Analysis
- max time kernel: 160s
- max time network: 172s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 30-01-2022 18:04
Tasks
Static task: static1
Behavioral task: behavioral1
- Sample: 898b9cc780196111ebf157de1fbb8362abf21da678147f1198d237017c896cb9.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 898b9cc780196111ebf157de1fbb8362abf21da678147f1198d237017c896cb9.exe
- Resource: win10-en-20211208
(The platform and resource listed under Analysis identify this page as the behavioral2 run on Windows 10 x64.)
General
- Target: 898b9cc780196111ebf157de1fbb8362abf21da678147f1198d237017c896cb9.exe
- Size: 89KB
- MD5: 62d4777dd8953743d26510f00b74f444
- SHA1: 8e23f62d8701f9e050c241680c15c3220bf78228
- SHA256: 898b9cc780196111ebf157de1fbb8362abf21da678147f1198d237017c896cb9
- SHA512: 9efb88bfb322e741e7d67411cb01581cd2b81b71920688840c3ffbc746f2c9250964aca8b4f146c9e70f7f809602059cc455dc8f7ffbfff8c9a1c9ced557cfe3
Malware Config
Signatures

Sakula Payload (2 IoCs)
  resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe, yara_rule: family_sakula
  resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe, yara_rule: family_sakula

Executes dropped EXE (1 IoC)
  pid 3228, process MediaCenter.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  process: 898b9cc780196111ebf157de1fbb8362abf21da678147f1198d237017c896cb9.exe
  (The value is written under WOW6432Node, which is where a 32-bit process writing HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run lands on 64-bit Windows; check that hive path, not only the native one, when hunting for this persistence.)

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  (Generic signature text; the sample is classified as Sakula by the YARA match above, and no file-encryption activity appears elsewhere in this report.)

Runs ping.exe (1 TTP, 1 IoC)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeIncBasePriorityPrivilege, pid 3420, process 898b9cc780196111ebf157de1fbb8362abf21da678147f1198d237017c896cb9.exe

Suspicious use of WriteProcessMemory (9 IoCs)
  PID 3420 (898b9cc780196111ebf157de1fbb8362abf21da678147f1198d237017c896cb9.exe) wrote to memory of PID 3228 (MediaCenter.exe), 3 events
  PID 3420 (898b9cc780196111ebf157de1fbb8362abf21da678147f1198d237017c896cb9.exe) wrote to memory of PID 4252 (cmd.exe), 3 events
  PID 4252 (cmd.exe) wrote to memory of PID 4396 (PING.EXE), 3 events
  (Each parent writes only into the child it has just spawned, which is the pattern ordinary process creation produces; nothing here shows injection into an unrelated process.)
Processes

1. C:\Users\Admin\AppData\Local\Temp\898b9cc780196111ebf157de1fbb8362abf21da678147f1198d237017c896cb9.exe (PID 3420)
   Command line: "C:\Users\Admin\AppData\Local\Temp\898b9cc780196111ebf157de1fbb8362abf21da678147f1198d237017c896cb9.exe"
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 3228)
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE
   2. C:\Windows\SysWOW64\cmd.exe (PID 4252)
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\898b9cc780196111ebf157de1fbb8362abf21da678147f1198d237017c896cb9.exe"
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\PING.EXE (PID 4396)
         Command line: ping 127.0.0.1
         - Runs ping.exe

The cmd.exe line is the sample's self-deletion routine: ping 127.0.0.1 burns a few seconds so the original process can exit, then del /q removes the submitted executable, leaving only the dropped copy MediaCenter.exe (PID 3228), which the Run value re-launches at logon. Note that the command line names C:\Windows\System32\cmd.exe while the image path for both cmd.exe and PING.EXE resolves to C:\Windows\SysWOW64: this is WOW64 file-system redirection for a 32-bit process on the 64-bit Windows 10 host, consistent with the Run value landing under WOW6432Node.
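Detection logic for the two host-side behaviours the process tree documents, the Run value written from the sample into %TEMP% and the delayed self-deletion via cmd.exe /c ping & del, as an added example that is not part of the sandbox report. The events are constructed, Sysmon-shaped records (EventID 1 process create, EventID 13 registry value set) that mirror the report's PIDs and paths; the parent PID 1200 for the sample, the benign control events, and the rule names are assumptions made for the example.

```python
"""Flag two behaviours from the report: a Run value pointing into %TEMP%, and
self-deletion through `cmd.exe /c ping ... & del ... "<parent image>"`."""
import re
from typing import Dict, List

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\898b9cc780196111ebf157de1fbb8362abf21da678147f1198d237017c896cb9.exe")
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

# Constructed sample events, not sandbox output. PIDs and paths follow the
# report's process tree; ppid 1200 for the sample is an assumption (the
# report does not show which process launched it).
SAMPLE_EVENTS: List[Dict] = [
    {"EventID": 1, "ProcessId": 3420, "ParentProcessId": 1200,
     "Image": SAMPLE, "CommandLine": f'"{SAMPLE}"'},
    {"EventID": 13, "ProcessId": 3420, "Image": SAMPLE,
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "Details": DROPPED},
    {"EventID": 1, "ProcessId": 3228, "ParentProcessId": 3420,
     "Image": DROPPED, "CommandLine": DROPPED},
    {"EventID": 1, "ProcessId": 4252, "ParentProcessId": 3420,
     "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"'},
    {"EventID": 1, "ProcessId": 4396, "ParentProcessId": 4252,
     "Image": r"C:\Windows\SysWOW64\PING.EXE", "CommandLine": "ping 127.0.0.1"},
    # Benign controls (assumed): an installer registering a Program Files binary,
    # and a plain connectivity check with no delete chained after it.
    {"EventID": 13, "ProcessId": 5001, "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
     "Details": '"C:\\Program Files\\Vendor\\agent.exe" /background'},
    {"EventID": 1, "ProcessId": 5002, "ParentProcessId": 5001,
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": '"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1'},
]

# Matches both the native Run key and the WOW6432Node one, capturing the value name.
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\([^\\]+)$", re.I)
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)


def _first_path(details: str) -> str:
    """Extract the executable path from Run value data that may be quoted and
    followed by arguments."""
    details = details.strip()
    if details.startswith('"'):
        return details[1:].split('"', 1)[0]
    return details.split(" ", 1)[0]


def detect_temp_run_key(events: List[Dict]) -> List[Dict]:
    """Run/RunOnce values whose target lives under the user's Temp directory."""
    findings = []
    for e in events:
        if e.get("EventID") != 13:
            continue
        m = RUN_KEY_RE.search(e["TargetObject"])
        if not m:
            continue
        target = _first_path(e["Details"])
        if TEMP_DIR_RE.search(target):
            findings.append({"rule": "run_key_points_to_temp", "pid": e["ProcessId"],
                             "value_name": m.group(1), "target": target,
                             "wow64": "\\WOW6432Node\\" in e["TargetObject"]})
    return findings


def detect_self_delete(events: List[Dict]) -> List[Dict]:
    """cmd.exe whose /c payload delays (ping/timeout) and then deletes the image
    of the process that spawned it."""
    procs = {e["ProcessId"]: e for e in events if e.get("EventID") == 1}
    findings = []
    for e in procs.values():
        if not e["Image"].lower().endswith("\\cmd.exe"):
            continue
        m = re.search(r"/[ck]\s+(.*)$", e["CommandLine"], re.I)
        if not m:
            continue
        # Split the payload on cmd's '&' / '&&' chaining operators.
        segs = [s.strip() for s in re.split(r"\s*&+\s*", m.group(1)) if s.strip()]
        delayed = any(re.match(r"(?:ping|timeout)\b", s, re.I) for s in segs)
        dels = [s for s in segs if re.match(r"(?:del|erase)\b", s, re.I)]
        parent = procs.get(e["ParentProcessId"])
        if not (delayed and dels and parent):
            continue
        for d in dels:
            targets = re.findall(r'"([^"]+)"', d) or [d.split()[-1]]
            for t in targets:
                if t.lower() == parent["Image"].lower():
                    findings.append({"rule": "self_delete_via_ping", "cmd_pid": e["ProcessId"],
                                     "parent_pid": parent["ProcessId"], "target": t})
    return findings


def analyze(events: List[Dict]) -> List[Dict]:
    return detect_temp_run_key(events) + detect_self_delete(events)


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding)
```

The self-deletion rule deliberately requires the del target to equal the parent's image path rather than matching any `ping & del` string: that keeps installers that clean up their own temp files from firing unless they are deleting the binary that spawned the shell. The Run-key rule reports whether the hit came from WOW6432Node so an analyst knows which view of the hive to clean.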
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: f9f0267533915bd566e60d273a451770
- SHA1: 4ad80379da0e2b5d1619e05c519af5a20922cde5
- SHA256: 61b9a98afe3db013954845ba3a6de3ab495e8bbef33cecf04e8bed03e5c5e342
- SHA512: 4475da203d127e7f5f937c53a80ca28c89feeff63eed5f66a6492bb4832e2ac4f234019c79ce83513da2531b5b2bd347a382ef5e2aa4e80c7694cecbfafb9356