Analysis
max time kernel: 173s
max time network: 173s
platform: windows10_x64
resource: win10-en-20211208
submitted: 30-01-2022 13:19
Static task: static1
Behavioral task: behavioral1
  Sample: fd77f52378bc09a2b93c2a78af45925c8b9db53c5c6a5a378c3f4a54008d0802.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: fd77f52378bc09a2b93c2a78af45925c8b9db53c5c6a5a378c3f4a54008d0802.exe
  Resource: win10-en-20211208
General
Target: fd77f52378bc09a2b93c2a78af45925c8b9db53c5c6a5a378c3f4a54008d0802.exe
Size: 89KB
MD5: 8b52cd1df70ef315bce38223ac7f4ec3
SHA1: d687cb101346c2f1f480dc4932fe8b6fe94c0e5c
SHA256: fd77f52378bc09a2b93c2a78af45925c8b9db53c5c6a5a378c3f4a54008d0802
SHA512: f6f7ca374421f52dc1ac800c21ecdbd6d1677fdc9cecb2b2cb3708f5f71d1377dae8ab468c438492492aea1a6fe144b620e91e701126111f3a1c88902383e8bb
Malware Config
Signatures
Sakula Payload (2 IoCs)
  resource                                                       yara_rule
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe   family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe   family_sakula
Executes dropped EXE (1 IoCs)
  pid   process
  848   MediaCenter.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
  description       ioc                                                                                                                                                               process
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"   fd77f52378bc09a2b93c2a78af45925c8b9db53c5c6a5a378c3f4a54008d0802.exe
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Runs ping.exe (1 TTPs, 1 IoCs)
Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description                            pid    process
  Token: SeIncBasePriorityPrivilege      2944   fd77f52378bc09a2b93c2a78af45925c8b9db53c5c6a5a378c3f4a54008d0802.exe
Suspicious use of WriteProcessMemory (9 IoCs)
  description                        pid    process                                                                 target process
  PID 2944 wrote to memory of 848    2944   fd77f52378bc09a2b93c2a78af45925c8b9db53c5c6a5a378c3f4a54008d0802.exe   MediaCenter.exe
  PID 2944 wrote to memory of 848    2944   fd77f52378bc09a2b93c2a78af45925c8b9db53c5c6a5a378c3f4a54008d0802.exe   MediaCenter.exe
  PID 2944 wrote to memory of 848    2944   fd77f52378bc09a2b93c2a78af45925c8b9db53c5c6a5a378c3f4a54008d0802.exe   MediaCenter.exe
  PID 2944 wrote to memory of 984    2944   fd77f52378bc09a2b93c2a78af45925c8b9db53c5c6a5a378c3f4a54008d0802.exe   cmd.exe
  PID 2944 wrote to memory of 984    2944   fd77f52378bc09a2b93c2a78af45925c8b9db53c5c6a5a378c3f4a54008d0802.exe   cmd.exe
  PID 2944 wrote to memory of 984    2944   fd77f52378bc09a2b93c2a78af45925c8b9db53c5c6a5a378c3f4a54008d0802.exe   cmd.exe
  PID 984 wrote to memory of 4092    984    cmd.exe                                                                 PING.EXE
  PID 984 wrote to memory of 4092    984    cmd.exe                                                                 PING.EXE
  PID 984 wrote to memory of 4092    984    cmd.exe                                                                 PING.EXE
Processes
C:\Users\Admin\AppData\Local\Temp\fd77f52378bc09a2b93c2a78af45925c8b9db53c5c6a5a378c3f4a54008d0802.exe (tree level 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\fd77f52378bc09a2b93c2a78af45925c8b9db53c5c6a5a378c3f4a54008d0802.exe"
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2944
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (tree level 2)
    command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 848
  C:\Windows\SysWOW64\cmd.exe (tree level 2)
    command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\fd77f52378bc09a2b93c2a78af45925c8b9db53c5c6a5a378c3f4a54008d0802.exe"
    - Suspicious use of WriteProcessMemory
    PID: 984
    C:\Windows\SysWOW64\PING.EXE (tree level 3)
      command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 4092
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: 78d7bfc6cb9f4064235e4af02daca0d8
SHA1: 546aa7d2f1abe131bf2b13dbcea4d0c9d0dfe099
SHA256: 7efd783816fe83e27f4ad69ff7ded03c78816a77b9faf1245e9a2e884262798d
SHA512: 9afe6555ec268be1293691d71d65abb984b257d538678ad25663caec893392e1a3f262b9d69abe9df803d447160bf1a149abd9a8ea90acc0dec10e0189038bab