Analysis

max time kernel: 145s
max time network: 171s
platform: windows10_x64
resource: win10-en-20211208
submitted: 22-01-2022 00:01
Static task: static1

Behavioral task: behavioral1
  Sample: 5237b0fdd9522d8e5ea6de336d4cc24daeb5823454f9b5d42d16a4656ef8f114.exe
  Resource: win7-en-20211208

Behavioral task: behavioral2
  Sample: 5237b0fdd9522d8e5ea6de336d4cc24daeb5823454f9b5d42d16a4656ef8f114.exe
  Resource: win10-en-20211208
General

Target: 5237b0fdd9522d8e5ea6de336d4cc24daeb5823454f9b5d42d16a4656ef8f114.exe
Size: 89KB
MD5: f2d59757a9795531796df91097d5fa2b
SHA1: 42c647d83abe1e5438b8176b9e90db08282a8bbb
SHA256: 5237b0fdd9522d8e5ea6de336d4cc24daeb5823454f9b5d42d16a4656ef8f114
SHA512: 5d8b65b4654bfbcf4b507c376a762d2182a5394e0e4f7474bdc490eff74710f260486e469a9952ebce9300f28c879531411c28f6fcb96cf9d5e08646beae9a67
Malware Config
Signatures

Sakula Payload (2 IoCs)
Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula

Executes dropped EXE (1 IoCs)
Processes:
  pid | process
  768 | MediaCenter.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 5237b0fdd9522d8e5ea6de336d4cc24daeb5823454f9b5d42d16a4656ef8f114.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTPs, 1 IoCs)

Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes:
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 2324 | 5237b0fdd9522d8e5ea6de336d4cc24daeb5823454f9b5d42d16a4656ef8f114.exe

Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
  description | pid | process | target process
  PID 2324 wrote to memory of 768 | 2324 | 5237b0fdd9522d8e5ea6de336d4cc24daeb5823454f9b5d42d16a4656ef8f114.exe | MediaCenter.exe
  PID 2324 wrote to memory of 768 | 2324 | 5237b0fdd9522d8e5ea6de336d4cc24daeb5823454f9b5d42d16a4656ef8f114.exe | MediaCenter.exe
  PID 2324 wrote to memory of 768 | 2324 | 5237b0fdd9522d8e5ea6de336d4cc24daeb5823454f9b5d42d16a4656ef8f114.exe | MediaCenter.exe
  PID 2324 wrote to memory of 3604 | 2324 | 5237b0fdd9522d8e5ea6de336d4cc24daeb5823454f9b5d42d16a4656ef8f114.exe | cmd.exe
  PID 2324 wrote to memory of 3604 | 2324 | 5237b0fdd9522d8e5ea6de336d4cc24daeb5823454f9b5d42d16a4656ef8f114.exe | cmd.exe
  PID 2324 wrote to memory of 3604 | 2324 | 5237b0fdd9522d8e5ea6de336d4cc24daeb5823454f9b5d42d16a4656ef8f114.exe | cmd.exe
  PID 3604 wrote to memory of 4012 | 3604 | cmd.exe | PING.EXE
  PID 3604 wrote to memory of 4012 | 3604 | cmd.exe | PING.EXE
  PID 3604 wrote to memory of 4012 | 3604 | cmd.exe | PING.EXE
Processes

1. C:\Users\Admin\AppData\Local\Temp\5237b0fdd9522d8e5ea6de336d4cc24daeb5823454f9b5d42d16a4656ef8f114.exe
   cmdline: "C:\Users\Admin\AppData\Local\Temp\5237b0fdd9522d8e5ea6de336d4cc24daeb5823454f9b5d42d16a4656ef8f114.exe"
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   PID: 2324

   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      cmdline: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE
      PID: 768

   2. C:\Windows\SysWOW64\cmd.exe
      cmdline: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\5237b0fdd9522d8e5ea6de336d4cc24daeb5823454f9b5d42d16a4656ef8f114.exe"
      - Suspicious use of WriteProcessMemory
      PID: 3604

      3. C:\Windows\SysWOW64\PING.EXE
         cmdline: ping 127.0.0.1
         - Runs ping.exe
         PID: 4012
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: a6e055672c249f87f5fdf32b98f1881d
SHA1: 04d3e59791c76442c3476a63183cf2547125f459
SHA256: de80b040f4bedaf82c143fec212e226f8dc8c8a639896e9e07db9c155f47fd15
SHA512: a76f89aa8c2c19fbf36409e95cf88c1f1dbf48122b01f70cf68199ee4804a10bf2a23a0974560cb92eea983957bbe1d966fcd641bd8d9a8bac0ecd275ef988be