a2e5236b9facabd44e2291c6fe7289a1022f1a461db2894c99e3fc91c51e5c24

General
Target

a2e5236b9facabd44e2291c6fe7289a1022f1a461db2894c99e3fc91c51e5c24.exe

Filesize

58KB

Completed

24-09-2021 06:18

Score
10/10
MD5

eb8e2d67cde387d87a3d78a52a477fb4

SHA1

4138900c2fd72ddfa8fbeedb74bdc460d9a3a42b

SHA256

a2e5236b9facabd44e2291c6fe7289a1022f1a461db2894c99e3fc91c51e5c24

Malware Config
Signatures 9

Filter: none

Defense Evasion
Discovery
Persistence
  • Sakula

    Description

    Sakula is a remote access trojan with various capabilities.

    Tags

  • Executes dropped EXE
    MediaCenter.exe

    Reported IOCs

    pidprocess
    1652MediaCenter.exe
  • Deletes itself
    cmd.exe

    Reported IOCs

    pidprocess
    1732cmd.exe
  • Loads dropped DLL
    a2e5236b9facabd44e2291c6fe7289a1022f1a461db2894c99e3fc91c51e5c24.exe

    Reported IOCs

    pidprocess
    1096a2e5236b9facabd44e2291c6fe7289a1022f1a461db2894c99e3fc91c51e5c24.exe
    1096a2e5236b9facabd44e2291c6fe7289a1022f1a461db2894c99e3fc91c51e5c24.exe
  • Adds Run key to start application
    a2e5236b9facabd44e2291c6fe7289a1022f1a461db2894c99e3fc91c51e5c24.exe

    Tags

    TTPs

    Registry Run Keys / Startup FolderModify Registry

    Reported IOCs

    descriptioniocprocess
    Set value (str)\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"a2e5236b9facabd44e2291c6fe7289a1022f1a461db2894c99e3fc91c51e5c24.exe
  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    TTPs

    System Information Discovery
  • Runs ping.exe
    PING.EXE

    TTPs

    Remote System Discovery

    Reported IOCs

    pidprocess
    1772PING.EXE
  • Suspicious use of AdjustPrivilegeToken
    a2e5236b9facabd44e2291c6fe7289a1022f1a461db2894c99e3fc91c51e5c24.exe

    Reported IOCs

    descriptionpidprocess
    Token: SeIncBasePriorityPrivilege1096a2e5236b9facabd44e2291c6fe7289a1022f1a461db2894c99e3fc91c51e5c24.exe
  • Suspicious use of WriteProcessMemory
    a2e5236b9facabd44e2291c6fe7289a1022f1a461db2894c99e3fc91c51e5c24.execmd.exe

    Reported IOCs

    descriptionpidprocesstarget process
    PID 1096 wrote to memory of 16521096a2e5236b9facabd44e2291c6fe7289a1022f1a461db2894c99e3fc91c51e5c24.exeMediaCenter.exe
    PID 1096 wrote to memory of 16521096a2e5236b9facabd44e2291c6fe7289a1022f1a461db2894c99e3fc91c51e5c24.exeMediaCenter.exe
    PID 1096 wrote to memory of 16521096a2e5236b9facabd44e2291c6fe7289a1022f1a461db2894c99e3fc91c51e5c24.exeMediaCenter.exe
    PID 1096 wrote to memory of 16521096a2e5236b9facabd44e2291c6fe7289a1022f1a461db2894c99e3fc91c51e5c24.exeMediaCenter.exe
    PID 1096 wrote to memory of 17321096a2e5236b9facabd44e2291c6fe7289a1022f1a461db2894c99e3fc91c51e5c24.execmd.exe
    PID 1096 wrote to memory of 17321096a2e5236b9facabd44e2291c6fe7289a1022f1a461db2894c99e3fc91c51e5c24.execmd.exe
    PID 1096 wrote to memory of 17321096a2e5236b9facabd44e2291c6fe7289a1022f1a461db2894c99e3fc91c51e5c24.execmd.exe
    PID 1096 wrote to memory of 17321096a2e5236b9facabd44e2291c6fe7289a1022f1a461db2894c99e3fc91c51e5c24.execmd.exe
    PID 1732 wrote to memory of 17721732cmd.exePING.EXE
    PID 1732 wrote to memory of 17721732cmd.exePING.EXE
    PID 1732 wrote to memory of 17721732cmd.exePING.EXE
    PID 1732 wrote to memory of 17721732cmd.exePING.EXE
Processes 4
  • C:\Users\Admin\AppData\Local\Temp\a2e5236b9facabd44e2291c6fe7289a1022f1a461db2894c99e3fc91c51e5c24.exe
    "C:\Users\Admin\AppData\Local\Temp\a2e5236b9facabd44e2291c6fe7289a1022f1a461db2894c99e3fc91c51e5c24.exe"
    Loads dropped DLL
    Adds Run key to start application
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of WriteProcessMemory
    PID:1096
    • C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Executes dropped EXE
      PID:1652
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\a2e5236b9facabd44e2291c6fe7289a1022f1a461db2894c99e3fc91c51e5c24.exe"
      Deletes itself
      Suspicious use of WriteProcessMemory
      PID:1732
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1
        Runs ping.exe
        PID:1772
Network
MITRE ATT&CK Matrix
Collection
    Command and Control
      Credential Access
        Defense Evasion
        Discovery
        Execution
          Exfiltration
            Impact
              Initial Access
                Lateral Movement
                  Persistence
                  Privilege Escalation
                    Replay Monitor
                    00:00 00:00
                    Downloads

                    • C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

                      MD5

                      dcab89bff5bb009b7403d8a24b280c0c

                      SHA1

                      c0e6d6578766822f3a5b01a6807f31344eefaee6

                      SHA256

                      5403e7abacf526eb1b72835f8245dbc8477ba65dca6ba599061c59ed54081948

                      SHA512

                      b1ecf17af09f76599df5cde43caad3a11422a80521aa9bca150d55f0bb90f95e45e1b31822005ddd0944c903b59b33c7feca963d6f8b4cac5c5fa825d8177a19

                      Download Submit

                    • \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

                      MD5

                      dcab89bff5bb009b7403d8a24b280c0c

                      SHA1

                      c0e6d6578766822f3a5b01a6807f31344eefaee6

                      SHA256

                      5403e7abacf526eb1b72835f8245dbc8477ba65dca6ba599061c59ed54081948

                      SHA512

                      b1ecf17af09f76599df5cde43caad3a11422a80521aa9bca150d55f0bb90f95e45e1b31822005ddd0944c903b59b33c7feca963d6f8b4cac5c5fa825d8177a19

                      Download Submit

                    • \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

                      MD5

                      dcab89bff5bb009b7403d8a24b280c0c

                      SHA1

                      c0e6d6578766822f3a5b01a6807f31344eefaee6

                      SHA256

                      5403e7abacf526eb1b72835f8245dbc8477ba65dca6ba599061c59ed54081948

                      SHA512

                      b1ecf17af09f76599df5cde43caad3a11422a80521aa9bca150d55f0bb90f95e45e1b31822005ddd0944c903b59b33c7feca963d6f8b4cac5c5fa825d8177a19

                      Download Submit

                    • memory/1096-60-0x0000000075201000-0x0000000075203000-memory.dmp

                      Download

                    • memory/1652-63-0x0000000000000000-mapping.dmp

                      Download

                    • memory/1732-66-0x0000000000000000-mapping.dmp

                      Download

                    • memory/1772-67-0x0000000000000000-mapping.dmp

                      Download