Analysis
max time kernel: 143s
max time network: 143s
platform: windows10_x64
resource: win10-en-20211208
submitted: 22-01-2022 00:03
Static task: static1
Behavioral task: behavioral1
  Sample: 0077d0dd944fa58b096712a8736906ce84f1bd11c368dcceb51333de51ba7ab4.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0077d0dd944fa58b096712a8736906ce84f1bd11c368dcceb51333de51ba7ab4.exe
  Resource: win10-en-20211208
General
Target: 0077d0dd944fa58b096712a8736906ce84f1bd11c368dcceb51333de51ba7ab4.exe
Size: 89KB
MD5: f06b0ee07daa7f914dec27f98a6d8850
SHA1: abd40af6745f6cfa51210f88beafa6e0d4340b99
SHA256: 0077d0dd944fa58b096712a8736906ce84f1bd11c368dcceb51333de51ba7ab4
SHA512: fdb0a5adb5331aa6f482440c77b8a4e61333f6e08fe358247a3570084aebe66f742630bd4fde126368577149e0a51181956d37162cae09528b984ae3e8b9962d
Malware Config
Signatures
Sakula Payload 2 IoCs
Processes:
  resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  yara_rule: family_sakula
  resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  yara_rule: family_sakula
Executes dropped EXE 1 IoCs
Processes:
  pid: 2580  process: MediaCenter.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
  process: 0077d0dd944fa58b096712a8736906ce84f1bd11c368dcceb51333de51ba7ab4.exe
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
The WOW6432Node path is registry redirection: the 32-bit sample wrote HKLM\...\CurrentVersion\Run, and on the x64 image that lands in the 32-bit view, which is still processed at logon. The value points at the dropped payload under %TEMP%, so it survives the self-deletion of the original sample below.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
(This second sentence is the sandbox's generic description for the signature. Nothing else in this report supports a ransomware reading; the YARA hit on the dropped file is the Sakula family rule.)
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
  process: 0077d0dd944fa58b096712a8736906ce84f1bd11c368dcceb51333de51ba7ab4.exe  pid: 3176  description: Token: SeIncBasePriorityPrivilege
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
  PID 3176 wrote to memory of 2580  (0077d0dd944fa58b096712a8736906ce84f1bd11c368dcceb51333de51ba7ab4.exe -> MediaCenter.exe)
  PID 3176 wrote to memory of 2580  (0077d0dd944fa58b096712a8736906ce84f1bd11c368dcceb51333de51ba7ab4.exe -> MediaCenter.exe)
  PID 3176 wrote to memory of 2580  (0077d0dd944fa58b096712a8736906ce84f1bd11c368dcceb51333de51ba7ab4.exe -> MediaCenter.exe)
  PID 3176 wrote to memory of 740   (0077d0dd944fa58b096712a8736906ce84f1bd11c368dcceb51333de51ba7ab4.exe -> cmd.exe)
  PID 3176 wrote to memory of 740   (0077d0dd944fa58b096712a8736906ce84f1bd11c368dcceb51333de51ba7ab4.exe -> cmd.exe)
  PID 3176 wrote to memory of 740   (0077d0dd944fa58b096712a8736906ce84f1bd11c368dcceb51333de51ba7ab4.exe -> cmd.exe)
  PID 740 wrote to memory of 1540   (cmd.exe -> PING.EXE)
  PID 740 wrote to memory of 1540   (cmd.exe -> PING.EXE)
  PID 740 wrote to memory of 1540   (cmd.exe -> PING.EXE)
Processes
1. C:\Users\Admin\AppData\Local\Temp\0077d0dd944fa58b096712a8736906ce84f1bd11c368dcceb51333de51ba7ab4.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\0077d0dd944fa58b096712a8736906ce84f1bd11c368dcceb51333de51ba7ab4.exe"
   PID: 3176
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      PID: 2580
      - Executes dropped EXE
   2. C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0077d0dd944fa58b096712a8736906ce84f1bd11c368dcceb51333de51ba7ab4.exe"
      PID: 740
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\PING.EXE
         command line: ping 127.0.0.1
         PID: 1540
         - Runs ping.exe
The command line names System32\cmd.exe but the image on disk is SysWOW64\cmd.exe: that is WoW64 file-system redirection, so the sample is a 32-bit binary running on the x64 image. The cmd.exe line is the common self-deletion idiom: ping 127.0.0.1 acts as a short sleep until the dropper has exited and released its file handle, then del /q removes the original sample, leaving only the persisted MediaCenter.exe.
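The process tree above shows the dropper's three moves in order: drop MediaCenter.exe under %TEMP% and run it, register it under a Run key, then hand off to cmd.exe to delete the original sample after a ping 127.0.0.1 delay. The following Python is an added example, not part of the sandbox report and not code from the Sakula sample, that encodes those three behaviours as detection rules and runs them over constructed process-creation and registry events modelled on the tree. The event schema (type, pid, ppid, image, cmdline, key, data) is an assumed Sysmon-like layout, and the trailing benign cmd.exe event is a constructed control that must not fire.

```python
import re

# --- constructed input -------------------------------------------------------
# Sysmon-like events modelled on the process tree and Run-key write in the
# report above. Field names are an assumed schema for this example, not
# sandbox output. The last event is a constructed benign control.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\0077d0dd944fa58b096712a8736906ce84f1bd11c368dcceb51333de51ba7ab4.exe")
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
RUN_KEY = (r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows"
           r"\CurrentVersion\Run\MicroMedia")

EVENTS = [
    {"type": "process", "pid": 3176, "ppid": 1, "image": SAMPLE,
     "cmdline": '"' + SAMPLE + '"'},
    {"type": "registry", "pid": 3176, "image": SAMPLE, "key": RUN_KEY, "data": DROPPED},
    {"type": "process", "pid": 2580, "ppid": 3176, "image": DROPPED, "cmdline": DROPPED},
    {"type": "process", "pid": 740, "ppid": 3176,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "' + SAMPLE + '"'},
    {"type": "process", "pid": 1540, "ppid": 740,
     "image": r"C:\Windows\SysWOW64\PING.EXE", "cmdline": "ping 127.0.0.1"},
    # benign control: an unrelated file deleted via cmd, no ping, parent unknown
    {"type": "process", "pid": 900, "ppid": 1,
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c del /q "C:\logs\old.log"'},
]

# --- patterns ---------------------------------------------------------------
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.IGNORECASE)
# `del [/switches] "<path>"` as the last command of a cmd /c chain
DEL_RE = re.compile(r'\bdel\b(?:\s+/\w+)*\s+"?([^"&]+?)"?\s*$', re.IGNORECASE)
# ping to loopback used purely as a sleep before the del
PING_DELAY_RE = re.compile(r"\bping\b[^&|]*(?:127\.0\.0\.1|localhost)", re.IGNORECASE)


def _processes(events):
    return {e["pid"]: e for e in events if e["type"] == "process"}


def find_self_deletion(events):
    """cmd.exe whose `del` target is its own parent's image, i.e. the dropper
    erasing itself. Returns (cmd_pid, parent_pid, target, used_ping_delay)."""
    procs = _processes(events)
    hits = []
    for e in procs.values():
        if not e["image"].lower().endswith("\\cmd.exe"):
            continue
        m = DEL_RE.search(e["cmdline"])
        parent = procs.get(e["ppid"])
        if m is None or parent is None:
            continue
        target = m.group(1).strip().lower()
        if target == parent["image"].lower():
            delayed = PING_DELAY_RE.search(e["cmdline"]) is not None
            hits.append((e["pid"], parent["pid"], target, delayed))
    return hits


def find_temp_run_keys(events):
    """Run/RunOnce value whose data points into %TEMP%.
    Returns (pid, key, data, written_via_wow6432node)."""
    hits = []
    for e in events:
        if e["type"] != "registry":
            continue
        if RUN_KEY_RE.search(e["key"]) and TEMP_RE.search(e["data"]):
            hits.append((e["pid"], e["key"], e["data"], "wow6432node" in e["key"].lower()))
    return hits


def find_temp_drop_and_exec(events):
    """Process started from %TEMP% by a parent that also runs from %TEMP%
    (dropper -> payload). Returns (parent_pid, child_pid, child_image)."""
    procs = _processes(events)
    hits = []
    for e in procs.values():
        parent = procs.get(e["ppid"])
        if parent and TEMP_RE.search(e["image"]) and TEMP_RE.search(parent["image"]):
            hits.append((parent["pid"], e["pid"], e["image"]))
    return hits


def triage(events):
    """Run all three rules; returns [(rule_name, pid), ...] in rule order."""
    findings = []
    for pid, _key, _data, _wow in find_temp_run_keys(events):
        findings.append(("temp_run_key", pid))
    for _parent_pid, child_pid, _image in find_temp_drop_and_exec(events):
        findings.append(("temp_drop_and_exec", child_pid))
    for cmd_pid, _parent_pid, _target, _delayed in find_self_deletion(events):
        findings.append(("self_deletion", cmd_pid))
    return findings


if __name__ == "__main__":
    for rule, pid in triage(EVENTS):
        print(f"{rule:20s} pid={pid}")
```

The self-deletion rule keys on the `del` target being exactly the parent's image path, so an ordinary `cmd /c del` of some other file (the pid 900 control) does not fire; the ping is recorded as a flag rather than required, because `timeout`, `choice` or a `waitfor` loop serve the same sleep purpose in other droppers. The Run-key rule also reports whether the write went through WOW6432Node, which on an x64 host is the tell that the writer is a 32-bit process.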
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: 96aa5c02089a5dea4e10fbc6c52cf311
SHA1: a0a6ce28b64bdfc724787d2178f1599d5409c123
SHA256: 58d60196f68be6ef3fa93da53e0b03ccdd083c71855e905e62d08644f159bc3d
SHA512: 486cbe21fc79a23f5fd7b678efbdfd4854f7929a9fd034f2e9526534e0739941570ab5e027c05b6f30733742b158439008e6f92417cdee5d94c3e2c0ffd04359