Analysis
- max time kernel: 155s
- max time network: 170s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 08:25
Static task: static1
Behavioral task: behavioral1
- Sample: 0b0d8d327dd7cba9afd43f018e3869b72c102504692ab76d784f5fa9b0abb8be.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 0b0d8d327dd7cba9afd43f018e3869b72c102504692ab76d784f5fa9b0abb8be.exe
- Resource: win10v2004-en-20220112
General
- Target: 0b0d8d327dd7cba9afd43f018e3869b72c102504692ab76d784f5fa9b0abb8be.exe
- Size: 99KB
- MD5: e7855c7952c3b86a7feee870e616bdfe
- SHA1: 0fb98d2bbee7853d08b5a45b6d9d0952a885ee50
- SHA256: 0b0d8d327dd7cba9afd43f018e3869b72c102504692ab76d784f5fa9b0abb8be
- SHA512: 8d0544496982fdfa8e0797a8414ab9b1e5fabb94d441eab058fe4cc12e871f2d3af02489dcf942f10d0df576a10e265fcd10a884b0e77971dcec17292d03fa87
Malware Config
Signatures
- Sakula Payload (3 IoCs)
  YARA rule family_sakula matched on:
    \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
- Executes dropped EXE (1 IoC)
  PID 1720 MediaCenter.exe
- Deletes itself (1 IoC)
  PID 620 cmd.exe
- Loads dropped DLL (2 IoCs)
  PID 1588 0b0d8d327dd7cba9afd43f018e3869b72c102504692ab76d784f5fa9b0abb8be.exe (listed twice)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  Set by: 0b0d8d327dd7cba9afd43f018e3869b72c102504692ab76d784f5fa9b0abb8be.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's stock description for this signature reads "likely ransomware behaviour"; that is a generic heuristic, and the YARA match above classifies the payload as Sakula, so treat this as drive enumeration rather than evidence of file encryption.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeIncBasePriorityPrivilege, PID 1588 0b0d8d327dd7cba9afd43f018e3869b72c102504692ab76d784f5fa9b0abb8be.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  PID 1588 (the sample) wrote to memory of PID 1720 (MediaCenter.exe), 4 times
  PID 1588 (the sample) wrote to memory of PID 620 (cmd.exe), 4 times
  PID 620 (cmd.exe) wrote to memory of PID 1868 (PING.EXE), 4 times
  Each burst of four writes coincides with one of the three process creations in the tree below; a parent writing into a child it has just created is normal CreateProcess behaviour, so this signature on its own is weak evidence of injection.
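The Run-key signature above is the persistence mechanism: an autostart value pointing at an executable the dropper wrote into AppData\Local\Temp. The following is an added example, not part of the sandbox report, that parses registry "Set value" lines in the form the report prints and flags Run/RunOnce entries whose target lives in a user-writable directory. It generalises beyond this one sample to HKCU, RunOnce and other writable locations; the first sample line is the report's own IoC, the remaining lines and the directory list are constructed for illustration.

```python
"""Flag autostart (Run/RunOnce) values whose target lives in a user-writable directory.

Added example, not part of the sandbox report. It parses the registry
"Set value" lines in the form the report prints and flags Run-key entries
whose executable sits where an unprivileged process can write, as the
MicroMedia value above does (AppData\\Local\\Temp). The sample lines other
than the report's own MicroMedia entry are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Autostart keys worth watching: HKLM and HKCU, native and Wow6432Node views,
# Run and RunOnce. The key path is matched as a substring, so the hive prefix
# (\REGISTRY\MACHINE, \REGISTRY\USER\<SID>, HKLM, HKCU) does not matter.
AUTORUN_KEY_RE = re.compile(
    r"\\(?:Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\",
    re.IGNORECASE,
)

# Directory fragments (forward-slash normalised, lower case) that an
# unprivileged user can write to. Legitimate autostart entries normally point
# into Program Files or System32; anything here deserves a look. (Assumed list.)
SUSPICIOUS_DIRS = (
    "/appdata/local/temp/",
    "/appdata/roaming/",
    "/programdata/",
    "/users/public/",
    "/windows/temp/",
)

SET_VALUE_RE = re.compile(
    r'Set value \((?P<type>\w+)\) (?P<key>\S+) = "(?P<data>[^"]*)"'
)


@dataclass
class AutorunFinding:
    key: str
    target: str
    reason: str


def extract_target(data: str) -> str:
    """Reduce a Run value to the executable path.

    The report prints backslashes doubled, so undo that first. A quoted value
    ends at the closing quote; an unquoted one is cut after the first ".exe"
    (unquoted paths may legitimately contain spaces), falling back to the
    first token when there is no .exe at all.
    """
    data = data.replace("\\\\", "\\").strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    idx = data.lower().find(".exe")
    if idx >= 0:
        return data[: idx + 4]
    return data.split(" ", 1)[0]


def check_set_value_line(line: str) -> Optional[AutorunFinding]:
    """Return a finding if the line sets an autostart value into a writable dir."""
    m = SET_VALUE_RE.search(line)
    if not m or not AUTORUN_KEY_RE.search(m.group("key")):
        return None
    target = extract_target(m.group("data"))
    normalised = target.replace("\\", "/").lower()
    for fragment in SUSPICIOUS_DIRS:
        if fragment in normalised:
            return AutorunFinding(
                key=m.group("key"),
                target=target,
                reason=f"autostart target under {fragment}",
            )
    return None


def scan(lines: List[str]) -> List[AutorunFinding]:
    return [f for f in (check_set_value_line(l) for l in lines) if f is not None]


# Constructed sample: the first line is the report's own Run-key IoC; the
# others are made up to show a benign entry, an HKCU RunOnce hit and a
# non-autostart key that must be ignored even though its data looks shady.
SAMPLE_LINES = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ExampleUpdater = "C:\\Program Files\\Example\\updater.exe /background"',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\RunOnce\Updater = "C:\\Users\\Admin\\AppData\\Roaming\\svc.exe -q"',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1111-2222-3333-1001\Software\Example\LastRun = "C:\\Users\\Admin\\AppData\\Local\\Temp\\x.exe"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LINES):
        print(f"{finding.key}\n  -> {finding.target}  ({finding.reason})")
```

Run against the report's own line it returns the MicroMedia entry; the constructed Program Files entry passes, and the shady-looking value under a non-autostart key is ignored because persistence, not the path alone, is what the check is after.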
Processes
- C:\Users\Admin\AppData\Local\Temp\0b0d8d327dd7cba9afd43f018e3869b72c102504692ab76d784f5fa9b0abb8be.exe (PID 1588)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0b0d8d327dd7cba9afd43f018e3869b72c102504692ab76d784f5fa9b0abb8be.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 1720, child of 1588)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 620, child of 1588)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0b0d8d327dd7cba9afd43f018e3869b72c102504692ab76d784f5fa9b0abb8be.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 1868, child of 620)
      Command line: ping 127.0.0.1
      - Runs ping.exe
The command line asks for System32\cmd.exe but the image that ran is SysWOW64\cmd.exe: the dropper is a 32-bit process on a 64-bit host, so WOW64 file-system redirection resolved the path, for the same reason its Run key landed under Wow6432Node. The ping 127.0.0.1 is only a delay so that the dropper has exited before del runs; the payload (MediaCenter.exe) stays behind.
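The cmd.exe branch of the tree is the textbook self-deletion chain: a short delay, then del against the dropper's own path. The following is an added example, not part of the sandbox report, that consumes process-creation events with Sysmon Event ID 1 style fields (pid, ppid, image, command line), rebuilds parent links and flags a cmd.exe whose command line deletes the image of one of its ancestors. It generalises past this sample to del/erase with arbitrary switches, bare or quoted paths, timeout/choice delays and a deleter more than one level below the victim. The events are constructed to mirror the tree above; the explorer.exe parent (PID 1000) and the benign cmd.exe (PID 2000) are invented.

```python
"""Detect the "cmd /c ping 127.0.0.1 & del <dropper>" self-deletion chain.

Added example, not part of the sandbox report. It consumes process-creation
events with Sysmon Event ID 1 style fields (pid, ppid, image, command line),
rebuilds parent links and flags a cmd.exe whose command line deletes the image
of one of its ancestors, optionally after a ping/timeout delay. The events
below are constructed to mirror the report's process tree; the explorer.exe
parent and the benign cmd.exe are made up.
"""
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the executable that actually ran
    cmdline: str    # command line as recorded at process creation


# del/erase, optional switches such as /q /f, then a quoted or bare path.
DEL_RE = re.compile(
    r'\b(?:del|erase)\b(?:\s+/\w+)*\s+(?:"(?P<quoted>[^"]+)"|(?P<bare>[^\s&|]+))',
    re.IGNORECASE,
)
# Coarse check for the delay that lets the parent exit before the delete runs.
DELAY_RE = re.compile(r"\b(?:ping|timeout|choice)\b", re.IGNORECASE)


def _norm(path: str) -> str:
    # Environment variables are not expanded here; a real detector would
    # resolve %TEMP% and friends before comparing.
    return path.strip().strip('"').lower()


def ancestors(pid: int, by_pid: Dict[int, ProcEvent], depth: int = 3) -> List[ProcEvent]:
    """Nearest-first list of recorded ancestors, at most `depth` levels up."""
    out: List[ProcEvent] = []
    cur = by_pid.get(pid)
    while cur is not None and depth > 0:
        parent = by_pid.get(cur.ppid)
        if parent is None:
            break
        out.append(parent)
        cur = parent
        depth -= 1
    return out


def find_self_deletes(events: List[ProcEvent]) -> List[dict]:
    """Return one finding per cmd.exe that deletes an ancestor's image."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        if not e.image.lower().endswith("\\cmd.exe"):
            continue
        m = DEL_RE.search(e.cmdline)
        if not m:
            continue
        target = _norm(m.group("quoted") or m.group("bare"))
        for anc in ancestors(e.pid, by_pid):
            if _norm(anc.image) == target:
                findings.append({
                    "cmd_pid": e.pid,
                    "parent_pid": anc.pid,
                    "deleted": anc.image,
                    "delayed": bool(DELAY_RE.search(e.cmdline)),
                })
                break  # nearest ancestor wins
    return findings


DROPPER = r"C:\Users\Admin\AppData\Local\Temp\0b0d8d327dd7cba9afd43f018e3869b72c102504692ab76d784f5fa9b0abb8be.exe"

# Constructed events mirroring the report's tree (PIDs 1588/1720/620/1868 are
# the report's; PID 1000 explorer.exe and PID 2000 are invented).
SAMPLE_EVENTS = [
    ProcEvent(1000, 4, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(1588, 1000, DROPPER, f'"{DROPPER}"'),
    ProcEvent(1720, 1588, r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe",
              r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"),
    ProcEvent(620, 1588, r"C:\Windows\SysWOW64\cmd.exe",
              f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{DROPPER}"'),
    ProcEvent(1868, 620, r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.1"),
    # Benign: a cmd.exe deleting a log file, not its parent.
    ProcEvent(2000, 1000, r"C:\Windows\System32\cmd.exe",
              r"cmd.exe /c del /q C:\Users\Admin\AppData\Local\Temp\build.log"),
]

if __name__ == "__main__":
    for f in find_self_deletes(SAMPLE_EVENTS):
        print(f)
```

Matching on the ancestor's recorded image rather than on the string in the command line is what makes the System32-versus-SysWOW64 discrepancy in the tree irrelevant: the comparison is between the del target and the dropper's path, both of which the sandbox records verbatim.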
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 62e2b789c39a6f4d6a96a8a2eb2f272f
  SHA1: 32538e10432b620b4f601bac842c00f99ed9e1b3
  SHA256: eeca175a0dbd1ae20be5960fd0c25f6ca7d37260599cd80847189b47a4f11e89
  SHA512: 12785636a3fb26108048a12fcc91f446c20072dab6d3d5cf5f0b0b64a977400b02157975916280533a2d5903f18cc2f8c739f8671d0e947b1e893ca96b967025
- \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  Same file as above (identical MD5, SHA1, SHA256 and SHA512).
- memory/1588-54-0x0000000076151000-0x0000000076153000-memory.dmp
  Filesize: 8KB