Analysis
max time kernel: 138s
max time network: 153s
platform: windows10_x64
resource: win10-en-20211208
submitted: 30-01-2022 22:48
Static task: static1
Behavioral task: behavioral1
  Sample: aae00d6fbdae1f415927ca95f3451032b3cab7384a5aab5b087ebd8601942d80.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: aae00d6fbdae1f415927ca95f3451032b3cab7384a5aab5b087ebd8601942d80.exe
  Resource: win10-en-20211208
General
Target: aae00d6fbdae1f415927ca95f3451032b3cab7384a5aab5b087ebd8601942d80.exe
Size: 79KB
MD5: b7e3f853e98ea9db74bf3429803f7a4b
SHA1: 9076608ecf15dbd0fdff609c51842e38479dc55e
SHA256: aae00d6fbdae1f415927ca95f3451032b3cab7384a5aab5b087ebd8601942d80
SHA512: 9b76ebef8b6eaec4464393f811b5715987b3530b2f119f7bef017a5f9896a6407417185bf54c21813f6e87dc5905cb39ba9adb533de64c08462a16e2c8207fe6
Malware Config
Signatures

Sakula Payload (2 IoCs)
Processes:
  resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | yara_rule: family_sakula
  resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | yara_rule: family_sakula

Executes dropped EXE (1 IoCs)
Processes:
  pid: 2740 | process: MediaCenter.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
Processes:
  description: Set value (str) | ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | process: aae00d6fbdae1f415927ca95f3451032b3cab7384a5aab5b087ebd8601942d80.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTPs, 1 IoCs)

Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes:
  description: Token: SeIncBasePriorityPrivilege | pid: 2356 | process: aae00d6fbdae1f415927ca95f3451032b3cab7384a5aab5b087ebd8601942d80.exe

Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
  description | pid | process | target process
  PID 2356 wrote to memory of 2740 | 2356 | aae00d6fbdae1f415927ca95f3451032b3cab7384a5aab5b087ebd8601942d80.exe | MediaCenter.exe
  PID 2356 wrote to memory of 2740 | 2356 | aae00d6fbdae1f415927ca95f3451032b3cab7384a5aab5b087ebd8601942d80.exe | MediaCenter.exe
  PID 2356 wrote to memory of 2740 | 2356 | aae00d6fbdae1f415927ca95f3451032b3cab7384a5aab5b087ebd8601942d80.exe | MediaCenter.exe
  PID 2356 wrote to memory of 504 | 2356 | aae00d6fbdae1f415927ca95f3451032b3cab7384a5aab5b087ebd8601942d80.exe | cmd.exe
  PID 2356 wrote to memory of 504 | 2356 | aae00d6fbdae1f415927ca95f3451032b3cab7384a5aab5b087ebd8601942d80.exe | cmd.exe
  PID 2356 wrote to memory of 504 | 2356 | aae00d6fbdae1f415927ca95f3451032b3cab7384a5aab5b087ebd8601942d80.exe | cmd.exe
  PID 504 wrote to memory of 3308 | 504 | cmd.exe | PING.EXE
  PID 504 wrote to memory of 3308 | 504 | cmd.exe | PING.EXE
  PID 504 wrote to memory of 3308 | 504 | cmd.exe | PING.EXE
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\aae00d6fbdae1f415927ca95f3451032b3cab7384a5aab5b087ebd8601942d80.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\aae00d6fbdae1f415927ca95f3451032b3cab7384a5aab5b087ebd8601942d80.exe"
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2356

  Level 2: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 2740

  Level 2: C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\aae00d6fbdae1f415927ca95f3451032b3cab7384a5aab5b087ebd8601942d80.exe"
    - Suspicious use of WriteProcessMemory
    PID: 504

    Level 3: C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 3308
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: e51b119bf2d016345b1bb69ece22b32f
SHA1: f0d7041812a0ed3e039a29cfc5f8b7f582f0dc23
SHA256: a63ee0b9e2e2ac41345782d3adbf5dc14f547f393cdf68b6cd524706784ca0eb
SHA512: fdb28f1c1d77ef550c4c06180ebcffeb67ba41f4d31b81085fb45df6400f83adec7aef17c7e109fd958ea2f7cf5b0d9ae568fc66bf4e33b6208cf4107bd013f8