Analysis
- max time kernel: 122s
- max time network: 123s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 22-01-2022 00:00
Static task: static1
Behavioral task: behavioral1
  Sample: 48459e241cccaf0c4ada704f7f3dae691c89cd10a60f808d8d402a9df05448d5.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 48459e241cccaf0c4ada704f7f3dae691c89cd10a60f808d8d402a9df05448d5.exe
  Resource: win10-en-20211208
General
- Target: 48459e241cccaf0c4ada704f7f3dae691c89cd10a60f808d8d402a9df05448d5.exe
- Size: 89KB
- MD5: f349ee3706c815a79a60d2534284935d
- SHA1: 13ff314b0f85e4a5c76c2d332842b7a541dd2606
- SHA256: 48459e241cccaf0c4ada704f7f3dae691c89cd10a60f808d8d402a9df05448d5
- SHA512: dc017f851e92dce7c63183a98626579c72b60d5c283cf8d8abd0ccc0f227407a29c223bef5bc3f80cf23340013800584fd56630de78badd3cfd4716566877550
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- Executes dropped EXE (1 IoCs)
  Processes:
  pid | process
  3152 | MediaCenter.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 48459e241cccaf0c4ada704f7f3dae691c89cd10a60f808d8d402a9df05448d5.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 2680 | 48459e241cccaf0c4ada704f7f3dae691c89cd10a60f808d8d402a9df05448d5.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
  description | pid | process | target process
  PID 2680 wrote to memory of 3152 | 2680 | 48459e241cccaf0c4ada704f7f3dae691c89cd10a60f808d8d402a9df05448d5.exe | MediaCenter.exe
  PID 2680 wrote to memory of 3152 | 2680 | 48459e241cccaf0c4ada704f7f3dae691c89cd10a60f808d8d402a9df05448d5.exe | MediaCenter.exe
  PID 2680 wrote to memory of 3152 | 2680 | 48459e241cccaf0c4ada704f7f3dae691c89cd10a60f808d8d402a9df05448d5.exe | MediaCenter.exe
  PID 2680 wrote to memory of 2180 | 2680 | 48459e241cccaf0c4ada704f7f3dae691c89cd10a60f808d8d402a9df05448d5.exe | cmd.exe
  PID 2680 wrote to memory of 2180 | 2680 | 48459e241cccaf0c4ada704f7f3dae691c89cd10a60f808d8d402a9df05448d5.exe | cmd.exe
  PID 2680 wrote to memory of 2180 | 2680 | 48459e241cccaf0c4ada704f7f3dae691c89cd10a60f808d8d402a9df05448d5.exe | cmd.exe
  PID 2180 wrote to memory of 1060 | 2180 | cmd.exe | PING.EXE
  PID 2180 wrote to memory of 1060 | 2180 | cmd.exe | PING.EXE
  PID 2180 wrote to memory of 1060 | 2180 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\48459e241cccaf0c4ada704f7f3dae691c89cd10a60f808d8d402a9df05448d5.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\48459e241cccaf0c4ada704f7f3dae691c89cd10a60f808d8d402a9df05448d5.exe"
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2680
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 3152
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\48459e241cccaf0c4ada704f7f3dae691c89cd10a60f808d8d402a9df05448d5.exe"
    - Suspicious use of WriteProcessMemory
    PID: 2180
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1060
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 5b70502e0c9b8d83808806004b96945b
  SHA1: 1fb9337d6fc5cb9c55bde3ad7b532146719c3eb9
  SHA256: f593f6e31a358d4a8ca84c7a67e7727bd038e96e19830d15108a3a297ae9f351
  SHA512: 1a16933108f88ccbe7b5cff6206fe680c70725860493c18d7c9d3b1823d46dce21bf1d49b158cc5d6f5de9f1385996c6c205c8ddcf2cc9caf9d51e6435426d5c
- MD5: 5b70502e0c9b8d83808806004b96945b
  SHA1: 1fb9337d6fc5cb9c55bde3ad7b532146719c3eb9
  SHA256: f593f6e31a358d4a8ca84c7a67e7727bd038e96e19830d15108a3a297ae9f351
  SHA512: 1a16933108f88ccbe7b5cff6206fe680c70725860493c18d7c9d3b1823d46dce21bf1d49b158cc5d6f5de9f1385996c6c205c8ddcf2cc9caf9d51e6435426d5c