Analysis
- max time kernel: 129s
- max time network: 129s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 22-01-2022 01:35
Static task: static1
Behavioral task: behavioral1
  Sample: ebe46601e7afaa00a58df26f01d668a07145b0c5a3c642f728db125c8be632fd.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: ebe46601e7afaa00a58df26f01d668a07145b0c5a3c642f728db125c8be632fd.exe
  Resource: win10-en-20211208
General
- Target: ebe46601e7afaa00a58df26f01d668a07145b0c5a3c642f728db125c8be632fd.exe
- Size: 89KB
- MD5: 91569c57fc342161c479603f3b527c1d
- SHA1: 14c7a1661620f46c2943fa1ad522631638569b37
- SHA256: ebe46601e7afaa00a58df26f01d668a07145b0c5a3c642f728db125c8be632fd
- SHA512: f34fa95e96e774ec90222b042549b2e72f0a792a6c6cad550ba48ac0ba1740b8a5f8f15bab9e9759ba4c5648b3aa759b35d6f1b726893d5130f17f7502eff1d5
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  Processes:
    resource | yara_rule
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- Executes dropped EXE (1 IoCs)
  Processes: MediaCenter.exe
    pid | process
    3400 | MediaCenter.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes: ebe46601e7afaa00a58df26f01d668a07145b0c5a3c642f728db125c8be632fd.exe
    description | ioc | process
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | ebe46601e7afaa00a58df26f01d668a07145b0c5a3c642f728db125c8be632fd.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: ebe46601e7afaa00a58df26f01d668a07145b0c5a3c642f728db125c8be632fd.exe
    description | pid | process
    Token: SeIncBasePriorityPrivilege | 348 | ebe46601e7afaa00a58df26f01d668a07145b0c5a3c642f728db125c8be632fd.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: ebe46601e7afaa00a58df26f01d668a07145b0c5a3c642f728db125c8be632fd.exe, cmd.exe
    description | pid | process | target process
    PID 348 wrote to memory of 3400 | 348 | ebe46601e7afaa00a58df26f01d668a07145b0c5a3c642f728db125c8be632fd.exe | MediaCenter.exe
    PID 348 wrote to memory of 3400 | 348 | ebe46601e7afaa00a58df26f01d668a07145b0c5a3c642f728db125c8be632fd.exe | MediaCenter.exe
    PID 348 wrote to memory of 3400 | 348 | ebe46601e7afaa00a58df26f01d668a07145b0c5a3c642f728db125c8be632fd.exe | MediaCenter.exe
    PID 348 wrote to memory of 4368 | 348 | ebe46601e7afaa00a58df26f01d668a07145b0c5a3c642f728db125c8be632fd.exe | cmd.exe
    PID 348 wrote to memory of 4368 | 348 | ebe46601e7afaa00a58df26f01d668a07145b0c5a3c642f728db125c8be632fd.exe | cmd.exe
    PID 348 wrote to memory of 4368 | 348 | ebe46601e7afaa00a58df26f01d668a07145b0c5a3c642f728db125c8be632fd.exe | cmd.exe
    PID 4368 wrote to memory of 4412 | 4368 | cmd.exe | PING.EXE
    PID 4368 wrote to memory of 4412 | 4368 | cmd.exe | PING.EXE
    PID 4368 wrote to memory of 4412 | 4368 | cmd.exe | PING.EXE
Processes
- [depth 1] C:\Users\Admin\AppData\Local\Temp\ebe46601e7afaa00a58df26f01d668a07145b0c5a3c642f728db125c8be632fd.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ebe46601e7afaa00a58df26f01d668a07145b0c5a3c642f728db125c8be632fd.exe"
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 348
  - [depth 2] C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 3400
  - [depth 2] C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\ebe46601e7afaa00a58df26f01d668a07145b0c5a3c642f728db125c8be632fd.exe"
    - Suspicious use of WriteProcessMemory
    PID: 4368
    - [depth 3] C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 4412
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 980cc6f08bfcd0721374e8ab34e8d1ee
  SHA1: c4938a6b742bef4649691f6208ce7ff7c0cdcd21
  SHA256: 13893d66ef6121ebd93f0f0c9265165a325dc4eb7e06d879e5982a44b49d2737
  SHA512: b341f9543ed31b8e226790ca528bbcd844b01c683d8e611f1c580f985f5d9b3d7465f885411db5d983e3adade426d1d7cf3ac340597fc8ad72e7f6ca35459cbc