Analysis
- max time kernel: 141s
- max time network: 150s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 29-01-2022 19:21
Static task: static1
Behavioral task: behavioral1
- Sample: 2b4cc716ec23a095d831069968d951a125f40574775f466f4251c8a0a37abfca.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 2b4cc716ec23a095d831069968d951a125f40574775f466f4251c8a0a37abfca.exe
- Resource: win10-en-20211208
General
- Target: 2b4cc716ec23a095d831069968d951a125f40574775f466f4251c8a0a37abfca.exe
- Size: 320KB
- MD5: f25cc334809bd1c36fd94184177de8a4
- SHA1: 8a34521175b66e073ee34870263d55611b38b1da
- SHA256: 2b4cc716ec23a095d831069968d951a125f40574775f466f4251c8a0a37abfca
- SHA512: 65e782267c7b5ddaa21a9dfcfe2af4f9d92551022f99fc4052aa0294210bd1525d0efae01962a0e85398cc72b6c7b07e2e4e8f37575ffe464f2d340470e75983
Malware Config
Signatures
Sakula Payload (2 IoCs)
Processes:
  resource                                                       yara_rule
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe   family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe   family_sakula
Executes dropped EXE (1 IoC)
Processes:
  pid    process
  3748   MediaCenter.exe
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  description       ioc                                                                                                                                                                   process
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"   2b4cc716ec23a095d831069968d951a125f40574775f466f4251c8a0a37abfca.exe
The WOW6432Node path is the registry-redirected view of HKLM\...\Run, so a 32-bit process wrote this key on 64-bit Windows; being an HKLM Run value, MediaCenter.exe is launched at every interactive logon, and the value data points into a user-writable temp directory rather than Program Files.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
This sentence is the sandbox's generic description for the signature, not an assessment of this sample: the payload matched the family_sakula rule above, and nothing else in this report (no file encryption, no ransom note, no mass file writes) supports a ransomware reading, so treat the drive enumeration as reconnaissance by a backdoor rather than as ransomware.
Runs ping.exe (1 TTP, 1 IoC)
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  description                          pid    process
  Token: SeIncBasePriorityPrivilege    2760   2b4cc716ec23a095d831069968d951a125f40574775f466f4251c8a0a37abfca.exe
Suspicious use of WriteProcessMemory (9 IoCs)
Processes: 2b4cc716ec23a095d831069968d951a125f40574775f466f4251c8a0a37abfca.exe, cmd.exe
  description                         pid    process                                                                  target process   writes
  PID 2760 wrote to memory of 3748    2760   2b4cc716ec23a095d831069968d951a125f40574775f466f4251c8a0a37abfca.exe   MediaCenter.exe   3
  PID 2760 wrote to memory of 712     2760   2b4cc716ec23a095d831069968d951a125f40574775f466f4251c8a0a37abfca.exe   cmd.exe           3
  PID 712 wrote to memory of 1200     712    cmd.exe                                                                  PING.EXE          3
Every write goes from a parent into the child it has just created (compare the process tree below). Writes of that shape are also produced by ordinary process creation, so this signature on its own is weak evidence of injection; the persistence and self-deletion behaviour above is the stronger signal.
Processes
C:\Users\Admin\AppData\Local\Temp\2b4cc716ec23a095d831069968d951a125f40574775f466f4251c8a0a37abfca.exe  (PID 2760)
  command line: "C:\Users\Admin\AppData\Local\Temp\2b4cc716ec23a095d831069968d951a125f40574775f466f4251c8a0a37abfca.exe"
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  (PID 3748)
    command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  C:\Windows\SysWOW64\cmd.exe  (PID 712)
    command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\2b4cc716ec23a095d831069968d951a125f40574775f466f4251c8a0a37abfca.exe"
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\PING.EXE  (PID 1200)
      command line: ping 127.0.0.1
      - Runs ping.exe
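Two behaviours in this run are worth turning into detections: the Run-key value written under WOW6432Node that points at a dropped executable in the user's temp directory (the "Adds Run key" signature), and the cmd.exe child that chains "ping 127.0.0.1" (a delay that lets the caller exit) with "del /q" of the original sample (the self-deletion in the process tree). The following is an example added by the editor, not code from the sandbox or from the report: it runs both checks over constructed Sysmon-style events whose field names (EventID 13 for registry value set, EventID 1 for process create, TargetObject, Details, Image, ParentImage, CommandLine) and PIDs are assumptions modelled on Sysmon, alongside two benign look-alikes that must not fire.

```python
"""Constructed detection example (added by the editor, not part of the sandbox report).

Runs two checks over Sysmon-style events built inline to mirror this report:
  * Event ID 13 (registry value set): a Run/RunOnce value whose data points into a
    user-writable location such as %TEMP%, as the sample does when it registers
    MediaCenter.exe under the WOW6432Node Run key.
  * Event ID 1 (process create): cmd.exe chaining "ping 127.0.0.1" (a delay) with
    "del" of an executable, the self-deletion pattern in the process tree above.
The event dicts, field names and PIDs are assumptions modelled on Sysmon, not
records from the sandbox.
"""
import json
import re

RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.I)
# Locations an unprivileged user can write to; a Run value pointing here is a
# strong persistence signal whether or not the key lives under WOW6432Node.
USER_WRITABLE_RE = re.compile(
    r"\\(?:Users\\[^\\]+\\AppData\\(?:Local|Roaming)|ProgramData|Users\\Public|Windows\\Temp)\\", re.I
)
LOOPBACK_PING_RE = re.compile(r"^ping\b.*?\b(?:127\.0\.0\.1|localhost)\b", re.I)
DEL_RE = re.compile(r'^(?:del|erase)\b(?:\s+/\w+)*\s+"?([^"]+?)"?\s*$', re.I)


def check_run_key(event):
    """Flag a Run-key value whose target lives in a user-writable directory."""
    if event.get("EventID") != 13:
        return None
    key, value = event.get("TargetObject", ""), event.get("Details", "")
    if not (RUN_KEY_RE.search(key) and USER_WRITABLE_RE.search(value)):
        return None
    return {
        "rule": "run_key_user_writable_path",
        "pid": event.get("ProcessId"),
        "key": key,
        "value": value,
        # WOW6432Node means a 32-bit process wrote the key on 64-bit Windows.
        "wow64": "\\wow6432node\\" in key.lower(),
    }


def _cmd_segments(command_line):
    """Return the commands chained with & or && after cmd's /c switch."""
    m = re.search(r"\s/c\s+(.*)$", command_line, re.I | re.S)
    body = m.group(1) if m else command_line
    return [s.strip() for s in re.split(r"&&?", body) if s.strip()]


def check_self_delete(event):
    """Flag cmd.exe that pings loopback (waiting for its caller to exit) and then deletes an .exe."""
    if event.get("EventID") != 1 or not event.get("Image", "").lower().endswith("\\cmd.exe"):
        return None
    segments = _cmd_segments(event.get("CommandLine", ""))
    pings = [s for s in segments if LOOPBACK_PING_RE.match(s)]
    deleted = [m.group(1) for m in (DEL_RE.match(s) for s in segments) if m]
    deleted = [p for p in deleted if p.lower().endswith(".exe")]
    if not (pings and deleted):
        return None
    parent = event.get("ParentImage", "").lower()
    return {
        "rule": "cmd_ping_delay_then_delete",
        "pid": event.get("ProcessId"),
        "deleted": deleted,
        # The classic self-deletion case: the file being removed is the parent itself.
        "deletes_parent": any(p.lower() == parent for p in deleted),
    }


def scan(events):
    """Run both checks over a list of events and return the findings in event order."""
    findings = []
    for ev in events:
        for check in (check_run_key, check_self_delete):
            hit = check(ev)
            if hit:
                findings.append(hit)
    return findings


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\2b4cc716ec23a095d831069968d951a125f40574775f466f4251c8a0a37abfca.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

# Constructed events: two that mirror the report, two benign look-alikes.
SAMPLE_EVENTS = [
    {"EventID": 13, "ProcessId": 2760, "Image": SAMPLE,
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "Details": DROPPED},
    {"EventID": 13, "ProcessId": 4100, "Image": r"C:\Program Files\Vendor\Setup.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "Details": r"C:\Program Files\Vendor\Updater.exe"},
    {"EventID": 1, "ProcessId": 712, "Image": r"C:\Windows\SysWOW64\cmd.exe", "ParentImage": SAMPLE,
     "CommandLine": f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"'},
    {"EventID": 1, "ProcessId": 5212, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "cmd /c ping 8.8.8.8 & echo done"},
]

if __name__ == "__main__":
    print(json.dumps(scan(SAMPLE_EVENTS), indent=2))
```

The self-deletion check deliberately keys on the combination (loopback ping followed by del of an .exe in one cmd /c chain) rather than on ping.exe alone, which fires constantly in normal use; the deletes_parent flag separates the strongest case, where the deleted file is the process that spawned cmd.exe, from a generic cleanup script. The Run-key check ignores values under Program Files so that legitimate installers do not alert, and records whether the key was the WOW6432Node view so an analyst knows to look for a 32-bit binary.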
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 1d90104d03a89539cc022e0636a1cfdc
- SHA1: bce1761eb4070786e6b407080a71df6b53af4c28
- SHA256: 8dbb2dfe50f2ee6b090a67fa820aab2866ad5680ff623f9ab0f5ed04233e3e59
- SHA512: e5cd4221b9e3a3a0c4c9bcfa861a13434af6b4ae19d56021146d7c78531242fd812fdfa4e112155f7921f0a8ad6d3e80e3fc083bb6a1a3279ffded9b064c3810