Analysis
- max time kernel: 118s
- max time network: 139s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 08:03
Static task: static1
Behavioral task: behavioral1
  Sample: 0bd1010d81f63cab1642c252853ac2b64023938233f1939c89ca5fd2f9e3f59d.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0bd1010d81f63cab1642c252853ac2b64023938233f1939c89ca5fd2f9e3f59d.exe
  Resource: win10v2004-en-20220113
General
- Target: 0bd1010d81f63cab1642c252853ac2b64023938233f1939c89ca5fd2f9e3f59d.exe
- Size: 192KB
- MD5: 1fd1a74faaed8e6d5817b6326a293aa5
- SHA1: e2b907a2c4332cd28b72326f58386abcc6489416
- SHA256: 0bd1010d81f63cab1642c252853ac2b64023938233f1939c89ca5fd2f9e3f59d
- SHA512: 6e6fd3e4088b97afdcb16868e7fb1984dcd8d3e8627d8836bef278b0cfc91ce14bd39166c23ad9c7f9d40ded1972a5d8763b4d5babb4c4e5a4cc0e0c4cff6eac
Malware Config
Signatures
- Sakula Payload (3 IoCs)
  Processes:
  resource                                                     | yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe   | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe   | family_sakula
- Executes dropped EXE (1 IoC)
  Processes:
  pid  | process
  1316 | MediaCenter.exe
- Deletes itself (1 IoC)
  Processes:
  pid  | process
  2040 | cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes:
  pid  | process
  1964 | 0bd1010d81f63cab1642c252853ac2b64023938233f1939c89ca5fd2f9e3f59d.exe
  1964 | 0bd1010d81f63cab1642c252853ac2b64023938233f1939c89ca5fd2f9e3f59d.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
  description     | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 0bd1010d81f63cab1642c252853ac2b64023938233f1939c89ca5fd2f9e3f59d.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  description                       | pid  | process
  Token: SeIncBasePriorityPrivilege | 1964 | 0bd1010d81f63cab1642c252853ac2b64023938233f1939c89ca5fd2f9e3f59d.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
  description                        | pid  | process                                                               | target process
  PID 1964 wrote to memory of 1316   | 1964 | 0bd1010d81f63cab1642c252853ac2b64023938233f1939c89ca5fd2f9e3f59d.exe | MediaCenter.exe (reported 4 times)
  PID 1964 wrote to memory of 2040   | 1964 | 0bd1010d81f63cab1642c252853ac2b64023938233f1939c89ca5fd2f9e3f59d.exe | cmd.exe (reported 4 times)
  PID 2040 wrote to memory of 1060   | 2040 | cmd.exe                                                               | PING.EXE (reported 4 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\0bd1010d81f63cab1642c252853ac2b64023938233f1939c89ca5fd2f9e3f59d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0bd1010d81f63cab1642c252853ac2b64023938233f1939c89ca5fd2f9e3f59d.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1964
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1316
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0bd1010d81f63cab1642c252853ac2b64023938233f1939c89ca5fd2f9e3f59d.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 2040
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1060
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 5b0f6f48e78be4778b1b02399a8cf513
  SHA1: c18b39c1092f537205b2bada5c2f031385539dfd
  SHA256: ddcf9db4fd991e1ee92e08bb9d0aa7f422b503cb757d02034755e3144bc8d4e4
  SHA512: cc176428a7960be35d34bf5a7d2048fbef893de95fe9b3cd472126273edbb64b3446d15f9f6b406a743da249c72bff06a9fa398edc15e3435467f6f7786d6342