Analysis
max time kernel: 151s
max time network: 180s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 08:02

Static task: static1
Behavioral task: behavioral1
  Sample: 0bda8039c3bf2f357bbda24ec2a148f1fa08377aac28d1f9a7e327d0c3c06ba7.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0bda8039c3bf2f357bbda24ec2a148f1fa08377aac28d1f9a7e327d0c3c06ba7.exe
  Resource: win10v2004-en-20220113

The signatures and process tree below are from the windows7_x64 run (behavioral1, resource win7-en-20211208); the Windows 10 task (behavioral2) is listed but its results are not on this page.
General
Target: 0bda8039c3bf2f357bbda24ec2a148f1fa08377aac28d1f9a7e327d0c3c06ba7.exe
Size: 80KB
MD5: 697e44ed9131b546896f86682ea70b00
SHA1: 32aceccd87b4e30cd636f9f4baee5b0c32702f4e
SHA256: 0bda8039c3bf2f357bbda24ec2a148f1fa08377aac28d1f9a7e327d0c3c06ba7
SHA512: f7b486ca9eee8438553ee5878987cd06ad6d59fd3874c3b91abc2fe79f7f1413c3071abda2a0953adbbd12cb2e319fa89c32893672dbe6971cc4cbab2d3ff912
Malware Config
Signatures

- Sakula Payload (3 IoCs)
  YARA rule family_sakula matched:
    \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  The family match is on the dropped file, not on the submitted 80KB executable: MediaCenter.exe is the Sakula payload and the submitted file behaves as its dropper.

- Executes dropped EXE (1 IoC)
  PID 1204  MediaCenter.exe

- Deletes itself (1 IoC)
  PID 1212  cmd.exe (a child of the sample that erases the original file; see the process tree below)

- Loads dropped DLL (2 IoCs)
  PID 1180  0bda8039c3bf2f357bbda24ec2a148f1fa08377aac28d1f9a7e327d0c3c06ba7.exe (two loads recorded; the report does not name the DLL)

- Adds Run key to start application (2 TTPs, 1 IoC)
  PID 1180  0bda8039c3bf2f357bbda24ec2a148f1fa08377aac28d1f9a7e327d0c3c06ba7.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
  The value lands under Wow6432Node because the sample is a 32-bit image on a 64-bit host (its cmd.exe child also runs from SysWOW64). A 32-bit process sees the entry at HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroMedia; a 64-bit tool has to open the Wow6432Node path (or use KEY_WOW64_32KEY), so query both views when hunting for this persistence.

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  That sentence is the sandbox's generic description of the signature. The YARA match above identifies the payload as Sakula, a backdoor, and nothing else in this report (no file encryption, no ransom note) supports a ransomware reading, so do not classify the sample as ransomware on this signature alone.

- Runs ping.exe (1 TTP, 1 IoC)
  PID 1568  PING.EXE (ping 127.0.0.1, spawned by cmd.exe PID 1212 as the delay before the self-delete)

- Suspicious use of AdjustPrivilegeToken (1 IoC)
  PID 1180  0bda8039c3bf2f357bbda24ec2a148f1fa08377aac28d1f9a7e327d0c3c06ba7.exe  Token: SeIncBasePriorityPrivilege

- Suspicious use of WriteProcessMemory (12 IoCs)
  PID 1180 (0bda8039c3bf2f357bbda24ec2a148f1fa08377aac28d1f9a7e327d0c3c06ba7.exe) wrote to PID 1204 (MediaCenter.exe), 4 times
  PID 1180 (0bda8039c3bf2f357bbda24ec2a148f1fa08377aac28d1f9a7e327d0c3c06ba7.exe) wrote to PID 1212 (cmd.exe), 4 times
  PID 1212 (cmd.exe) wrote to PID 1568 (PING.EXE), 4 times
  Every write goes from a parent into a child it has just created and matches the process tree edge for edge; this is the memory setup that process creation itself performs, not injection into an unrelated process.
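The Run-key write above is the sample's persistence. The check below is an added example, not code from the sandbox report or from the sample: it normalises the kernel-style \REGISTRY\MACHINE path and the Wow6432Node redirection seen in the IoC, matches Run/RunOnce values, and flags autoruns that point into user-writable directories. The tab-separated event lines are constructed for the example (the first reproduces the report's IoC, the other two are benign noise), and the record format itself is an assumption, not Sysmon's.

```python
"""Flag Run-key persistence entries like the one in the report's "Adds Run key"
signature. Added example, not part of the sandbox report or the sample's code.
The event lines are constructed: the first reproduces the report's IoC, the
others are benign noise; the tab-separated format is assumed, not Sysmon's."""
import re
from typing import NamedTuple


class RunKeyHit(NamedTuple):
    key: str                # hive-normalised key with Wow6432Node removed
    value_name: str
    image: str              # executable the autorun points at
    wow64_redirected: bool  # written through the 32-bit registry view


# Constructed events: operation, registry path, value data (tab-separated).
SAMPLE_EVENTS = "\n".join([
    "SetValue\t\\REGISTRY\\MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows"
    "\\CurrentVersion\\Run\\MicroMedia"
    "\tC:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe",
    "SetValue\t\\REGISTRY\\USER\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft"
    "\\Windows\\CurrentVersion\\Run\\OneDrive"
    "\t\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background",
    "SetValue\t\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion"
    "\\Explorer\\Advanced\\Hidden\t1",
])

HIVE_PREFIXES = (
    (r"^\\REGISTRY\\MACHINE", "HKLM"),
    (r"^\\REGISTRY\\USER\\[^\\]+", "HKU"),   # per-user hive, SID collapsed
)
RUN_KEY_RE = re.compile(
    r"^(?:HKLM|HKU)\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\"
    r"(?:Run|RunOnce)\\(?P<name>[^\\]+)$",
    re.IGNORECASE,
)
# Locations an unprivileged user can write to: an autorun pointing here is
# far more suspicious than one under Program Files or System32.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


def normalise_key(target: str) -> tuple[str, bool]:
    """Map a kernel-style \\REGISTRY\\... path to HKLM/HKU and strip the WOW64
    redirection node. Returns (normalised_key, was_wow64_redirected)."""
    key = target
    for pattern, short in HIVE_PREFIXES:
        key = re.sub(pattern, short, key, flags=re.IGNORECASE)
    redirected = "\\wow6432node\\" in key.lower()
    key = re.sub(r"\\Wow6432Node\\", lambda _: "\\", key, flags=re.IGNORECASE)
    return key, redirected


def image_from_value(data: str) -> str:
    """First token of a Run value, honouring quotes ("C:\\Program Files\\a.exe" /x)."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split(" ", 1)[0]


def find_run_key_persistence(events: str) -> list[RunKeyHit]:
    """Return Run/RunOnce values whose target lives in a user-writable directory."""
    hits = []
    for line in events.splitlines():
        parts = line.split("\t")
        if len(parts) != 3 or parts[0] != "SetValue":
            continue
        key, redirected = normalise_key(parts[1])
        m = RUN_KEY_RE.match(key)
        if not m:
            continue
        image = image_from_value(parts[2])
        if any(d in image.lower() for d in USER_WRITABLE):
            hits.append(RunKeyHit(key.rsplit("\\", 1)[0], m.group("name"),
                                  image, redirected))
    return hits


if __name__ == "__main__":
    for hit in find_run_key_persistence(SAMPLE_EVENTS):
        view = " (via Wow6432Node)" if hit.wow64_redirected else ""
        print(f"{hit.key}\\{hit.value_name}{view} -> {hit.image}")
```

Matching on the normalised key means the same rule fires whether the writer was 32-bit (Wow6432Node) or 64-bit; the wow64_redirected flag records which registry view to open when verifying or removing the entry. On the constructed input only the MicroMedia value is reported, since the OneDrive entry points under Program Files.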
Processes

C:\Users\Admin\AppData\Local\Temp\0bda8039c3bf2f357bbda24ec2a148f1fa08377aac28d1f9a7e327d0c3c06ba7.exe  (PID 1180)
  command line: "C:\Users\Admin\AppData\Local\Temp\0bda8039c3bf2f357bbda24ec2a148f1fa08377aac28d1f9a7e327d0c3c06ba7.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  (PID 1204, child of 1180)
    command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE

  C:\Windows\SysWOW64\cmd.exe  (PID 1212, child of 1180)
    command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0bda8039c3bf2f357bbda24ec2a148f1fa08377aac28d1f9a7e327d0c3c06ba7.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\PING.EXE  (PID 1568, child of 1212)
      command line: ping 127.0.0.1
      - Runs ping.exe

Reading the tree: the sample drops MediaCenter.exe into %TEMP%\MicroMedia, runs it, registers it under the Run key, then hands cmd.exe a one-liner that pings localhost and deletes the original executable. The ping has no network purpose; it is a delay that lets the sample exit before del runs, so the delete succeeds on a file that is no longer in use. The command line names System32\cmd.exe but the image that actually runs is SysWOW64\cmd.exe, which is file system redirection applied to the 32-bit parent. After cleanup what remains on disk is MediaCenter.exe (plus whatever DLL the sample dropped and loaded, which the report does not name) and the Run value pointing at it, so those, rather than the submitted file's hash, are what to hunt for on other hosts.
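The process tree above is the whole dropper lifecycle, and the cmd.exe line is the part worth a detection: a delay primitive chained with del against the parent's own image. The script below is an added example, not code from the sandbox report or from the sample. It rebuilds the tree from process-creation records and flags a cmd.exe whose delay-and-delete chain targets its parent's image, so it fires on this sample's shape without hard-coding the sample's path. PIDs, images and command lines for 1180/1204/1212/1568 are taken from the report; PID 3000 (explorer.exe as the launcher), PID 4100 (a ping-and-delete of some other file, which must not fire) and the tab-separated key=value record format are constructed for this example.

```python
"""Reconstruct the report's process tree from process-creation events and flag
the "ping 127.0.0.1 & del" self-deletion that cmd.exe PID 1212 performs.
Added example, not part of the sandbox report or of the sample. PIDs, images
and command lines for 1180/1204/1212/1568 are taken from the report; PID 3000
(explorer.exe as the launcher), PID 4100 and the tab-separated key=value
record format are constructed for this example."""
import re
from dataclasses import dataclass, field
from typing import Optional

SAMPLE = "0bda8039c3bf2f357bbda24ec2a148f1fa08377aac28d1f9a7e327d0c3c06ba7.exe"
TEMP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str
    children: list["Proc"] = field(default_factory=list)


# Constructed Sysmon Event ID 1-style records (one per line).
SAMPLE_EVENTS = "\n".join([
    "ProcessId=3000\tParentProcessId=800\tImage=C:\\Windows\\explorer.exe"
    "\tCommandLine=C:\\Windows\\explorer.exe",
    f"ProcessId=1180\tParentProcessId=3000\tImage={TEMP}{SAMPLE}"
    f"\tCommandLine=\"{TEMP}{SAMPLE}\"",
    f"ProcessId=1204\tParentProcessId=1180\tImage={TEMP}MicroMedia\\MediaCenter.exe"
    f"\tCommandLine={TEMP}MicroMedia\\MediaCenter.exe",
    f"ProcessId=1212\tParentProcessId=1180\tImage=C:\\Windows\\SysWOW64\\cmd.exe"
    f"\tCommandLine=\"C:\\Windows\\System32\\cmd.exe\" /c ping 127.0.0.1 & del /q \"{TEMP}{SAMPLE}\"",
    "ProcessId=1568\tParentProcessId=1212\tImage=C:\\Windows\\SysWOW64\\PING.EXE"
    "\tCommandLine=ping 127.0.0.1",
    # Same ping-then-del shape, but deleting some other file: must not fire.
    "ProcessId=4100\tParentProcessId=3000\tImage=C:\\Windows\\System32\\cmd.exe"
    "\tCommandLine=\"C:\\Windows\\System32\\cmd.exe\" /c ping 127.0.0.1 -n 2 & del /q C:\\Users\\Admin\\build\\stale.tmp",
])


def parse_events(text: str) -> dict[int, Proc]:
    """Index records by PID and link each to its parent when the parent is present."""
    procs: dict[int, Proc] = {}
    for line in text.splitlines():
        fields = dict(part.partition("=")[::2] for part in line.split("\t"))
        p = Proc(int(fields["ProcessId"]), int(fields["ParentProcessId"]),
                 fields["Image"], fields["CommandLine"])
        procs[p.pid] = p
    for p in procs.values():
        if p.ppid in procs:
            procs[p.ppid].children.append(p)
    return procs


# A delay primitive, an '&' chain, then del/erase: the classic self-delete shape.
DELAY_THEN_DEL = re.compile(
    r"\b(?:ping|timeout|choice)\b[^&]*&+\s*(?:del|erase)\b\s*(?P<rest>.*)$",
    re.IGNORECASE)
SWITCH = re.compile(r"^/[a-z]+\s+", re.IGNORECASE)


def deleted_path(cmdline: str) -> Optional[str]:
    """Path deleted by a 'delay & del' chain, or None if the chain is absent."""
    m = DELAY_THEN_DEL.search(cmdline)
    if not m:
        return None
    rest = m.group("rest").strip()
    while SWITCH.match(rest):            # drop /q, /f, /a... before the path
        rest = SWITCH.sub("", rest, count=1).strip()
    if rest.startswith('"'):
        end = rest.find('"', 1)
        return rest[1:end] if end > 0 else rest[1:]
    return rest.split(" ", 1)[0]


def find_self_deletion(procs: dict[int, Proc]) -> list[tuple[int, int, str]]:
    """(cmd pid, parent pid, path) for every cmd.exe whose delay-and-delete chain
    targets its own parent's image: the parent erasing itself after it exits."""
    hits = []
    for p in procs.values():
        if not p.image.lower().endswith("\\cmd.exe"):
            continue
        target = deleted_path(p.cmdline)
        parent = procs.get(p.ppid)
        if target and parent and target.lower() == parent.image.lower():
            hits.append((p.pid, parent.pid, target))
    return sorted(hits)


def render_tree(procs: dict[int, Proc], pid: int, depth: int = 0) -> list[str]:
    """Indented 'pid basename' lines, depth-first, children in PID order."""
    p = procs[pid]
    name = p.image.rsplit("\\", 1)[-1]
    lines = [f"{'  ' * depth}{p.pid} {name}"]
    for child in sorted(p.children, key=lambda c: c.pid):
        lines.extend(render_tree(procs, child.pid, depth + 1))
    return lines


if __name__ == "__main__":
    tree = parse_events(SAMPLE_EVENTS)
    print("\n".join(render_tree(tree, 1180)))
    for cmd_pid, parent_pid, path in find_self_deletion(tree):
        print(f"self-delete: cmd.exe {cmd_pid} erases parent {parent_pid} image {path}")
```

The deleted path is compared with the parent's image rather than with a fixed string, so the rule fires for any dropper that uses this shape (ping, timeout or choice as the delay; del or erase as the verb) and stays quiet for the constructed PID 4100, which deletes an unrelated file. On real telemetry the same comparison needs the parent's image from the process-creation event of the parent, which is why the tree is built first.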
Network
MITRE ATT&CK Enterprise v6
Downloads
(a second artifact from the run: these hashes differ from the submitted sample's listed under General)
MD5: 087d23d5353fef68799d1f5f8d91c366
SHA1: c3c56285bc8f76e81a473337d5cba34c2ff5cc6b
SHA256: a337af23722b1a39f37a51b2b8ead357c2288e739a9f0c119f3499cf7ccfaa8c
SHA512: b089a6ab4096673ca1df637287024c58fe73918311652851f338f5ef964ffd743518754014eb1a2d5f49b489db1ced353e057fe48cb98686265b20c98608105d