Analysis
- max time kernel: 166s
- max time network: 179s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 30-01-2022 18:02
Static task: static1

Behavioral task: behavioral1
- Sample: 14bab3a5cf879883e3c61b31ba722519360eac9ba68016ecacc9ae611e898d38.exe
- Resource: win7-en-20211208

Behavioral task: behavioral2
- Sample: 14bab3a5cf879883e3c61b31ba722519360eac9ba68016ecacc9ae611e898d38.exe
- Resource: win10-en-20211208
General
- Target: 14bab3a5cf879883e3c61b31ba722519360eac9ba68016ecacc9ae611e898d38.exe
- Size: 89KB
- MD5: 63ae83244a8d7ca1eef4e834eb0eb07f
- SHA1: 36f79f828ce802cc2ed8dd37cae5247362fb11ea
- SHA256: 14bab3a5cf879883e3c61b31ba722519360eac9ba68016ecacc9ae611e898d38
- SHA512: 8a5ac6c6a16e703aaa56a982ce0d5afcb17ebf818c0faddae8bba4e5818f976fa6db15c6e5d49144c73fac3fab75bd5e3f991fb8fe624abffb266db30f6ebf82
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula

- Executes dropped EXE (1 IoC)
  Processes:
  pid | process
  2244 | MediaCenter.exe

- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 14bab3a5cf879883e3c61b31ba722519360eac9ba68016ecacc9ae611e898d38.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Runs ping.exe (1 TTP, 1 IoC)

- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 3100 | 14bab3a5cf879883e3c61b31ba722519360eac9ba68016ecacc9ae611e898d38.exe

- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
  description | pid | process | target process
  PID 3100 wrote to memory of 2244 | 3100 | 14bab3a5cf879883e3c61b31ba722519360eac9ba68016ecacc9ae611e898d38.exe | MediaCenter.exe
  PID 3100 wrote to memory of 2244 | 3100 | 14bab3a5cf879883e3c61b31ba722519360eac9ba68016ecacc9ae611e898d38.exe | MediaCenter.exe
  PID 3100 wrote to memory of 2244 | 3100 | 14bab3a5cf879883e3c61b31ba722519360eac9ba68016ecacc9ae611e898d38.exe | MediaCenter.exe
  PID 3100 wrote to memory of 3716 | 3100 | 14bab3a5cf879883e3c61b31ba722519360eac9ba68016ecacc9ae611e898d38.exe | cmd.exe
  PID 3100 wrote to memory of 3716 | 3100 | 14bab3a5cf879883e3c61b31ba722519360eac9ba68016ecacc9ae611e898d38.exe | cmd.exe
  PID 3100 wrote to memory of 3716 | 3100 | 14bab3a5cf879883e3c61b31ba722519360eac9ba68016ecacc9ae611e898d38.exe | cmd.exe
  PID 3716 wrote to memory of 876 | 3716 | cmd.exe | PING.EXE
  PID 3716 wrote to memory of 876 | 3716 | cmd.exe | PING.EXE
  PID 3716 wrote to memory of 876 | 3716 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\14bab3a5cf879883e3c61b31ba722519360eac9ba68016ecacc9ae611e898d38.exe (PID 3100, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\14bab3a5cf879883e3c61b31ba722519360eac9ba68016ecacc9ae611e898d38.exe"
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 2244, depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 3716, depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\14bab3a5cf879883e3c61b31ba722519360eac9ba68016ecacc9ae611e898d38.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 876, depth 3)
      Command line: ping 127.0.0.1
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 28cd675adf79d3416ffdc3cfde85918a
  SHA1: 39b41075e714220ff8f30549d4d9930855874584
  SHA256: b8b402141115ce6e7a6cdf25ce1ed7315a5408f00fa0f72acf58cd9b3f53e2d5
  SHA512: 1083b2919753d5b175fb597dd1468e6a9d06c0ddee19ad10c277fe48d50f83629dd622cfbdee121253224188232ffb407b1366b5f17b566756da5347646dfe8a