Analysis
-
max time kernel
151s -
max time network
173s -
platform
windows10_x64 -
resource
win10-en-20211208 -
submitted
30-01-2022 00:07
Static task
static1
Behavioral task
behavioral1
Sample
98b2fa93b884c2708f8a3eafeb3c203711e64e718d0a91fe456146612db3b987.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
98b2fa93b884c2708f8a3eafeb3c203711e64e718d0a91fe456146612db3b987.exe
Resource
win10-en-20211208
General
-
Target
98b2fa93b884c2708f8a3eafeb3c203711e64e718d0a91fe456146612db3b987.exe
-
Size
79KB
-
MD5
023ef99bc3c84b8df3f837454c0e1629
-
SHA1
a6c4a242ef5f5657d4c39ed7de075f0d6bcbaadf
-
SHA256
98b2fa93b884c2708f8a3eafeb3c203711e64e718d0a91fe456146612db3b987
-
SHA512
9da14aed7b424b1d046b2b7d27a596d807b48186943f2dc338e07245a0f7bfaa7c52bd0f999562616925c4f5c601e2e62afdba808e674ad6dad1e010bed769d4
Malware Config
Signatures
-
Sakula Payload 2 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula -
Executes dropped EXE 1 IoCs
Processes:
MediaCenter.exepid process 1208 MediaCenter.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
98b2fa93b884c2708f8a3eafeb3c203711e64e718d0a91fe456146612db3b987.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" 98b2fa93b884c2708f8a3eafeb3c203711e64e718d0a91fe456146612db3b987.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
98b2fa93b884c2708f8a3eafeb3c203711e64e718d0a91fe456146612db3b987.exedescription pid process Token: SeIncBasePriorityPrivilege 2452 98b2fa93b884c2708f8a3eafeb3c203711e64e718d0a91fe456146612db3b987.exe -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
98b2fa93b884c2708f8a3eafeb3c203711e64e718d0a91fe456146612db3b987.execmd.exedescription pid process target process PID 2452 wrote to memory of 1208 2452 98b2fa93b884c2708f8a3eafeb3c203711e64e718d0a91fe456146612db3b987.exe MediaCenter.exe PID 2452 wrote to memory of 1208 2452 98b2fa93b884c2708f8a3eafeb3c203711e64e718d0a91fe456146612db3b987.exe MediaCenter.exe PID 2452 wrote to memory of 1208 2452 98b2fa93b884c2708f8a3eafeb3c203711e64e718d0a91fe456146612db3b987.exe MediaCenter.exe PID 2452 wrote to memory of 2240 2452 98b2fa93b884c2708f8a3eafeb3c203711e64e718d0a91fe456146612db3b987.exe cmd.exe PID 2452 wrote to memory of 2240 2452 98b2fa93b884c2708f8a3eafeb3c203711e64e718d0a91fe456146612db3b987.exe cmd.exe PID 2452 wrote to memory of 2240 2452 98b2fa93b884c2708f8a3eafeb3c203711e64e718d0a91fe456146612db3b987.exe cmd.exe PID 2240 wrote to memory of 2212 2240 cmd.exe PING.EXE PID 2240 wrote to memory of 2212 2240 cmd.exe PING.EXE PID 2240 wrote to memory of 2212 2240 cmd.exe PING.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\98b2fa93b884c2708f8a3eafeb3c203711e64e718d0a91fe456146612db3b987.exe"C:\Users\Admin\AppData\Local\Temp\98b2fa93b884c2708f8a3eafeb3c203711e64e718d0a91fe456146612db3b987.exe"1⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2452 -
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeC:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe2⤵
- Executes dropped EXE
PID:1208 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\98b2fa93b884c2708f8a3eafeb3c203711e64e718d0a91fe456146612db3b987.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:2240 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.13⤵
- Runs ping.exe
PID:2212
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
d9824f732ddb607b52b968397cb39bf7
SHA121ec815e2fef042f3fe1f36e7fa59b793aca66bc
SHA256d512a89456e85f40635f6bc3dfdbebb6cb96b07cb02fe5f2a6dfb4dc9780106f
SHA5122cb08b769ae9627ba1f3b36611ad0e9315987b7c1e69f03416a1e158172c1f74f02e32385ac5eef9dce80b15a27fd9794aa1e4a393e2a57d71f0f77ee14128a4
-
MD5
d9824f732ddb607b52b968397cb39bf7
SHA121ec815e2fef042f3fe1f36e7fa59b793aca66bc
SHA256d512a89456e85f40635f6bc3dfdbebb6cb96b07cb02fe5f2a6dfb4dc9780106f
SHA5122cb08b769ae9627ba1f3b36611ad0e9315987b7c1e69f03416a1e158172c1f74f02e32385ac5eef9dce80b15a27fd9794aa1e4a393e2a57d71f0f77ee14128a4