Analysis
- max time kernel: 161s
- max time network: 173s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 30-01-2022 17:34
Static task: static1
Behavioral task: behavioral1
- Sample: 135945912fc0869cedea5f6e7df95304ec2fa786cfa89dd30eab49aebda1fb40.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 135945912fc0869cedea5f6e7df95304ec2fa786cfa89dd30eab49aebda1fb40.exe
- Resource: win10-en-20211208
General
- Target: 135945912fc0869cedea5f6e7df95304ec2fa786cfa89dd30eab49aebda1fb40.exe
- Size: 89KB
- MD5: 6c3523020a2ba0b7045060707d8833ea
- SHA1: 0826d635a8e5cba27009a7c27735efd1337bbaf8
- SHA256: 135945912fc0869cedea5f6e7df95304ec2fa786cfa89dd30eab49aebda1fb40
- SHA512: 3e056b62c95636c83670a04babfd56f4380218b64b70b00755630cb7e9d81789039f8ea8f064ea1b684b1f66dbd141e0d46408fa6ce1c702c09378c5cdb19c0f
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  Processes:
    resource | yara_rule
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- Executes dropped EXE (1 IoCs)
  Processes: MediaCenter.exe
    pid | process
    2776 | MediaCenter.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes: 135945912fc0869cedea5f6e7df95304ec2fa786cfa89dd30eab49aebda1fb40.exe
    description | ioc | process
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 135945912fc0869cedea5f6e7df95304ec2fa786cfa89dd30eab49aebda1fb40.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: 135945912fc0869cedea5f6e7df95304ec2fa786cfa89dd30eab49aebda1fb40.exe
    description | pid | process
    Token: SeIncBasePriorityPrivilege | 2464 | 135945912fc0869cedea5f6e7df95304ec2fa786cfa89dd30eab49aebda1fb40.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: 135945912fc0869cedea5f6e7df95304ec2fa786cfa89dd30eab49aebda1fb40.exe, cmd.exe
    description | pid | process | target process
    PID 2464 wrote to memory of 2776 | 2464 | 135945912fc0869cedea5f6e7df95304ec2fa786cfa89dd30eab49aebda1fb40.exe | MediaCenter.exe
    PID 2464 wrote to memory of 2776 | 2464 | 135945912fc0869cedea5f6e7df95304ec2fa786cfa89dd30eab49aebda1fb40.exe | MediaCenter.exe
    PID 2464 wrote to memory of 2776 | 2464 | 135945912fc0869cedea5f6e7df95304ec2fa786cfa89dd30eab49aebda1fb40.exe | MediaCenter.exe
    PID 2464 wrote to memory of 3300 | 2464 | 135945912fc0869cedea5f6e7df95304ec2fa786cfa89dd30eab49aebda1fb40.exe | cmd.exe
    PID 2464 wrote to memory of 3300 | 2464 | 135945912fc0869cedea5f6e7df95304ec2fa786cfa89dd30eab49aebda1fb40.exe | cmd.exe
    PID 2464 wrote to memory of 3300 | 2464 | 135945912fc0869cedea5f6e7df95304ec2fa786cfa89dd30eab49aebda1fb40.exe | cmd.exe
    PID 3300 wrote to memory of 3748 | 3300 | cmd.exe | PING.EXE
    PID 3300 wrote to memory of 3748 | 3300 | cmd.exe | PING.EXE
    PID 3300 wrote to memory of 3748 | 3300 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\135945912fc0869cedea5f6e7df95304ec2fa786cfa89dd30eab49aebda1fb40.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\135945912fc0869cedea5f6e7df95304ec2fa786cfa89dd30eab49aebda1fb40.exe"
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2464
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 2776
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\135945912fc0869cedea5f6e7df95304ec2fa786cfa89dd30eab49aebda1fb40.exe"
    - Suspicious use of WriteProcessMemory
    PID: 3300
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 3748
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 5828a2c28ea3bf41450c70b9b721db4d
  SHA1: ecb45b0b82fe56f04cd9aec03a3ca74ae325fe35
  SHA256: 47a5212a58e65203c3f361c78ed488729d9ae6b19d70129221bee5fff8d550e2
  SHA512: 1cc8901f582411b1ce71057e36fdc9cf92a3a64433639e873bb864daa5ee4c3fbb11846f80bafc4a967e93d6f5c4a526a90d6ce4b573ff0d6f949767698daf7e
- MD5: 5828a2c28ea3bf41450c70b9b721db4d
  SHA1: ecb45b0b82fe56f04cd9aec03a3ca74ae325fe35
  SHA256: 47a5212a58e65203c3f361c78ed488729d9ae6b19d70129221bee5fff8d550e2
  SHA512: 1cc8901f582411b1ce71057e36fdc9cf92a3a64433639e873bb864daa5ee4c3fbb11846f80bafc4a967e93d6f5c4a526a90d6ce4b573ff0d6f949767698daf7e