Analysis
-
max time kernel
144s -
max time network
145s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
30-01-2022 23:58
Static task
static1
Behavioral task
behavioral1
Sample
ada21030c1ba9014e72f08de9974b947091bec01855411743042f75c81d4f2b3.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
ada21030c1ba9014e72f08de9974b947091bec01855411743042f75c81d4f2b3.exe
Resource
win10-en-20211208
General
-
Target
ada21030c1ba9014e72f08de9974b947091bec01855411743042f75c81d4f2b3.exe
-
Size
89KB
-
MD5
2ff61b170821191c99d8b75bd01726f2
-
SHA1
320cf1c0efad979d0028f504f7274bbc7790fdde
-
SHA256
ada21030c1ba9014e72f08de9974b947091bec01855411743042f75c81d4f2b3
-
SHA512
c66e64652cef2fe5fee8dcf71742aa25389627eff4eee1d7e6270d41e01a62c286b74e7bf04aa496af94aad182cde292358e249f17e6704c9d17cbc9df51b517
Malware Config
Signatures
-
Sakula Payload 2 IoCs
Processes:
resource yara_rule \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula -
Executes dropped EXE 1 IoCs
Processes:
MediaCenter.exepid process 268 MediaCenter.exe -
Deletes itself 1 IoCs
Processes:
cmd.exepid process 1992 cmd.exe -
Loads dropped DLL 1 IoCs
Processes:
ada21030c1ba9014e72f08de9974b947091bec01855411743042f75c81d4f2b3.exepid process 1860 ada21030c1ba9014e72f08de9974b947091bec01855411743042f75c81d4f2b3.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
ada21030c1ba9014e72f08de9974b947091bec01855411743042f75c81d4f2b3.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" ada21030c1ba9014e72f08de9974b947091bec01855411743042f75c81d4f2b3.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
ada21030c1ba9014e72f08de9974b947091bec01855411743042f75c81d4f2b3.exedescription pid process Token: SeIncBasePriorityPrivilege 1860 ada21030c1ba9014e72f08de9974b947091bec01855411743042f75c81d4f2b3.exe -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
ada21030c1ba9014e72f08de9974b947091bec01855411743042f75c81d4f2b3.execmd.exedescription pid process target process PID 1860 wrote to memory of 268 1860 ada21030c1ba9014e72f08de9974b947091bec01855411743042f75c81d4f2b3.exe MediaCenter.exe PID 1860 wrote to memory of 268 1860 ada21030c1ba9014e72f08de9974b947091bec01855411743042f75c81d4f2b3.exe MediaCenter.exe PID 1860 wrote to memory of 268 1860 ada21030c1ba9014e72f08de9974b947091bec01855411743042f75c81d4f2b3.exe MediaCenter.exe PID 1860 wrote to memory of 268 1860 ada21030c1ba9014e72f08de9974b947091bec01855411743042f75c81d4f2b3.exe MediaCenter.exe PID 1860 wrote to memory of 1992 1860 ada21030c1ba9014e72f08de9974b947091bec01855411743042f75c81d4f2b3.exe cmd.exe PID 1860 wrote to memory of 1992 1860 ada21030c1ba9014e72f08de9974b947091bec01855411743042f75c81d4f2b3.exe cmd.exe PID 1860 wrote to memory of 1992 1860 ada21030c1ba9014e72f08de9974b947091bec01855411743042f75c81d4f2b3.exe cmd.exe PID 1860 wrote to memory of 1992 1860 ada21030c1ba9014e72f08de9974b947091bec01855411743042f75c81d4f2b3.exe cmd.exe PID 1992 wrote to memory of 1048 1992 cmd.exe PING.EXE PID 1992 wrote to memory of 1048 1992 cmd.exe PING.EXE PID 1992 wrote to memory of 1048 1992 cmd.exe PING.EXE PID 1992 wrote to memory of 1048 1992 cmd.exe PING.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\ada21030c1ba9014e72f08de9974b947091bec01855411743042f75c81d4f2b3.exe"C:\Users\Admin\AppData\Local\Temp\ada21030c1ba9014e72f08de9974b947091bec01855411743042f75c81d4f2b3.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1860 -
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeC:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe2⤵
- Executes dropped EXE
PID:268 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\ada21030c1ba9014e72f08de9974b947091bec01855411743042f75c81d4f2b3.exe"2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1992 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.13⤵
- Runs ping.exe
PID:1048
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
ef70e2f63ee322e4f9ba884751ddfc65
SHA144be0a46bcec53093737db85df0bcf3839fc8bc9
SHA256e84b6d79d41cb889712f62c0406a53eaf8ca0bed323fbec871823ad396672729
SHA5125517d0addcf4e40b89e4227aa4c77360656e13bcefc02bd111e64003a8138ca00a72e57aa2e0354c52444d56aa6e491df88f8591c26aebe892e547b6da6a6c1f
-
MD5
ef70e2f63ee322e4f9ba884751ddfc65
SHA144be0a46bcec53093737db85df0bcf3839fc8bc9
SHA256e84b6d79d41cb889712f62c0406a53eaf8ca0bed323fbec871823ad396672729
SHA5125517d0addcf4e40b89e4227aa4c77360656e13bcefc02bd111e64003a8138ca00a72e57aa2e0354c52444d56aa6e491df88f8591c26aebe892e547b6da6a6c1f