511a111f07fb458e63.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description | pid | process
    Token: SeIncBasePriorityPrivilege | 1768 | 0bd152ba7112725f0ba1c614a449df3f5bb4ad94eea831511a111f07fb458e63.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
    description | pid | process | target process
    PID 1768 wrote to memory of 1148 | 1768 | 0bd152ba7112725f0ba1c614a449df3f5bb4ad94eea831511a111f07fb458e63.exe | MediaCenter.exe
    PID 1768 wrote to memory of 1148 | 1768 | 0bd152ba7112725f0ba1c614a449df3f5bb4ad94eea831511a111f07fb458e63.exe | MediaCenter.exe
    PID 1768 wrote to memory of 1148 | 1768 | 0bd152ba7112725f0ba1c614a449df3f5bb4ad94eea831511a111f07fb458e63.exe | MediaCenter.exe
    PID 1768 wrote to memory of 1148 | 1768 | 0bd152ba7112725f0ba1c614a449df3f5bb4ad94eea831511a111f07fb458e63.exe | MediaCenter.exe
    PID 1768 wrote to memory of 1104 | 1768 | 0bd152ba7112725f0ba1c614a449df3f5bb4ad94eea831511a111f07fb458e63.exe | cmd.exe
    PID 1768 wrote to memory of 1104 | 1768 | 0bd152ba7112725f0ba1c614a449df3f5bb4ad94eea831511a111f07fb458e63.exe | cmd.exe
    PID 1768 wrote to memory of 1104 | 1768 | 0bd152ba7112725f0ba1c614a449df3f5bb4ad94eea831511a111f07fb458e63.exe | cmd.exe
    PID 1768 wrote to memory of 1104 | 1768 | 0bd152ba7112725f0ba1c614a449df3f5bb4ad94eea831511a111f07fb458e63.exe | cmd.exe
    PID 1104 wrote to memory of 1204 | 1104 | cmd.exe | PING.EXE
    PID 1104 wrote to memory of 1204 | 1104 | cmd.exe | PING.EXE
    PID 1104 wrote to memory of 1204 | 1104 | cmd.exe | PING.EXE
    PID 1104 wrote to memory of 1204 | 1104 | cmd.exe | PING.EXE
Processes
[1] C:\Users\Admin\AppData\Local\Temp\0bd152ba7112725f0ba1c614a449df3f5bb4ad94eea831511a111f07fb458e63.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\0bd152ba7112725f0ba1c614a449df3f5bb4ad94eea831511a111f07fb458e63.exe"
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 1768
    [2] C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
        - Executes dropped EXE
        PID: 1148
    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0bd152ba7112725f0ba1c614a449df3f5bb4ad94eea831511a111f07fb458e63.exe"
        - Deletes itself
        - Suspicious use of WriteProcessMemory
        PID: 1104
        [3] C:\Windows\SysWOW64\PING.EXE
            Command line: ping 127.0.0.1
            - Runs ping.exe
            PID: 1204
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 06ff217996cb048798cc752c740ebedb
  SHA1: ee1eccd36dec0f713dea2e9134728bba449dc90d
  SHA256: cdbbe904bb073884d651749c5c5b593f190b64923f2111aca55826fefc0e96c1
  SHA512: 2d5ee7e23da31335d30544cd0c3832facc57162680d5bcc6f5aeea8a761845a222627908132bff20083f2fd54dc6206a835435a1a8471a180faee27b6166779b