Analysis
- max time kernel: 115s
- max time network: 124s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 30-01-2022 00:09
Static task: static1
Behavioral task: behavioral1
- Sample: e345c7232badd34dcd327c6442bb72aa40211bfd6e5f84adc0f06f19a2c53fc2.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: e345c7232badd34dcd327c6442bb72aa40211bfd6e5f84adc0f06f19a2c53fc2.exe
- Resource: win10-en-20211208
General
- Target: e345c7232badd34dcd327c6442bb72aa40211bfd6e5f84adc0f06f19a2c53fc2.exe
- Size: 79KB
- MD5: 019a5f531f324d5528ccc09faa617f42
- SHA1: c3be3a8a181f5b26fe816effe8c90453e3fd6278
- SHA256: e345c7232badd34dcd327c6442bb72aa40211bfd6e5f84adc0f06f19a2c53fc2
- SHA512: 1fd0759d49b3867282b6a5eef50bb23e77e1c7df80ebedaf2e69a7d12ad104317fefa494288d8240dbe7fb9a71240632e23b1965376631fa737a8ce3d54a9d89
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  Processes (resource / yara_rule):
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe / family_sakula
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe / family_sakula
- Executes dropped EXE (1 IoC)
  Processes (pid / process):
  - 4060 / MediaCenter.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description / ioc / process):
  - Set value (str) / \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" / e345c7232badd34dcd327c6442bb72aa40211bfd6e5f84adc0f06f19a2c53fc2.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description / pid / process):
  - Token: SeIncBasePriorityPrivilege / 4080 / e345c7232badd34dcd327c6442bb72aa40211bfd6e5f84adc0f06f19a2c53fc2.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (description / pid / process / target process):
  - PID 4080 wrote to memory of 4060 / 4080 / e345c7232badd34dcd327c6442bb72aa40211bfd6e5f84adc0f06f19a2c53fc2.exe / MediaCenter.exe
  - PID 4080 wrote to memory of 4060 / 4080 / e345c7232badd34dcd327c6442bb72aa40211bfd6e5f84adc0f06f19a2c53fc2.exe / MediaCenter.exe
  - PID 4080 wrote to memory of 4060 / 4080 / e345c7232badd34dcd327c6442bb72aa40211bfd6e5f84adc0f06f19a2c53fc2.exe / MediaCenter.exe
  - PID 4080 wrote to memory of 4488 / 4080 / e345c7232badd34dcd327c6442bb72aa40211bfd6e5f84adc0f06f19a2c53fc2.exe / cmd.exe
  - PID 4080 wrote to memory of 4488 / 4080 / e345c7232badd34dcd327c6442bb72aa40211bfd6e5f84adc0f06f19a2c53fc2.exe / cmd.exe
  - PID 4080 wrote to memory of 4488 / 4080 / e345c7232badd34dcd327c6442bb72aa40211bfd6e5f84adc0f06f19a2c53fc2.exe / cmd.exe
  - PID 4488 wrote to memory of 4624 / 4488 / cmd.exe / PING.EXE
  - PID 4488 wrote to memory of 4624 / 4488 / cmd.exe / PING.EXE
  - PID 4488 wrote to memory of 4624 / 4488 / cmd.exe / PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\e345c7232badd34dcd327c6442bb72aa40211bfd6e5f84adc0f06f19a2c53fc2.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e345c7232badd34dcd327c6442bb72aa40211bfd6e5f84adc0f06f19a2c53fc2.exe"
  PID: 4080
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 4060
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\e345c7232badd34dcd327c6442bb72aa40211bfd6e5f84adc0f06f19a2c53fc2.exe"
    PID: 4488
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 4624
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 35444d3ea91f07091f5ab0609a8dbf2e
- SHA1: cbab0b6a2f7b9b4b8c91245d264a248237001696
- SHA256: 2631469e2825e357ea6d8c3d9e59912627fae0bb7ce08449649ece21df0a6074
- SHA512: 0550e99eb50ec7f14df8a8ef16939ad92dd3f467016110560035cfcd62e99874aa1e6009e5018e843108f1b2cbaa1121dd9dbdfe179dd79e8492f9e2a1ab0e12