Analysis
-
max time kernel
154s -
max time network
166s -
platform
windows10_x64 -
resource
win10-en-20211208 -
submitted
30-01-2022 23:58
Static task
static1
Behavioral task
behavioral1
Sample
ada21030c1ba9014e72f08de9974b947091bec01855411743042f75c81d4f2b3.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
ada21030c1ba9014e72f08de9974b947091bec01855411743042f75c81d4f2b3.exe
Resource
win10-en-20211208
General
-
Target
ada21030c1ba9014e72f08de9974b947091bec01855411743042f75c81d4f2b3.exe
-
Size
89KB
-
MD5
2ff61b170821191c99d8b75bd01726f2
-
SHA1
320cf1c0efad979d0028f504f7274bbc7790fdde
-
SHA256
ada21030c1ba9014e72f08de9974b947091bec01855411743042f75c81d4f2b3
-
SHA512
c66e64652cef2fe5fee8dcf71742aa25389627eff4eee1d7e6270d41e01a62c286b74e7bf04aa496af94aad182cde292358e249f17e6704c9d17cbc9df51b517
Malware Config
Signatures
-
Sakula Payload 2 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula -
Executes dropped EXE 1 IoCs
Processes:
MediaCenter.exepid process 3048 MediaCenter.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
ada21030c1ba9014e72f08de9974b947091bec01855411743042f75c81d4f2b3.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" ada21030c1ba9014e72f08de9974b947091bec01855411743042f75c81d4f2b3.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
ada21030c1ba9014e72f08de9974b947091bec01855411743042f75c81d4f2b3.exedescription pid process Token: SeIncBasePriorityPrivilege 2700 ada21030c1ba9014e72f08de9974b947091bec01855411743042f75c81d4f2b3.exe -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
ada21030c1ba9014e72f08de9974b947091bec01855411743042f75c81d4f2b3.execmd.exedescription pid process target process PID 2700 wrote to memory of 3048 2700 ada21030c1ba9014e72f08de9974b947091bec01855411743042f75c81d4f2b3.exe MediaCenter.exe PID 2700 wrote to memory of 3048 2700 ada21030c1ba9014e72f08de9974b947091bec01855411743042f75c81d4f2b3.exe MediaCenter.exe PID 2700 wrote to memory of 3048 2700 ada21030c1ba9014e72f08de9974b947091bec01855411743042f75c81d4f2b3.exe MediaCenter.exe PID 2700 wrote to memory of 4092 2700 ada21030c1ba9014e72f08de9974b947091bec01855411743042f75c81d4f2b3.exe cmd.exe PID 2700 wrote to memory of 4092 2700 ada21030c1ba9014e72f08de9974b947091bec01855411743042f75c81d4f2b3.exe cmd.exe PID 2700 wrote to memory of 4092 2700 ada21030c1ba9014e72f08de9974b947091bec01855411743042f75c81d4f2b3.exe cmd.exe PID 4092 wrote to memory of 3380 4092 cmd.exe PING.EXE PID 4092 wrote to memory of 3380 4092 cmd.exe PING.EXE PID 4092 wrote to memory of 3380 4092 cmd.exe PING.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\ada21030c1ba9014e72f08de9974b947091bec01855411743042f75c81d4f2b3.exe"C:\Users\Admin\AppData\Local\Temp\ada21030c1ba9014e72f08de9974b947091bec01855411743042f75c81d4f2b3.exe"1⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2700 -
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeC:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe2⤵
- Executes dropped EXE
PID:3048 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\ada21030c1ba9014e72f08de9974b947091bec01855411743042f75c81d4f2b3.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:4092 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.13⤵
- Runs ping.exe
PID:3380
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
eefbac054aff3d92507acd0e0e0c58b8
SHA1e46d509676a3004e8f1b000da044df5ab3cfc2bb
SHA256f8b3d959deb0600e714feb89697134a45ddf194917dd98d9f78e7b1bed96fe23
SHA51253c486d73bc0c2cbd7f34c9c7cee55ae70ec8b4067c38ed394b6c1767123a1eb79edf4d260e0bc1d9da3b02b98879beecb4bcf73933c7301fc058e1d20b66d7e
-
MD5
eefbac054aff3d92507acd0e0e0c58b8
SHA1e46d509676a3004e8f1b000da044df5ab3cfc2bb
SHA256f8b3d959deb0600e714feb89697134a45ddf194917dd98d9f78e7b1bed96fe23
SHA51253c486d73bc0c2cbd7f34c9c7cee55ae70ec8b4067c38ed394b6c1767123a1eb79edf4d260e0bc1d9da3b02b98879beecb4bcf73933c7301fc058e1d20b66d7e