Analysis
- max time kernel: 164s
- max time network: 162s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 30-01-2022 22:47
Static task: static1
Behavioral task: behavioral1
  Sample: 7196802e1634b56f2dda7f5c63bd4698f9084e832630ec4c2cefa8884fe023a8.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 7196802e1634b56f2dda7f5c63bd4698f9084e832630ec4c2cefa8884fe023a8.exe
  Resource: win10-en-20211208
General
- Target: 7196802e1634b56f2dda7f5c63bd4698f9084e832630ec4c2cefa8884fe023a8.exe
- Size: 79KB
- MD5: bb57362757182b928d66d4963104ffe8
- SHA1: 1973a05e8f4cdc69fcfd4cbadf80587ea701d0e4
- SHA256: 7196802e1634b56f2dda7f5c63bd4698f9084e832630ec4c2cefa8884fe023a8
- SHA512: d5b58deaaa121789ad0452aa7da2f6810ed7035e9b51cfbc11bfae13d6f1eca2255b99ba0a902c4129455cb446e0d438d0abd56ca4e24f891ae492d0570e2a5f
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- Executes dropped EXE (1 IoC)
  Processes:
  pid | process
  3676 | MediaCenter.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 7196802e1634b56f2dda7f5c63bd4698f9084e832630ec4c2cefa8884fe023a8.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 3500 | 7196802e1634b56f2dda7f5c63bd4698f9084e832630ec4c2cefa8884fe023a8.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
  description | pid | process | target process
  PID 3500 wrote to memory of 3676 | 3500 | 7196802e1634b56f2dda7f5c63bd4698f9084e832630ec4c2cefa8884fe023a8.exe | MediaCenter.exe
  PID 3500 wrote to memory of 3676 | 3500 | 7196802e1634b56f2dda7f5c63bd4698f9084e832630ec4c2cefa8884fe023a8.exe | MediaCenter.exe
  PID 3500 wrote to memory of 3676 | 3500 | 7196802e1634b56f2dda7f5c63bd4698f9084e832630ec4c2cefa8884fe023a8.exe | MediaCenter.exe
  PID 3500 wrote to memory of 4196 | 3500 | 7196802e1634b56f2dda7f5c63bd4698f9084e832630ec4c2cefa8884fe023a8.exe | cmd.exe
  PID 3500 wrote to memory of 4196 | 3500 | 7196802e1634b56f2dda7f5c63bd4698f9084e832630ec4c2cefa8884fe023a8.exe | cmd.exe
  PID 3500 wrote to memory of 4196 | 3500 | 7196802e1634b56f2dda7f5c63bd4698f9084e832630ec4c2cefa8884fe023a8.exe | cmd.exe
  PID 4196 wrote to memory of 4156 | 4196 | cmd.exe | PING.EXE
  PID 4196 wrote to memory of 4156 | 4196 | cmd.exe | PING.EXE
  PID 4196 wrote to memory of 4156 | 4196 | cmd.exe | PING.EXE
Processes
- Image: C:\Users\Admin\AppData\Local\Temp\7196802e1634b56f2dda7f5c63bd4698f9084e832630ec4c2cefa8884fe023a8.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\7196802e1634b56f2dda7f5c63bd4698f9084e832630ec4c2cefa8884fe023a8.exe"
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 3500
  - Image: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 3676
  - Image: C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\7196802e1634b56f2dda7f5c63bd4698f9084e832630ec4c2cefa8884fe023a8.exe"
    - Suspicious use of WriteProcessMemory
    PID: 4196
    - Image: C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 4156
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 38c63b6281db945165ca2185fb57d08b
  SHA1: 435da213cc420b3ac1dd3f4058db9566d061a963
  SHA256: 3ae0ff0fa4c9264339293f23182309214fcd050577c3ddddec0f77aadef6380d
  SHA512: 7d5c7918ad67dc9aa13f36d4ff4f88040317eb8f14bdb15a35996e6e88cdc7f3ce797cd55afe0b44b096bbca139ebfe63fb13f189fb8b2effb47c93f449ef88f