Analysis
max time kernel: 142s
max time network: 142s
platform: windows10_x64
resource: win10-en-20211208
submitted: 22-01-2022 01:28
Static task: static1
Behavioral task: behavioral1
  Sample: b48dff9eb8b13b208541e454f04ad30dd0fbef9b9982e7194e80dadbc682c8fe.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: b48dff9eb8b13b208541e454f04ad30dd0fbef9b9982e7194e80dadbc682c8fe.exe
  Resource: win10-en-20211208
General
Target: b48dff9eb8b13b208541e454f04ad30dd0fbef9b9982e7194e80dadbc682c8fe.exe
Size: 89KB
MD5: 97479fa13d9b96da33cdb49749fc2baf
SHA1: 8a89a1cc1d9f7a1891e9523b80c21ac530554e66
SHA256: b48dff9eb8b13b208541e454f04ad30dd0fbef9b9982e7194e80dadbc682c8fe
SHA512: d6dd18a629e5f974132c80e83d3e033fb7fdbca026d101fa3dca9fb8270acc2efcbd9a360ee393fca42ea3e28d365165d523cb02b2d01a3ad05fec06667a8567
Malware Config
Signatures
Sakula Payload (2 IoCs)
  resource                                                       yara_rule
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe   family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe   family_sakula

Executes dropped EXE (1 IoC)
  pid    process
  4148   MediaCenter.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  process: b48dff9eb8b13b208541e454f04ad30dd0fbef9b9982e7194e80dadbc682c8fe.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTP, 1 IoC)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description                             pid    process
  Token: SeIncBasePriorityPrivilege       3448   b48dff9eb8b13b208541e454f04ad30dd0fbef9b9982e7194e80dadbc682c8fe.exe

Suspicious use of WriteProcessMemory (9 IoCs)
  description                         pid    process                                                                  target process
  PID 3448 wrote to memory of 4148    3448   b48dff9eb8b13b208541e454f04ad30dd0fbef9b9982e7194e80dadbc682c8fe.exe   MediaCenter.exe
  PID 3448 wrote to memory of 4148    3448   b48dff9eb8b13b208541e454f04ad30dd0fbef9b9982e7194e80dadbc682c8fe.exe   MediaCenter.exe
  PID 3448 wrote to memory of 4148    3448   b48dff9eb8b13b208541e454f04ad30dd0fbef9b9982e7194e80dadbc682c8fe.exe   MediaCenter.exe
  PID 3448 wrote to memory of 4340    3448   b48dff9eb8b13b208541e454f04ad30dd0fbef9b9982e7194e80dadbc682c8fe.exe   cmd.exe
  PID 3448 wrote to memory of 4340    3448   b48dff9eb8b13b208541e454f04ad30dd0fbef9b9982e7194e80dadbc682c8fe.exe   cmd.exe
  PID 3448 wrote to memory of 4340    3448   b48dff9eb8b13b208541e454f04ad30dd0fbef9b9982e7194e80dadbc682c8fe.exe   cmd.exe
  PID 4340 wrote to memory of 744     4340   cmd.exe                                                                  PING.EXE
  PID 4340 wrote to memory of 744     4340   cmd.exe                                                                  PING.EXE
  PID 4340 wrote to memory of 744     4340   cmd.exe                                                                  PING.EXE
Processes
C:\Users\Admin\AppData\Local\Temp\b48dff9eb8b13b208541e454f04ad30dd0fbef9b9982e7194e80dadbc682c8fe.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b48dff9eb8b13b208541e454f04ad30dd0fbef9b9982e7194e80dadbc682c8fe.exe"
  PID: 3448
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 4148
    - Executes dropped EXE
  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\b48dff9eb8b13b208541e454f04ad30dd0fbef9b9982e7194e80dadbc682c8fe.exe"
    PID: 4340
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 744
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
-
MD5: 8b910c0b427465d8a262cc1c17743b28
SHA1: 038488babfc5102bf9b0572caa99acb9dc50f17e
SHA256: d70eed34c5a69d399ac1644633572fb3d6c254fe057d786afc0f4abc09ebdf91
SHA512: 0e24950b693d8cf07f9798992157dd13ff95c40ba4af5e2d322bee488b235c9dc8f239e0b00ac5cc41f2da948df8fd1c286e693bb7bd39ccbe3d27c85face1d6
-
MD5: 8b910c0b427465d8a262cc1c17743b28
SHA1: 038488babfc5102bf9b0572caa99acb9dc50f17e
SHA256: d70eed34c5a69d399ac1644633572fb3d6c254fe057d786afc0f4abc09ebdf91
SHA512: 0e24950b693d8cf07f9798992157dd13ff95c40ba4af5e2d322bee488b235c9dc8f239e0b00ac5cc41f2da948df8fd1c286e693bb7bd39ccbe3d27c85face1d6