Analysis
- max time kernel: 164s
- max time network: 163s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 30-01-2022 21:49
Static task: static1
Behavioral task: behavioral1
  Sample: 57375c715fe06101d88029f3f54ad8e1059d55e1e886aa151ff38a5cbfa868fc.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 57375c715fe06101d88029f3f54ad8e1059d55e1e886aa151ff38a5cbfa868fc.exe
  Resource: win10-en-20211208
General
- Target: 57375c715fe06101d88029f3f54ad8e1059d55e1e886aa151ff38a5cbfa868fc.exe
- Size: 89KB
- MD5: 21ee6c85f431c2aa085b91ac0c86d27f
- SHA1: c2b9b78952575e8b6d4a66e9f31b611f10adc5e6
- SHA256: 57375c715fe06101d88029f3f54ad8e1059d55e1e886aa151ff38a5cbfa868fc
- SHA512: 4afd9a4f2c7ea67242da5d188afc48bbb05278bc0a3ad313807575a7a88590a777e4fe1d6104c3c197728d31fe31e0a0f31a3b03daf22eaa87a1c3c707f5318e
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  Processes:
    resource | yara_rule
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- Executes dropped EXE (1 IoC)
  Processes:
    pid | process
    2676 | MediaCenter.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    description | ioc | process
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 57375c715fe06101d88029f3f54ad8e1059d55e1e886aa151ff38a5cbfa868fc.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description | pid | process
    Token: SeIncBasePriorityPrivilege | 2400 | 57375c715fe06101d88029f3f54ad8e1059d55e1e886aa151ff38a5cbfa868fc.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
    description | pid | process | target process
    PID 2400 wrote to memory of 2676 | 2400 | 57375c715fe06101d88029f3f54ad8e1059d55e1e886aa151ff38a5cbfa868fc.exe | MediaCenter.exe (recorded 3 times)
    PID 2400 wrote to memory of 3816 | 2400 | 57375c715fe06101d88029f3f54ad8e1059d55e1e886aa151ff38a5cbfa868fc.exe | cmd.exe (recorded 3 times)
    PID 3816 wrote to memory of 988 | 3816 | cmd.exe | PING.EXE (recorded 3 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\57375c715fe06101d88029f3f54ad8e1059d55e1e886aa151ff38a5cbfa868fc.exe (PID 2400)
  Command line: "C:\Users\Admin\AppData\Local\Temp\57375c715fe06101d88029f3f54ad8e1059d55e1e886aa151ff38a5cbfa868fc.exe"
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 2676)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 3816)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\57375c715fe06101d88029f3f54ad8e1059d55e1e886aa151ff38a5cbfa868fc.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 988)
      Command line: ping 127.0.0.1
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: dfe89ded68409dc1d8ffa6eb82fb68ff
  SHA1: 34ba681dcc846507e55dfec59bd175ab07692833
  SHA256: 777a62c30cf7da22df2f3b53664f447453062a834b9043ba5354ab2a607534d3
  SHA512: 8ec547adb26a1fc610ed707309f0e4f063f74ce6015680bf741c484af04f50f07390260bce4ca665418069cd9d990a7ac00c6ebc65151a98494f2b2d12710846