Analysis
max time kernel: 155s
max time network: 184s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 08:06
Static task: static1
Behavioral task: behavioral1
Sample: 0bb0352ee53dc4d18995e273f4e922d0279a8e73d3289bc489f634befcf64e5a.exe
Resource: win7-en-20211208
Behavioral task: behavioral2
Sample: 0bb0352ee53dc4d18995e273f4e922d0279a8e73d3289bc489f634befcf64e5a.exe
Resource: win10v2004-en-20220112
General
Target: 0bb0352ee53dc4d18995e273f4e922d0279a8e73d3289bc489f634befcf64e5a.exe
Size: 80KB
MD5: 6f2b361c3591aea040ed85673bc456ff
SHA1: f8c67ff3b51383da1548f3e2ec9b48385f12ecb2
SHA256: 0bb0352ee53dc4d18995e273f4e922d0279a8e73d3289bc489f634befcf64e5a
SHA512: 3b6d05187446b2f5fa3bce6e7751aa166f169f11f1fbad69b8c65327e8e9796ca19eaaa26fdce0a2e7803e66d76957177516502a3a995839dc83487aad13b29d
Malware Config
Signatures
Sakula Payload 3 IoCs
Processes:
resource | yara_rule
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula

Executes dropped EXE 1 IoCs
Processes:
pid | process
1552 | MediaCenter.exe

Deletes itself 1 IoCs
Processes:
pid | process
1376 | cmd.exe

Loads dropped DLL 2 IoCs
Processes:
pid | process
1272 | 0bb0352ee53dc4d18995e273f4e922d0279a8e73d3289bc489f634befcf64e5a.exe
1272 | 0bb0352ee53dc4d18995e273f4e922d0279a8e73d3289bc489f634befcf64e5a.exe

Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 0bb0352ee53dc4d18995e273f4e922d0279a8e73d3289bc489f634befcf64e5a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe 1 TTPs 1 IoCs

Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
description | pid | process
Token: SeIncBasePriorityPrivilege | 1272 | 0bb0352ee53dc4d18995e273f4e922d0279a8e73d3289bc489f634befcf64e5a.exe

Suspicious use of WriteProcessMemory 12 IoCs
Processes:
description | pid | process | target process
PID 1272 wrote to memory of 1552 | 1272 | 0bb0352ee53dc4d18995e273f4e922d0279a8e73d3289bc489f634befcf64e5a.exe | MediaCenter.exe
PID 1272 wrote to memory of 1552 | 1272 | 0bb0352ee53dc4d18995e273f4e922d0279a8e73d3289bc489f634befcf64e5a.exe | MediaCenter.exe
PID 1272 wrote to memory of 1552 | 1272 | 0bb0352ee53dc4d18995e273f4e922d0279a8e73d3289bc489f634befcf64e5a.exe | MediaCenter.exe
PID 1272 wrote to memory of 1552 | 1272 | 0bb0352ee53dc4d18995e273f4e922d0279a8e73d3289bc489f634befcf64e5a.exe | MediaCenter.exe
PID 1272 wrote to memory of 1376 | 1272 | 0bb0352ee53dc4d18995e273f4e922d0279a8e73d3289bc489f634befcf64e5a.exe | cmd.exe
PID 1272 wrote to memory of 1376 | 1272 | 0bb0352ee53dc4d18995e273f4e922d0279a8e73d3289bc489f634befcf64e5a.exe | cmd.exe
PID 1272 wrote to memory of 1376 | 1272 | 0bb0352ee53dc4d18995e273f4e922d0279a8e73d3289bc489f634befcf64e5a.exe | cmd.exe
PID 1272 wrote to memory of 1376 | 1272 | 0bb0352ee53dc4d18995e273f4e922d0279a8e73d3289bc489f634befcf64e5a.exe | cmd.exe
PID 1376 wrote to memory of 360 | 1376 | cmd.exe | PING.EXE
PID 1376 wrote to memory of 360 | 1376 | cmd.exe | PING.EXE
PID 1376 wrote to memory of 360 | 1376 | cmd.exe | PING.EXE
PID 1376 wrote to memory of 360 | 1376 | cmd.exe | PING.EXE
Processes
1. C:\Users\Admin\AppData\Local\Temp\0bb0352ee53dc4d18995e273f4e922d0279a8e73d3289bc489f634befcf64e5a.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\0bb0352ee53dc4d18995e273f4e922d0279a8e73d3289bc489f634befcf64e5a.exe"
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   PID: 1272
   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE
      PID: 1552
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0bb0352ee53dc4d18995e273f4e922d0279a8e73d3289bc489f634befcf64e5a.exe"
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      PID: 1376
      3. C:\Windows\SysWOW64\PING.EXE
         Command line: ping 127.0.0.1
         - Runs ping.exe
         PID: 360
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: c51b44cb914bb9a259f727f3a5753f21
SHA1: b13848e91467f38c25bcacb3dcfa3e3bb27076b6
SHA256: be343f1f2e214cc866bdd6619e54edfc86b9c404a98a3b76f8fec3e95ab68d9e
SHA512: baac2dc14dd65c90daaed45664963e2647e7b709ede47df78f507cc5efab0a60b82efa98e747775925d8f22652a371a7bf0267287742ce48e9d6af15bf57d563