Analysis
- max time kernel: 126s
- max time network: 147s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 08:25
Static task: static1
Behavioral task: behavioral1
  Sample: 0b157aa12e10331cc9d9e5fec96eebb195fd0e2cbd1195a50953193d61c99e43.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0b157aa12e10331cc9d9e5fec96eebb195fd0e2cbd1195a50953193d61c99e43.exe
  Resource: win10v2004-en-20220113
General
- Target: 0b157aa12e10331cc9d9e5fec96eebb195fd0e2cbd1195a50953193d61c99e43.exe
- Size: 80KB
- MD5: b4c87a3b0ba0bccf206b48f178b59c25
- SHA1: 6286c1a04dea66cfdb733b0ed3515bc23af78105
- SHA256: 0b157aa12e10331cc9d9e5fec96eebb195fd0e2cbd1195a50953193d61c99e43
- SHA512: ce7f70324c31feba038367c9c89bc43aa24b1dde9e5ab7924ca70613900554481b68e894315553fbc6c4eff4d4562caedfef158cf2fd2052071668dd10304e62
Malware Config
Signatures
- Sakula Payload (3 IoCs)
  Processes (resource / yara_rule):
    \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe / family_sakula
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe / family_sakula
    \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe / family_sakula
- Executes dropped EXE (1 IoC)
  Processes (pid / process):
    1316 / MediaCenter.exe
- Deletes itself (1 IoC)
  Processes (pid / process):
    1080 / cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid / process):
    1600 / 0b157aa12e10331cc9d9e5fec96eebb195fd0e2cbd1195a50953193d61c99e43.exe
    1600 / 0b157aa12e10331cc9d9e5fec96eebb195fd0e2cbd1195a50953193d61c99e43.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description / ioc / process):
    Set value (str) / \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" / 0b157aa12e10331cc9d9e5fec96eebb195fd0e2cbd1195a50953193d61c99e43.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description / pid / process):
    Token: SeIncBasePriorityPrivilege / 1600 / 0b157aa12e10331cc9d9e5fec96eebb195fd0e2cbd1195a50953193d61c99e43.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description / pid / process / target process):
    PID 1600 wrote to memory of 1316 / 1600 / 0b157aa12e10331cc9d9e5fec96eebb195fd0e2cbd1195a50953193d61c99e43.exe / MediaCenter.exe
    PID 1600 wrote to memory of 1316 / 1600 / 0b157aa12e10331cc9d9e5fec96eebb195fd0e2cbd1195a50953193d61c99e43.exe / MediaCenter.exe
    PID 1600 wrote to memory of 1316 / 1600 / 0b157aa12e10331cc9d9e5fec96eebb195fd0e2cbd1195a50953193d61c99e43.exe / MediaCenter.exe
    PID 1600 wrote to memory of 1316 / 1600 / 0b157aa12e10331cc9d9e5fec96eebb195fd0e2cbd1195a50953193d61c99e43.exe / MediaCenter.exe
    PID 1600 wrote to memory of 1080 / 1600 / 0b157aa12e10331cc9d9e5fec96eebb195fd0e2cbd1195a50953193d61c99e43.exe / cmd.exe
    PID 1600 wrote to memory of 1080 / 1600 / 0b157aa12e10331cc9d9e5fec96eebb195fd0e2cbd1195a50953193d61c99e43.exe / cmd.exe
    PID 1600 wrote to memory of 1080 / 1600 / 0b157aa12e10331cc9d9e5fec96eebb195fd0e2cbd1195a50953193d61c99e43.exe / cmd.exe
    PID 1600 wrote to memory of 1080 / 1600 / 0b157aa12e10331cc9d9e5fec96eebb195fd0e2cbd1195a50953193d61c99e43.exe / cmd.exe
    PID 1080 wrote to memory of 1040 / 1080 / cmd.exe / PING.EXE
    PID 1080 wrote to memory of 1040 / 1080 / cmd.exe / PING.EXE
    PID 1080 wrote to memory of 1040 / 1080 / cmd.exe / PING.EXE
    PID 1080 wrote to memory of 1040 / 1080 / cmd.exe / PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\0b157aa12e10331cc9d9e5fec96eebb195fd0e2cbd1195a50953193d61c99e43.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0b157aa12e10331cc9d9e5fec96eebb195fd0e2cbd1195a50953193d61c99e43.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1600
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1316
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0b157aa12e10331cc9d9e5fec96eebb195fd0e2cbd1195a50953193d61c99e43.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1080
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1040
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: b5bbbf6d62c5d3c0e44a25026042a6be
  SHA1: 0598cee7a98e210599d03d61607ab720f25ce708
  SHA256: 8adc80cd106d1f76e3c5b4c69dcd9d67da14f8ba195192def9d89c13bfdb9f55
  SHA512: e68a2ea4b8f58e7a44af88c8ebced87f0037cca3463ec5f57e1d51255d4b1ff7e50707352b757911a1f4aece6f70287ad1169925f162fd28efb2b21d988b2285
- \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: b5bbbf6d62c5d3c0e44a25026042a6be
  SHA1: 0598cee7a98e210599d03d61607ab720f25ce708
  SHA256: 8adc80cd106d1f76e3c5b4c69dcd9d67da14f8ba195192def9d89c13bfdb9f55
  SHA512: e68a2ea4b8f58e7a44af88c8ebced87f0037cca3463ec5f57e1d51255d4b1ff7e50707352b757911a1f4aece6f70287ad1169925f162fd28efb2b21d988b2285
- memory/1600-55-0x0000000075801000-0x0000000075803000-memory.dmp
  Filesize: 8KB