Analysis
max time kernel: 162s
max time network: 181s
platform: windows10_x64
resource: win10-en-20211208
submitted: 30-01-2022 17:50
Static task: static1
Behavioral task: behavioral1
  Sample: 96daa5e74f5c9e2ce501ea14341f7da17ab6111b24187d1bc00f2565952bcfa1.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 96daa5e74f5c9e2ce501ea14341f7da17ab6111b24187d1bc00f2565952bcfa1.exe
  Resource: win10-en-20211208
General
Target: 96daa5e74f5c9e2ce501ea14341f7da17ab6111b24187d1bc00f2565952bcfa1.exe
Size: 89KB
MD5: 67112866e800b9dce2892cf827444d60
SHA1: 0f8cda402017d87a94c6f87a7fa872dfc1aa1bea
SHA256: 96daa5e74f5c9e2ce501ea14341f7da17ab6111b24187d1bc00f2565952bcfa1
SHA512: 9a0f03cf324879803a9e97a5453184877927b8725b7159652537f68a91203ca2c5568660c95cc2718b4dfeab02b1c7f1fbc3658465a04862e8fdedae7cb13569
Malware Config
Signatures
Sakula Payload (2 IoCs)
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
Executes dropped EXE (1 IoC)
pid | process
3624 | MediaCenter.exe
Adds Run key to start application (2 TTPs, 1 IoC)
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 96daa5e74f5c9e2ce501ea14341f7da17ab6111b24187d1bc00f2565952bcfa1.exe
The value registers the dropped MediaCenter.exe (the file matched by the Sakula YARA rule above) to start at logon. It sits under WOW6432Node because the sample is a 32-bit process: on 64-bit Windows the registry redirector maps its write to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run into that view. Either HKLM Run key applies to every user who logs on, and writing there requires administrative rights. The doubled backslashes are the report's escaped rendering of the string data, not part of the stored value.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox tags this as likely ransomware behaviour, but that is its generic description of the heuristic: the payload is classified above as Sakula, a remote-access trojan, so storage enumeration on its own is not evidence of file encryption here.
Runs ping.exe (1 TTP, 1 IoC)
See PING.EXE (PID 436) in the process tree below.
Suspicious use of AdjustPrivilegeToken (1 IoC)
description | pid | process
Token: SeIncBasePriorityPrivilege | 1156 | 96daa5e74f5c9e2ce501ea14341f7da17ab6111b24187d1bc00f2565952bcfa1.exe
SeIncBasePriorityPrivilege only permits raising a process's scheduling priority; enabling it is a weak signal by itself and matters mainly as part of the overall picture.
Suspicious use of WriteProcessMemory (9 IoCs)
description | source pid | source process | target pid | target process | count
PID 1156 wrote to memory of 3624 | 1156 | 96daa5e74f5c9e2ce501ea14341f7da17ab6111b24187d1bc00f2565952bcfa1.exe | 3624 | MediaCenter.exe | 3
PID 1156 wrote to memory of 3388 | 1156 | 96daa5e74f5c9e2ce501ea14341f7da17ab6111b24187d1bc00f2565952bcfa1.exe | 3388 | cmd.exe | 3
PID 3388 wrote to memory of 436 | 3388 | cmd.exe | 436 | PING.EXE | 3
Every write here goes from a parent to a child it has just created, which is also what ordinary process start-up looks like to this hook; the signature therefore does not by itself establish code injection.
Processes
C:\Users\Admin\AppData\Local\Temp\96daa5e74f5c9e2ce501ea14341f7da17ab6111b24187d1bc00f2565952bcfa1.exe (PID 1156)
  Command line: "C:\Users\Admin\AppData\Local\Temp\96daa5e74f5c9e2ce501ea14341f7da17ab6111b24187d1bc00f2565952bcfa1.exe"
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 3624)
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE
    C:\Windows\SysWOW64\cmd.exe (PID 3388)
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\96daa5e74f5c9e2ce501ea14341f7da17ab6111b24187d1bc00f2565952bcfa1.exe"
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\PING.EXE (PID 436)
          Command line: ping 127.0.0.1
          - Runs ping.exe
The cmd.exe child is the sample's clean-up step: ping 127.0.0.1 (four echo requests, roughly three seconds) only buys time for the parent to exit before del /q removes the original executable from %TEMP%, leaving the dropped MediaCenter.exe, registered under the Run key, as the persistent copy. The command line names C:\Windows\System32\cmd.exe while the image path is C:\Windows\SysWOW64\cmd.exe because the sample runs as a 32-bit process and WOW64 file-system redirection resolves System32 to SysWOW64; this matches the WOW6432Node registry path recorded above.
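The two behaviours that matter most operationally in this report, the Run-key entry pointing into a user's Temp directory and the cmd.exe ping-then-del self-deletion, as detection logic. This is an added example for the page, not output of the sandbox or code from the sample: the event records are constructed from the process tree and registry IoC above, and the field names (pid, ppid, image, cmdline, key, value, data) are an assumed telemetry layout rather than any real sandbox or EDR schema. The self-deletion check also generalises beyond this sample to the common ping -n N variants and to localhost/::1.

```python
"""Detection logic for two behaviours recorded in this report: a Run-key value
that points into a user-writable temp directory, and the
'cmd /c ping 127.0.0.1 & del /q <self>' self-deletion pattern.

The event records below are CONSTRUCTED from the report's process tree and
registry IoC; the field names (pid, ppid, image, cmdline, key, value, data)
are an assumed telemetry layout, not a real sandbox or EDR schema."""
import ntpath
import re

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\96daa5e74f5c9e2ce501ea14341f7da17ab6111b24187d1bc00f2565952bcfa1.exe")
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

# Constructed process-creation events, one per node of the report's process tree.
PROCESS_EVENTS = [
    {"pid": 1156, "ppid": 0, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 3624, "ppid": 1156, "image": DROPPED, "cmdline": DROPPED},
    {"pid": 3388, "ppid": 1156, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"'},
    {"pid": 436, "ppid": 3388, "image": r"C:\Windows\SysWOW64\PING.EXE",
     "cmdline": "ping 127.0.0.1"},
]

# Constructed registry set-value event taken from the 'Adds Run key' IoC above.
REGISTRY_EVENTS = [
    {"pid": 1156,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run",
     "value": "MicroMedia", "data": DROPPED},
]

# Native and WOW6432Node Run/RunOnce keys share the same tail, so match on that.
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?$", re.I)
# Locations a legitimate installer rarely registers an autostart from.
UNTRUSTED_DIR_RE = re.compile(
    r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\|\\ProgramData\\|\\Users\\Public\\", re.I)
# ping to a loopback address used as a delay, then del of a quoted or bare path.
SELF_DELETE_RE = re.compile(
    r'ping\s+(?:-n\s+\d+\s+)?(?:127\.0\.0\.1|localhost|::1)\b.*?&+\s*del\s+'
    r'(?:/[a-z]\s+)*"?(?P<target>[^"&]+?)"?\s*$', re.I)


def find_run_key_persistence(reg_events):
    """Return (pid, value name, target path) for Run-key values whose target
    lives in a user-writable or temp location."""
    hits = []
    for ev in reg_events:
        if not RUN_KEY_RE.search(ev["key"]):
            continue
        target = ev["data"].strip().strip('"')
        if UNTRUSTED_DIR_RE.search(target):
            hits.append((ev["pid"], ev["value"], target))
    return hits


def find_self_deletion(proc_events):
    """Flag cmd.exe instances running a ping-delay-then-del chain and record
    whether the deleted file is the parent process's own image."""
    by_pid = {p["pid"]: p for p in proc_events}
    hits = []
    for p in proc_events:
        if ntpath.basename(p["image"]).lower() != "cmd.exe":
            continue
        m = SELF_DELETE_RE.search(p["cmdline"])
        if not m:
            continue
        target = m.group("target").strip()
        parent = by_pid.get(p["ppid"])
        parent_image = ntpath.normcase(parent["image"]) if parent else None
        hits.append({"pid": p["pid"], "ppid": p["ppid"], "target": target,
                     "deletes_parent": ntpath.normcase(target) == parent_image})
    return hits


if __name__ == "__main__":
    for hit in find_run_key_persistence(REGISTRY_EVENTS):
        print("Run-key persistence set by PID %d: %s -> %s" % hit)
    for hit in find_self_deletion(PROCESS_EVENTS):
        print("Self-deletion by PID %(pid)d (parent %(ppid)d) of %(target)s; "
              "target is parent image: %(deletes_parent)s" % hit)
```

The self-deletion rule keys on the combination (loopback ping used as a sleep, then del of a file the parent owns) rather than on ping or del alone, which keeps it quiet on ordinary administration scripts; the Run-key rule treats the target directory, not the key itself, as the suspicious element, since legitimate software writes to the same key from Program Files.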
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: cad9f0c48b156f655a719ce39341ce6e
SHA1: 2a11149f0d07f37b0a6727975f91b04a08a60d0e
SHA256: 41463365ddb092b4b3443e33fc591226192e05fbbde965aa8001474d3f52177e
SHA512: b7b4cf3d4ca09c68cb74a3e6adceb156dc1ceb00c492a6d34277ab21ab1662cc92dc4893ee4a5aac8c2ea35d040911079221325b79c8862343f841a879a2accd