Analysis
- max time kernel: 162s
- max time network: 172s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 30-01-2022 18:02
Static task: static1
Behavioral task: behavioral1
  Sample: 81f2a6dc518fb6d785e4a64d29ae5fd9b7a9140b98bded7c010f47f223f2d106.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 81f2a6dc518fb6d785e4a64d29ae5fd9b7a9140b98bded7c010f47f223f2d106.exe
  Resource: win10-en-20211208
General
- Target: 81f2a6dc518fb6d785e4a64d29ae5fd9b7a9140b98bded7c010f47f223f2d106.exe
- Size: 89KB
- MD5: 638304bf859e7be2f0fa39a655fdaffc
- SHA1: 646d54222f020f92fe2e0533c676bb104004686c
- SHA256: 81f2a6dc518fb6d785e4a64d29ae5fd9b7a9140b98bded7c010f47f223f2d106
- SHA512: fce95cbba24ef5b3aa74e70523b28ac9e074928a2e6b3786c7ff8dd6604704ae2c8c80afa3f6812bfbe5d3400a5bd3c3bb8f3db095c3dcc5fc416a9647fa4803
Malware Config
Signatures
-
- Sakula Payload (2 IoCs)
  Processes:
    resource                                                      yara_rule
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  family_sakula
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  family_sakula
- Executes dropped EXE (1 IoC)
  Processes: MediaCenter.exe
    pid   process
    2760  MediaCenter.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: 81f2a6dc518fb6d785e4a64d29ae5fd9b7a9140b98bded7c010f47f223f2d106.exe
    description      ioc                                                                                                                                                         process
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  81f2a6dc518fb6d785e4a64d29ae5fd9b7a9140b98bded7c010f47f223f2d106.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: 81f2a6dc518fb6d785e4a64d29ae5fd9b7a9140b98bded7c010f47f223f2d106.exe
    description                       pid   process
    Token: SeIncBasePriorityPrivilege  2708  81f2a6dc518fb6d785e4a64d29ae5fd9b7a9140b98bded7c010f47f223f2d106.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: 81f2a6dc518fb6d785e4a64d29ae5fd9b7a9140b98bded7c010f47f223f2d106.exe, cmd.exe
    description                       pid   process                                                                target process
    PID 2708 wrote to memory of 2760  2708  81f2a6dc518fb6d785e4a64d29ae5fd9b7a9140b98bded7c010f47f223f2d106.exe  MediaCenter.exe
    PID 2708 wrote to memory of 2760  2708  81f2a6dc518fb6d785e4a64d29ae5fd9b7a9140b98bded7c010f47f223f2d106.exe  MediaCenter.exe
    PID 2708 wrote to memory of 2760  2708  81f2a6dc518fb6d785e4a64d29ae5fd9b7a9140b98bded7c010f47f223f2d106.exe  MediaCenter.exe
    PID 2708 wrote to memory of 3684  2708  81f2a6dc518fb6d785e4a64d29ae5fd9b7a9140b98bded7c010f47f223f2d106.exe  cmd.exe
    PID 2708 wrote to memory of 3684  2708  81f2a6dc518fb6d785e4a64d29ae5fd9b7a9140b98bded7c010f47f223f2d106.exe  cmd.exe
    PID 2708 wrote to memory of 3684  2708  81f2a6dc518fb6d785e4a64d29ae5fd9b7a9140b98bded7c010f47f223f2d106.exe  cmd.exe
    PID 3684 wrote to memory of 1588  3684  cmd.exe                                                                PING.EXE
    PID 3684 wrote to memory of 1588  3684  cmd.exe                                                                PING.EXE
    PID 3684 wrote to memory of 1588  3684  cmd.exe                                                                PING.EXE
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\81f2a6dc518fb6d785e4a64d29ae5fd9b7a9140b98bded7c010f47f223f2d106.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\81f2a6dc518fb6d785e4a64d29ae5fd9b7a9140b98bded7c010f47f223f2d106.exe"
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2708
  - [2] C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 2760
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\81f2a6dc518fb6d785e4a64d29ae5fd9b7a9140b98bded7c010f47f223f2d106.exe"
    - Suspicious use of WriteProcessMemory
    PID: 3684
    - [3] C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1588
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 8f3120e2d591c8ddea339acf790eee48
  SHA1: b11bf96ea3ee912d84d1c1c9efb4e51a1e479379
  SHA256: 26802f4e673795d0fc1633499afb5d79b7de53c9fd7f034a9c2313ba3f6c2b17
  SHA512: 2fd1a750194fab6f4aa4dcafa026bd7faaccc7dc26cce46142e3cc334ad93866ae8a99a06d9df9e96d83cc2df665e4de3df7fa69deed7b897b71742f36f66a6a