Analysis
Max time kernel: 155s
Max time network: 175s
Platform: windows10_x64
Resource: win10-en-20211208
Submitted: 30-01-2022 22:51
Static task: static1
Behavioral task: behavioral1
  Sample: d2a627abb4e73e3e0b479e4da45c10751992f5c438aa10b18a7a94e2481e1828.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: d2a627abb4e73e3e0b479e4da45c10751992f5c438aa10b18a7a94e2481e1828.exe
  Resource: win10-en-20211208
General
Target: d2a627abb4e73e3e0b479e4da45c10751992f5c438aa10b18a7a94e2481e1828.exe
Size: 79KB
MD5: aca2756917024c859d1f13ca1cdcb843
SHA1: eb95ecbf4e382aba4fd02862dfcb69a2a839324d
SHA256: d2a627abb4e73e3e0b479e4da45c10751992f5c438aa10b18a7a94e2481e1828
SHA512: d2437eb2a47fb2671a16be8e0cd74f6aa77b7548eccd768b9f0b16b19e080eb462d73ddf967d0da0735bf5b2e8a2819185092efc1c789fd18116cb615f081dda
Malware Config
Signatures

Sakula Payload (2 IoCs)
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula

Executes dropped EXE (1 IoC)
  pid | process
  708 | MediaCenter.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | d2a627abb4e73e3e0b479e4da45c10751992f5c438aa10b18a7a94e2481e1828.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTP, 1 IoC)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 2712 | d2a627abb4e73e3e0b479e4da45c10751992f5c438aa10b18a7a94e2481e1828.exe

Suspicious use of WriteProcessMemory (9 IoCs)
  description | pid | process | target process
  PID 2712 wrote to memory of 708 | 2712 | d2a627abb4e73e3e0b479e4da45c10751992f5c438aa10b18a7a94e2481e1828.exe | MediaCenter.exe
  PID 2712 wrote to memory of 708 | 2712 | d2a627abb4e73e3e0b479e4da45c10751992f5c438aa10b18a7a94e2481e1828.exe | MediaCenter.exe
  PID 2712 wrote to memory of 708 | 2712 | d2a627abb4e73e3e0b479e4da45c10751992f5c438aa10b18a7a94e2481e1828.exe | MediaCenter.exe
  PID 2712 wrote to memory of 2952 | 2712 | d2a627abb4e73e3e0b479e4da45c10751992f5c438aa10b18a7a94e2481e1828.exe | cmd.exe
  PID 2712 wrote to memory of 2952 | 2712 | d2a627abb4e73e3e0b479e4da45c10751992f5c438aa10b18a7a94e2481e1828.exe | cmd.exe
  PID 2712 wrote to memory of 2952 | 2712 | d2a627abb4e73e3e0b479e4da45c10751992f5c438aa10b18a7a94e2481e1828.exe | cmd.exe
  PID 2952 wrote to memory of 3952 | 2952 | cmd.exe | PING.EXE
  PID 2952 wrote to memory of 3952 | 2952 | cmd.exe | PING.EXE
  PID 2952 wrote to memory of 3952 | 2952 | cmd.exe | PING.EXE
Processes

1. C:\Users\Admin\AppData\Local\Temp\d2a627abb4e73e3e0b479e4da45c10751992f5c438aa10b18a7a94e2481e1828.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\d2a627abb4e73e3e0b479e4da45c10751992f5c438aa10b18a7a94e2481e1828.exe"
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   PID: 2712

   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE
      PID: 708

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\d2a627abb4e73e3e0b479e4da45c10751992f5c438aa10b18a7a94e2481e1828.exe"
      - Suspicious use of WriteProcessMemory
      PID: 2952

      3. C:\Windows\SysWOW64\PING.EXE
         Command line: ping 127.0.0.1
         - Runs ping.exe
         PID: 3952
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: c1773724ec9a626f35d3cf3d1e7e96b5
SHA1: b1da687d1cb3aa9d554b7ee2f1507a09eda5579e
SHA256: f062aa51294b912266f82abea31e9f07136a3336fbdcc7c90703f78f97ca839f
SHA512: a1d489967365f4d2f3e314a7325f66eb1f16f60e0a38e3d937f613d09e4b79b0c5f813857cfc41ee543ddee060cc2b5f8358d3cf0959b1289c603e052ab97113