Analysis
max time kernel: 134s
max time network: 134s
platform: windows10_x64
resource: win10-en-20211208
submitted: 21-01-2022 23:59
Static task: static1
Behavioral task: behavioral1
Sample: 565b480e76c25f91d6762d5dcbfd4a9a2e8b6775ee50c9e2aa0682bdc1950594.exe
Resource: win7-en-20211208
Behavioral task: behavioral2
Sample: 565b480e76c25f91d6762d5dcbfd4a9a2e8b6775ee50c9e2aa0682bdc1950594.exe
Resource: win10-en-20211208
General
Target: 565b480e76c25f91d6762d5dcbfd4a9a2e8b6775ee50c9e2aa0682bdc1950594.exe
Size: 89KB
MD5: f5b9862f2d508c57b81fbaaad91030f4
SHA1: 400b5d4cd225e35b9199b0da33cb7e5b4c729e5c
SHA256: 565b480e76c25f91d6762d5dcbfd4a9a2e8b6775ee50c9e2aa0682bdc1950594
SHA512: f13bcf6118616c00501b2ccdd8c238241feb925b3a7ab46a5470e77f67f7080c0fbc813236dc97ef5b1f2da389d61502b7e0ee09b7a1fb0acf278a17f758d491
Malware Config
Signatures

Sakula Payload (2 IoCs)
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula

Executes dropped EXE (1 IoCs)
Processes:
pid | process
2468 | MediaCenter.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 565b480e76c25f91d6762d5dcbfd4a9a2e8b6775ee50c9e2aa0682bdc1950594.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTPs, 1 IoCs)

Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes:
description | pid | process
Token: SeIncBasePriorityPrivilege | 2188 | 565b480e76c25f91d6762d5dcbfd4a9a2e8b6775ee50c9e2aa0682bdc1950594.exe

Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
description | pid | process | target process
PID 2188 wrote to memory of 2468 | 2188 | 565b480e76c25f91d6762d5dcbfd4a9a2e8b6775ee50c9e2aa0682bdc1950594.exe | MediaCenter.exe
PID 2188 wrote to memory of 2468 | 2188 | 565b480e76c25f91d6762d5dcbfd4a9a2e8b6775ee50c9e2aa0682bdc1950594.exe | MediaCenter.exe
PID 2188 wrote to memory of 2468 | 2188 | 565b480e76c25f91d6762d5dcbfd4a9a2e8b6775ee50c9e2aa0682bdc1950594.exe | MediaCenter.exe
PID 2188 wrote to memory of 3744 | 2188 | 565b480e76c25f91d6762d5dcbfd4a9a2e8b6775ee50c9e2aa0682bdc1950594.exe | cmd.exe
PID 2188 wrote to memory of 3744 | 2188 | 565b480e76c25f91d6762d5dcbfd4a9a2e8b6775ee50c9e2aa0682bdc1950594.exe | cmd.exe
PID 2188 wrote to memory of 3744 | 2188 | 565b480e76c25f91d6762d5dcbfd4a9a2e8b6775ee50c9e2aa0682bdc1950594.exe | cmd.exe
PID 3744 wrote to memory of 1156 | 3744 | cmd.exe | PING.EXE
PID 3744 wrote to memory of 1156 | 3744 | cmd.exe | PING.EXE
PID 3744 wrote to memory of 1156 | 3744 | cmd.exe | PING.EXE
Processes

1. C:\Users\Admin\AppData\Local\Temp\565b480e76c25f91d6762d5dcbfd4a9a2e8b6775ee50c9e2aa0682bdc1950594.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\565b480e76c25f91d6762d5dcbfd4a9a2e8b6775ee50c9e2aa0682bdc1950594.exe"
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   PID: 2188

   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE
      PID: 2468

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\565b480e76c25f91d6762d5dcbfd4a9a2e8b6775ee50c9e2aa0682bdc1950594.exe"
      - Suspicious use of WriteProcessMemory
      PID: 3744

      3. C:\Windows\SysWOW64\PING.EXE
         Command line: ping 127.0.0.1
         - Runs ping.exe
         PID: 1156
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: 2615e5e63ea7e9ff917ad18bc4d92465
SHA1: 5404299e82f5ec207c2004d1bc275f01847369da
SHA256: f930b0e8635c999c7b09a18db64eb442052e1c1584c2d2d2b4df4008cfda63e3
SHA512: b11d08023986eb84f8f75a4dd2a6211bb3a2763f7972e829e72f7c70931b6ffcad6c69e70cdfbce6c3c51c2794a3063f40d49a0f3ba7c4df67482eaf47767fbf