Analysis
- max time kernel: 150s
- max time network: 170s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 30-01-2022 23:54
Static task: static1
Behavioral task: behavioral1
  Sample: 19c96e06c7e5f7c19611b44ff28293a1a73b32c1a7f57149c51974ee017d3daa.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 19c96e06c7e5f7c19611b44ff28293a1a73b32c1a7f57149c51974ee017d3daa.exe
  Resource: win10-en-20211208
General
- Target: 19c96e06c7e5f7c19611b44ff28293a1a73b32c1a7f57149c51974ee017d3daa.exe
- Size: 79KB
- MD5: 3b70ab484857b6e96e62e239c937dea6
- SHA1: fae910f1d2d2797beea25d0ec4f5ce9a3fad93d5
- SHA256: 19c96e06c7e5f7c19611b44ff28293a1a73b32c1a7f57149c51974ee017d3daa
- SHA512: edfdb43ac7cf9c48a43cd8aa819d4b7331cc374667329bc52899ed3ffbe5be87934264dfdbdd3eed4ccc55fb49a39285efec2fc87ecc854496b31461fd6cae20
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- Executes dropped EXE (1 IoC)
  Processes: MediaCenter.exe
  pid | process
  2744 | MediaCenter.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: 19c96e06c7e5f7c19611b44ff28293a1a73b32c1a7f57149c51974ee017d3daa.exe
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  process: 19c96e06c7e5f7c19611b44ff28293a1a73b32c1a7f57149c51974ee017d3daa.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: 19c96e06c7e5f7c19611b44ff28293a1a73b32c1a7f57149c51974ee017d3daa.exe
  description: Token: SeIncBasePriorityPrivilege
  pid: 2420
  process: 19c96e06c7e5f7c19611b44ff28293a1a73b32c1a7f57149c51974ee017d3daa.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: 19c96e06c7e5f7c19611b44ff28293a1a73b32c1a7f57149c51974ee017d3daa.exe, cmd.exe
  description | pid | process | target process
  PID 2420 wrote to memory of 2744 | 2420 | 19c96e06c7e5f7c19611b44ff28293a1a73b32c1a7f57149c51974ee017d3daa.exe | MediaCenter.exe
  PID 2420 wrote to memory of 2744 | 2420 | 19c96e06c7e5f7c19611b44ff28293a1a73b32c1a7f57149c51974ee017d3daa.exe | MediaCenter.exe
  PID 2420 wrote to memory of 2744 | 2420 | 19c96e06c7e5f7c19611b44ff28293a1a73b32c1a7f57149c51974ee017d3daa.exe | MediaCenter.exe
  PID 2420 wrote to memory of 584 | 2420 | 19c96e06c7e5f7c19611b44ff28293a1a73b32c1a7f57149c51974ee017d3daa.exe | cmd.exe
  PID 2420 wrote to memory of 584 | 2420 | 19c96e06c7e5f7c19611b44ff28293a1a73b32c1a7f57149c51974ee017d3daa.exe | cmd.exe
  PID 2420 wrote to memory of 584 | 2420 | 19c96e06c7e5f7c19611b44ff28293a1a73b32c1a7f57149c51974ee017d3daa.exe | cmd.exe
  PID 584 wrote to memory of 4080 | 584 | cmd.exe | PING.EXE
  PID 584 wrote to memory of 4080 | 584 | cmd.exe | PING.EXE
  PID 584 wrote to memory of 4080 | 584 | cmd.exe | PING.EXE
Processes
- Depth 1: C:\Users\Admin\AppData\Local\Temp\19c96e06c7e5f7c19611b44ff28293a1a73b32c1a7f57149c51974ee017d3daa.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\19c96e06c7e5f7c19611b44ff28293a1a73b32c1a7f57149c51974ee017d3daa.exe"
  PID: 2420
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Depth 2: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 2744
    - Executes dropped EXE
  - Depth 2: C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\19c96e06c7e5f7c19611b44ff28293a1a73b32c1a7f57149c51974ee017d3daa.exe"
    PID: 584
    - Suspicious use of WriteProcessMemory
    - Depth 3: C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 4080
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 19b32cc112520e5c17d08370bf871b98
  SHA1: 638017751cc2067c3f5d49e6970c67871621aac5
  SHA256: d89d3d9a35de26503ee74b2bc2efe21b0954c6ce73986f4b596301b421b057a6
  SHA512: 66d59401fbf1785ebc19ec57af59b40f99ee8eb8f36e860ff7cdcea0d7c33b1cb4967df905081999c3b65904de30a97cc50e331c2a858feb02fc712101909628