Analysis
- max time kernel: 153s
- max time network: 162s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 30-01-2022 18:34

Static task: static1

Behavioral task: behavioral1
- Sample: 834b4e2cb213740f4bde30273c12c4e6e1aeeb6d9f61f100bac0a68731d25681.exe
- Resource: win7-en-20211208

Behavioral task: behavioral2
- Sample: 834b4e2cb213740f4bde30273c12c4e6e1aeeb6d9f61f100bac0a68731d25681.exe
- Resource: win10-en-20211208
General
- Target: 834b4e2cb213740f4bde30273c12c4e6e1aeeb6d9f61f100bac0a68731d25681.exe
- Size: 89KB
- MD5: 5a843bc0b9f4525b1ee512e1eba95641
- SHA1: b74c828dc6f726c42e92e660294f9c549a244b7e
- SHA256: 834b4e2cb213740f4bde30273c12c4e6e1aeeb6d9f61f100bac0a68731d25681
- SHA512: 32e60201eb43a5e52b66564d10d904e4a847cd5ca13bf7321860ecae81bfba1e76863f3abfa1f02ee05dab4f0b78ec0640d85f6ba06dd52c7f60e1afab871696
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  Processes (resource | yara_rule):
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- Executes dropped EXE (1 IoCs)
  Processes (pid | process):
  4052 | MediaCenter.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes (description | ioc | process):
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 834b4e2cb213740f4bde30273c12c4e6e1aeeb6d9f61f100bac0a68731d25681.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes (description | pid | process):
  Token: SeIncBasePriorityPrivilege | 3424 | 834b4e2cb213740f4bde30273c12c4e6e1aeeb6d9f61f100bac0a68731d25681.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (description | pid | process | target process):
  PID 3424 wrote to memory of 4052 | 3424 | 834b4e2cb213740f4bde30273c12c4e6e1aeeb6d9f61f100bac0a68731d25681.exe | MediaCenter.exe
  PID 3424 wrote to memory of 4052 | 3424 | 834b4e2cb213740f4bde30273c12c4e6e1aeeb6d9f61f100bac0a68731d25681.exe | MediaCenter.exe
  PID 3424 wrote to memory of 4052 | 3424 | 834b4e2cb213740f4bde30273c12c4e6e1aeeb6d9f61f100bac0a68731d25681.exe | MediaCenter.exe
  PID 3424 wrote to memory of 2280 | 3424 | 834b4e2cb213740f4bde30273c12c4e6e1aeeb6d9f61f100bac0a68731d25681.exe | cmd.exe
  PID 3424 wrote to memory of 2280 | 3424 | 834b4e2cb213740f4bde30273c12c4e6e1aeeb6d9f61f100bac0a68731d25681.exe | cmd.exe
  PID 3424 wrote to memory of 2280 | 3424 | 834b4e2cb213740f4bde30273c12c4e6e1aeeb6d9f61f100bac0a68731d25681.exe | cmd.exe
  PID 2280 wrote to memory of 428 | 2280 | cmd.exe | PING.EXE
  PID 2280 wrote to memory of 428 | 2280 | cmd.exe | PING.EXE
  PID 2280 wrote to memory of 428 | 2280 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\834b4e2cb213740f4bde30273c12c4e6e1aeeb6d9f61f100bac0a68731d25681.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\834b4e2cb213740f4bde30273c12c4e6e1aeeb6d9f61f100bac0a68731d25681.exe"
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 3424
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 4052
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\834b4e2cb213740f4bde30273c12c4e6e1aeeb6d9f61f100bac0a68731d25681.exe"
    - Suspicious use of WriteProcessMemory
    PID: 2280
    - C:\Windows\SysWOW64\PING.EXE (depth 3)
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 428
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 1c7f9035f6a81302b4b66aca352bb2f2
  SHA1: cdc4e1c3db4c1f8c0bcac4bc58ed22d5de567bf4
  SHA256: ab9496c30de25a47bea384b5b057091796ad3b9e653e9e858aa08344f347fc7a
  SHA512: 453c6e236670e5cff1db04acf54af390ed0860a5a787ec644926def37c3dbde5a72518e124e651cff9734784b6cda5c5e32218c9db41e4a710cf2e2b501e4963