Analysis
- max time kernel: 176s
- max time network: 191s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 21-01-2022 23:51
Static task: static1
Behavioral task: behavioral1
  Sample: 6b0b6bd87264f526e5e30e69ddcf644ff5bbccf927c90681c42a1f7d6a736ea3.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 6b0b6bd87264f526e5e30e69ddcf644ff5bbccf927c90681c42a1f7d6a736ea3.exe
  Resource: win10-en-20211208
General
- Target: 6b0b6bd87264f526e5e30e69ddcf644ff5bbccf927c90681c42a1f7d6a736ea3.exe
- Size: 89KB
- MD5: ff1d5c6a476a56eb7ca4e38b57761a4e
- SHA1: d28b488ba651777790f824385aaf0d9acf02c9c2
- SHA256: 6b0b6bd87264f526e5e30e69ddcf644ff5bbccf927c90681c42a1f7d6a736ea3
- SHA512: 6e63b9d03419b3a801de63ff5ccd04d5a32a5b554c988083038d292f2d7a23b692bf0bd5816a5d2507d27b59f41c538caa70ad4313292505107f6f7d7a56fcf4
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  Processes (resource, yara_rule):
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  family_sakula
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  family_sakula
- Executes dropped EXE (1 IoCs)
  Processes (pid, process):
  - 592  MediaCenter.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes (description, ioc, process):
  - Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  6b0b6bd87264f526e5e30e69ddcf644ff5bbccf927c90681c42a1f7d6a736ea3.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes (description, pid, process):
  - Token: SeIncBasePriorityPrivilege  3320  6b0b6bd87264f526e5e30e69ddcf644ff5bbccf927c90681c42a1f7d6a736ea3.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (description, pid, process, target process):
  - PID 3320 wrote to memory of 592  3320  6b0b6bd87264f526e5e30e69ddcf644ff5bbccf927c90681c42a1f7d6a736ea3.exe  MediaCenter.exe
  - PID 3320 wrote to memory of 592  3320  6b0b6bd87264f526e5e30e69ddcf644ff5bbccf927c90681c42a1f7d6a736ea3.exe  MediaCenter.exe
  - PID 3320 wrote to memory of 592  3320  6b0b6bd87264f526e5e30e69ddcf644ff5bbccf927c90681c42a1f7d6a736ea3.exe  MediaCenter.exe
  - PID 3320 wrote to memory of 3404  3320  6b0b6bd87264f526e5e30e69ddcf644ff5bbccf927c90681c42a1f7d6a736ea3.exe  cmd.exe
  - PID 3320 wrote to memory of 3404  3320  6b0b6bd87264f526e5e30e69ddcf644ff5bbccf927c90681c42a1f7d6a736ea3.exe  cmd.exe
  - PID 3320 wrote to memory of 3404  3320  6b0b6bd87264f526e5e30e69ddcf644ff5bbccf927c90681c42a1f7d6a736ea3.exe  cmd.exe
  - PID 3404 wrote to memory of 3184  3404  cmd.exe  PING.EXE
  - PID 3404 wrote to memory of 3184  3404  cmd.exe  PING.EXE
  - PID 3404 wrote to memory of 3184  3404  cmd.exe  PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\6b0b6bd87264f526e5e30e69ddcf644ff5bbccf927c90681c42a1f7d6a736ea3.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6b0b6bd87264f526e5e30e69ddcf644ff5bbccf927c90681c42a1f7d6a736ea3.exe"
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 3320
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 592
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\6b0b6bd87264f526e5e30e69ddcf644ff5bbccf927c90681c42a1f7d6a736ea3.exe"
    - Suspicious use of WriteProcessMemory
    PID: 3404
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 3184
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 63ef5cf2ffd6e322d3438159052ecd0e
  SHA1: 8c60ce1eb55b49fd43b0d8097afc934fd9e5d098
  SHA256: f41a4c671b7c6d9db6c026cc6d40eb1b36ea77c55f665870b3fc347a68a2f312
  SHA512: 8dcc91f5be939cdb9e3927e24eeaecb5e39a56acf1cc45c04d47209399442ab9d465ac27820542c20ef03423e6699ecb85a26aff0fb0d5e674f5af0d3e02f007