Analysis
max time kernel: 159s
max time network: 166s
platform: windows10_x64
resource: win10-en-20211208
submitted: 30-01-2022 17:43
Static task: static1
Behavioral task: behavioral1 (Sample: c4172c6ac1e00bb82cce8ce000b3a199e5f65b0936bc5fb67f28e0d8fc34ded6.exe; Resource: win7-en-20211208)
Behavioral task: behavioral2 (Sample: c4172c6ac1e00bb82cce8ce000b3a199e5f65b0936bc5fb67f28e0d8fc34ded6.exe; Resource: win10-en-20211208)
General
Target: c4172c6ac1e00bb82cce8ce000b3a199e5f65b0936bc5fb67f28e0d8fc34ded6.exe
Size: 89KB
MD5: 69374e5bcb38a82ef60c97ec0569ded3
SHA1: 2baffb0df06fea13ea97658e200fcecd1ee346eb
SHA256: c4172c6ac1e00bb82cce8ce000b3a199e5f65b0936bc5fb67f28e0d8fc34ded6
SHA512: fe9fc743285242fef57aabf78d0d391ec32120c815ebb6240b439cdc28cd4080c736ad8ce7d2affddaf6fd61f57bc949947d6c4b3111e383efca4f52397a3c23
Malware Config
Signatures
Sakula Payload (2 IoCs)
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
Executes dropped EXE (1 IoC)
pid | process
3724 | MediaCenter.exe
Adds Run key to start application (2 TTPs, 1 IoC)
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe" | c4172c6ac1e00bb82cce8ce000b3a199e5f65b0936bc5fb67f28e0d8fc34ded6.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox attaches its generic "likely ransomware behaviour" description to this signature; Sakula is a remote-access trojan, and no file encryption is recorded anywhere in this run, so treat the storage enumeration as reconnaissance rather than as a ransomware indicator.
Runs ping.exe (1 TTP, 1 IoC)
Suspicious use of AdjustPrivilegeToken (1 IoC)
description | pid | process
Token: SeIncBasePriorityPrivilege | 3716 | c4172c6ac1e00bb82cce8ce000b3a199e5f65b0936bc5fb67f28e0d8fc34ded6.exe
Suspicious use of WriteProcessMemory (9 IoCs)
description | pid | process | target process
PID 3716 wrote to memory of 3724 (logged 3 times) | 3716 | c4172c6ac1e00bb82cce8ce000b3a199e5f65b0936bc5fb67f28e0d8fc34ded6.exe | MediaCenter.exe
PID 3716 wrote to memory of 1644 (logged 3 times) | 3716 | c4172c6ac1e00bb82cce8ce000b3a199e5f65b0936bc5fb67f28e0d8fc34ded6.exe | cmd.exe
PID 1644 wrote to memory of 4468 (logged 3 times) | 1644 | cmd.exe | PING.EXE
Every target here is a child that the writing process itself had just created, which is the memory-write pattern CreateProcess produces while setting up a new process; the report records no write into a process the sample did not spawn, so this signature does not by itself show code injection into a foreign process.
Processes
- C:\Users\Admin\AppData\Local\Temp\c4172c6ac1e00bb82cce8ce000b3a199e5f65b0936bc5fb67f28e0d8fc34ded6.exe (PID 3716)
  command line: "C:\Users\Admin\AppData\Local\Temp\c4172c6ac1e00bb82cce8ce000b3a199e5f65b0936bc5fb67f28e0d8fc34ded6.exe"
  signatures: Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 3724)
    command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    signatures: Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 1644)
    command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\c4172c6ac1e00bb82cce8ce000b3a199e5f65b0936bc5fb67f28e0d8fc34ded6.exe"
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 4468)
      command line: ping 127.0.0.1
      signatures: Runs ping.exe
The tree shows the whole first stage: the dropper writes MediaCenter.exe under %TEMP%\MicroMedia, registers it in the Run key, starts it, and then removes itself with the common "ping 127.0.0.1 & del" idiom (ping is only a delay so the dropper's own image is no longer locked when del runs). The 32-bit sample requested System32\cmd.exe but the image actually started is SysWOW64\cmd.exe, the usual file-system redirection for a 32-bit process on 64-bit Windows; the Run key landing under WOW6432Node is the registry side of the same redirection.
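The Run-key IoC and the self-deletion branch of the process tree are the two behaviours a detection engineer would want to alert on from endpoint telemetry. The example below is added here and is not code from the sandbox or from the report; it runs two checks over constructed Sysmon-style events modelled on the tree above (the PIDs, paths and command lines are copied from the report, the event structure and the parent PID 1000 for the sample are assumptions). The Run-key check is written slightly more generally than the single IoC: it also matches RunOnce and other user-writable drop locations.

```python
import re

# Constructed events modelled on the process tree and registry IoC in the
# report above (Sysmon-like fields). Hand-written for this example; not the
# sandbox's raw output. The parent PID 1000 of the sample is an assumption.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\c4172c6ac1e00bb82cce8ce000b3a199e5f65b0936bc5fb67f28e0d8fc34ded6.exe")
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
RUN_KEY = (r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows"
           r"\CurrentVersion\Run\MicroMedia")

EVENTS = [
    {"type": "process", "pid": 3716, "ppid": 1000, "image": SAMPLE,
     "cmdline": f'"{SAMPLE}"'},
    {"type": "registry", "pid": 3716, "key": RUN_KEY, "value": DROPPED},
    {"type": "process", "pid": 3724, "ppid": 3716, "image": DROPPED,
     "cmdline": DROPPED},
    {"type": "process", "pid": 1644, "ppid": 3716,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": rf'"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"'},
    {"type": "process", "pid": 4468, "ppid": 1644,
     "image": r"C:\Windows\SysWOW64\PING.EXE", "cmdline": "ping 127.0.0.1"},
]

# Run / RunOnce under either the native or the WOW6432Node hive path.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(?:Once)?\\", re.I)
# Locations an unprivileged user can write to; a Run entry pointing here is
# the persistence shape seen in the report (%TEMP%\MicroMedia\MediaCenter.exe).
USER_WRITABLE_RE = re.compile(
    r"\\(?:AppData\\Local\\Temp|AppData\\Roaming|ProgramData|Users\\Public)\\", re.I)
# "del [/flags] <path>" at the end of a cmd.exe command line.
DEL_RE = re.compile(r'\bdel\b\s+(?:/\w\s+)*"?([^"&]+?)"?\s*$', re.I)
PING_RE = re.compile(r"\bping\b", re.I)


def detect_run_key_persistence(events):
    """Return (pid, key, value) for Run/RunOnce values that point at a
    user-writable location."""
    findings = []
    for ev in events:
        if ev["type"] != "registry" or not RUN_KEY_RE.search(ev["key"]):
            continue
        target = ev["value"].strip('"')
        if USER_WRITABLE_RE.search(target):
            findings.append((ev["pid"], ev["key"], target))
    return findings


def detect_ping_self_delete(events):
    """Return (cmd_pid, parent_pid, parent_image) when cmd.exe runs a
    ping-delayed del whose target is the image of the process that
    launched it, i.e. the parent is deleting itself."""
    by_pid = {ev["pid"]: ev for ev in events if ev["type"] == "process"}
    findings = []
    for ev in events:
        if ev["type"] != "process":
            continue
        if not ev["image"].lower().endswith("cmd.exe"):
            continue
        cmd = ev["cmdline"]
        if not PING_RE.search(cmd):
            continue
        m = DEL_RE.search(cmd)
        if not m:
            continue
        target = m.group(1).strip().lower()
        parent = by_pid.get(ev["ppid"])
        if parent is not None and parent["image"].lower() == target:
            findings.append((ev["pid"], ev["ppid"], parent["image"]))
    return findings


if __name__ == "__main__":
    for pid, key, value in detect_run_key_persistence(EVENTS):
        print(f"[persistence] pid {pid} set {key} -> {value}")
    for pid, ppid, image in detect_ping_self_delete(EVENTS):
        print(f"[self-delete] cmd.exe pid {pid} deleting parent {ppid}: {image}")
```

The self-delete check deliberately requires the del target to equal the parent's own image; a cmd.exe that pings and deletes some other file is common in installers and would otherwise be a noisy alert. On real telemetry the parent lookup needs the process-creation event of the parent to be in the same window, since the dropper has usually exited by the time del runs.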
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: 628c0c97396f0fd34bc52f16c58b423a
SHA1: f6323cd86bd1a46b1a70e8cab7ec42438e2fb609
SHA256: 02f4ace68a4f39117ba1082b08cb54710635b2d6f2ad54c3f1b72b3ecf6dcaf7
SHA512: 01b892fc78c80631f787c8df4c38585ddd41b63c2171d9b80af0a7b37ed23498d364c0222a0bd96be68fb15cc5e4215446b01b7d314befc9844ced4e327fc713