Analysis
- max time kernel: 142s
- max time network: 142s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 30-01-2022 13:41
Static task: static1
Behavioral task: behavioral1
- Sample: 621cabafa0320c01dc1eb106071b1cc5d0fd0a181bf0fab6e0ab2e4bd7d14751.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 621cabafa0320c01dc1eb106071b1cc5d0fd0a181bf0fab6e0ab2e4bd7d14751.exe
- Resource: win10-en-20211208
General
- Target: 621cabafa0320c01dc1eb106071b1cc5d0fd0a181bf0fab6e0ab2e4bd7d14751.exe
- Size: 89KB
- MD5: 8542cf0d32b7c711d92089a7d442333e
- SHA1: e9ff8095d747309492c97a9c18e323a30fe358e6
- SHA256: 621cabafa0320c01dc1eb106071b1cc5d0fd0a181bf0fab6e0ab2e4bd7d14751
- SHA512: 0d61a722eff62be08db9190be28b844bea6d6bc195be19528641fea28fc6bd733805bb5b2f93f84c6fd8297e8b50b940742d568b9d039532def3f25268c729bb
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- Executes dropped EXE (1 IoCs)
  Processes: MediaCenter.exe
  pid | process
  2716 | MediaCenter.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes: 621cabafa0320c01dc1eb106071b1cc5d0fd0a181bf0fab6e0ab2e4bd7d14751.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 621cabafa0320c01dc1eb106071b1cc5d0fd0a181bf0fab6e0ab2e4bd7d14751.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: 621cabafa0320c01dc1eb106071b1cc5d0fd0a181bf0fab6e0ab2e4bd7d14751.exe
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 2656 | 621cabafa0320c01dc1eb106071b1cc5d0fd0a181bf0fab6e0ab2e4bd7d14751.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: 621cabafa0320c01dc1eb106071b1cc5d0fd0a181bf0fab6e0ab2e4bd7d14751.exe, cmd.exe
  description | pid | process | target process
  PID 2656 wrote to memory of 2716 | 2656 | 621cabafa0320c01dc1eb106071b1cc5d0fd0a181bf0fab6e0ab2e4bd7d14751.exe | MediaCenter.exe
  PID 2656 wrote to memory of 2716 | 2656 | 621cabafa0320c01dc1eb106071b1cc5d0fd0a181bf0fab6e0ab2e4bd7d14751.exe | MediaCenter.exe
  PID 2656 wrote to memory of 2716 | 2656 | 621cabafa0320c01dc1eb106071b1cc5d0fd0a181bf0fab6e0ab2e4bd7d14751.exe | MediaCenter.exe
  PID 2656 wrote to memory of 3608 | 2656 | 621cabafa0320c01dc1eb106071b1cc5d0fd0a181bf0fab6e0ab2e4bd7d14751.exe | cmd.exe
  PID 2656 wrote to memory of 3608 | 2656 | 621cabafa0320c01dc1eb106071b1cc5d0fd0a181bf0fab6e0ab2e4bd7d14751.exe | cmd.exe
  PID 2656 wrote to memory of 3608 | 2656 | 621cabafa0320c01dc1eb106071b1cc5d0fd0a181bf0fab6e0ab2e4bd7d14751.exe | cmd.exe
  PID 3608 wrote to memory of 644 | 3608 | cmd.exe | PING.EXE
  PID 3608 wrote to memory of 644 | 3608 | cmd.exe | PING.EXE
  PID 3608 wrote to memory of 644 | 3608 | cmd.exe | PING.EXE
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\621cabafa0320c01dc1eb106071b1cc5d0fd0a181bf0fab6e0ab2e4bd7d14751.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\621cabafa0320c01dc1eb106071b1cc5d0fd0a181bf0fab6e0ab2e4bd7d14751.exe"
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2656
  - [2] C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 2716
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\621cabafa0320c01dc1eb106071b1cc5d0fd0a181bf0fab6e0ab2e4bd7d14751.exe"
    - Suspicious use of WriteProcessMemory
    PID: 3608
    - [3] C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 644
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 3645c5319f02d4f90f7789b0e4011f29
- SHA1: 41b7a0e07194929a75fa312054269d1cf4d6764b
- SHA256: cb577dd610f2b55839d319803a124c0e09c02f6ad329569ab82da888e1f2869d
- SHA512: 03c90a382dfab64e0fcf7e56e0be886d4562f0fdbacf4f3d81ff7f0368c29ea81d1802f384d8bd24a4aadeb7501b3d74e32fb8e27f20bba8e3464264fdef7ab3