Analysis
-
max time kernel
147s -
max time network
146s -
platform
windows10_x64 -
resource
win10-en-20211208 -
submitted
30-01-2022 17:43
Static task
static1
Behavioral task
behavioral1
Sample
8a819e450fbd2edc9716dbdea0f56bafc9dbb8274e502cdb9aff3f7c6bfd9b56.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
8a819e450fbd2edc9716dbdea0f56bafc9dbb8274e502cdb9aff3f7c6bfd9b56.exe
Resource
win10-en-20211208
General
-
Target
8a819e450fbd2edc9716dbdea0f56bafc9dbb8274e502cdb9aff3f7c6bfd9b56.exe
-
Size
320KB
-
MD5
69314300da7a4a0e95be545b804565dd
-
SHA1
514a30aef41f24b74e34225858863897c5220eb6
-
SHA256
8a819e450fbd2edc9716dbdea0f56bafc9dbb8274e502cdb9aff3f7c6bfd9b56
-
SHA512
1dc5cd0196ebd22b0b23a1908edc6af84bbd70827b0281b7a13387d191153c34c4e37c8449e8e91cf8585591f9d3bc8b3b8afdfc5786034cd7f9ecafe89037c0
Malware Config
Signatures
-
Sakula Payload 2 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula -
Executes dropped EXE 1 IoCs
Processes:
MediaCenter.exepid process 3404 MediaCenter.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
8a819e450fbd2edc9716dbdea0f56bafc9dbb8274e502cdb9aff3f7c6bfd9b56.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" 8a819e450fbd2edc9716dbdea0f56bafc9dbb8274e502cdb9aff3f7c6bfd9b56.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
8a819e450fbd2edc9716dbdea0f56bafc9dbb8274e502cdb9aff3f7c6bfd9b56.exedescription pid process Token: SeIncBasePriorityPrivilege 1672 8a819e450fbd2edc9716dbdea0f56bafc9dbb8274e502cdb9aff3f7c6bfd9b56.exe -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
8a819e450fbd2edc9716dbdea0f56bafc9dbb8274e502cdb9aff3f7c6bfd9b56.execmd.exedescription pid process target process PID 1672 wrote to memory of 3404 1672 8a819e450fbd2edc9716dbdea0f56bafc9dbb8274e502cdb9aff3f7c6bfd9b56.exe MediaCenter.exe PID 1672 wrote to memory of 3404 1672 8a819e450fbd2edc9716dbdea0f56bafc9dbb8274e502cdb9aff3f7c6bfd9b56.exe MediaCenter.exe PID 1672 wrote to memory of 3404 1672 8a819e450fbd2edc9716dbdea0f56bafc9dbb8274e502cdb9aff3f7c6bfd9b56.exe MediaCenter.exe PID 1672 wrote to memory of 4288 1672 8a819e450fbd2edc9716dbdea0f56bafc9dbb8274e502cdb9aff3f7c6bfd9b56.exe cmd.exe PID 1672 wrote to memory of 4288 1672 8a819e450fbd2edc9716dbdea0f56bafc9dbb8274e502cdb9aff3f7c6bfd9b56.exe cmd.exe PID 1672 wrote to memory of 4288 1672 8a819e450fbd2edc9716dbdea0f56bafc9dbb8274e502cdb9aff3f7c6bfd9b56.exe cmd.exe PID 4288 wrote to memory of 4236 4288 cmd.exe PING.EXE PID 4288 wrote to memory of 4236 4288 cmd.exe PING.EXE PID 4288 wrote to memory of 4236 4288 cmd.exe PING.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\8a819e450fbd2edc9716dbdea0f56bafc9dbb8274e502cdb9aff3f7c6bfd9b56.exe"C:\Users\Admin\AppData\Local\Temp\8a819e450fbd2edc9716dbdea0f56bafc9dbb8274e502cdb9aff3f7c6bfd9b56.exe"1⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1672 -
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeC:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe2⤵
- Executes dropped EXE
PID:3404 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\8a819e450fbd2edc9716dbdea0f56bafc9dbb8274e502cdb9aff3f7c6bfd9b56.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:4288 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.13⤵
- Runs ping.exe
PID:4236
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
b4b0d2b0df60e423a0df1bc59ae4cda7
SHA1d00943754311b04df7168392fc0a1a9e86113df7
SHA25676006fb875011a25d04f227f7ab3eba8b2eb3ab4600d6ce81b7281a924f78606
SHA512ce9bd08cbe44ae871e03f327612870dce5ef7f2ec75e9f27f150f64da9411f8cdbf25bf8d96125b2c89a0b8d1ed766b2da2e102a5d10ff7eb5efee35c50a0765
-
MD5
b4b0d2b0df60e423a0df1bc59ae4cda7
SHA1d00943754311b04df7168392fc0a1a9e86113df7
SHA25676006fb875011a25d04f227f7ab3eba8b2eb3ab4600d6ce81b7281a924f78606
SHA512ce9bd08cbe44ae871e03f327612870dce5ef7f2ec75e9f27f150f64da9411f8cdbf25bf8d96125b2c89a0b8d1ed766b2da2e102a5d10ff7eb5efee35c50a0765