Analysis
- max time kernel: 163s
- max time network: 164s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 30-01-2022 22:49
Static task: static1
Behavioral task: behavioral1
- Sample: 518707434ba01c53a40928e45f1ce8ddef92b4b6c910fd46bac8528020100b5c.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 518707434ba01c53a40928e45f1ce8ddef92b4b6c910fd46bac8528020100b5c.exe
- Resource: win10-en-20211208
General
- Target: 518707434ba01c53a40928e45f1ce8ddef92b4b6c910fd46bac8528020100b5c.exe
- Size: 79KB
- MD5: b38c4766ec0c5fb9b9e70af0b7414e78
- SHA1: dd28c979bfa39a9aae496930f3604852fabf1505
- SHA256: 518707434ba01c53a40928e45f1ce8ddef92b4b6c910fd46bac8528020100b5c
- SHA512: 57ce3838b16bdcddc07e5bf37a71a7f1a86c7ac3ad83fc1bbebc848a912bbf634afb932fb179a2ddcdca97df1aa0f6ef29b23cfd92a3feac559393613c95e111
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- Executes dropped EXE (1 IoCs)
  Processes:
  pid | process
  1172 | MediaCenter.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 518707434ba01c53a40928e45f1ce8ddef92b4b6c910fd46bac8528020100b5c.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 384 | 518707434ba01c53a40928e45f1ce8ddef92b4b6c910fd46bac8528020100b5c.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
  description | pid | process | target process
  PID 384 wrote to memory of 1172 | 384 | 518707434ba01c53a40928e45f1ce8ddef92b4b6c910fd46bac8528020100b5c.exe | MediaCenter.exe
  PID 384 wrote to memory of 1172 | 384 | 518707434ba01c53a40928e45f1ce8ddef92b4b6c910fd46bac8528020100b5c.exe | MediaCenter.exe
  PID 384 wrote to memory of 1172 | 384 | 518707434ba01c53a40928e45f1ce8ddef92b4b6c910fd46bac8528020100b5c.exe | MediaCenter.exe
  PID 384 wrote to memory of 4088 | 384 | 518707434ba01c53a40928e45f1ce8ddef92b4b6c910fd46bac8528020100b5c.exe | cmd.exe
  PID 384 wrote to memory of 4088 | 384 | 518707434ba01c53a40928e45f1ce8ddef92b4b6c910fd46bac8528020100b5c.exe | cmd.exe
  PID 384 wrote to memory of 4088 | 384 | 518707434ba01c53a40928e45f1ce8ddef92b4b6c910fd46bac8528020100b5c.exe | cmd.exe
  PID 4088 wrote to memory of 900 | 4088 | cmd.exe | PING.EXE
  PID 4088 wrote to memory of 900 | 4088 | cmd.exe | PING.EXE
  PID 4088 wrote to memory of 900 | 4088 | cmd.exe | PING.EXE
Processes
- [1] Image: C:\Users\Admin\AppData\Local\Temp\518707434ba01c53a40928e45f1ce8ddef92b4b6c910fd46bac8528020100b5c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\518707434ba01c53a40928e45f1ce8ddef92b4b6c910fd46bac8528020100b5c.exe"
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 384
  - [2] Image: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1172
  - [2] Image: C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\518707434ba01c53a40928e45f1ce8ddef92b4b6c910fd46bac8528020100b5c.exe"
    - Suspicious use of WriteProcessMemory
    PID: 4088
    - [3] Image: C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 900
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 17dd1281e8142a29e7b819c2b7bc4a0a
  SHA1: 8bd98b2a34b706ddfc04f7253c83418ecb420c18
  SHA256: 0c920bce97db6263ec72ff2fc0f3b4ec5766e66aa98dccd0468df0eab86c712c
  SHA512: 5016ab052b78861509b8bc761c0b367f621fb859a14dfbf1cf91b5c50c228e9dccc4d5643722c6c9404e8991446a345e97d434fdc1537f8265e2916f268a76c4