Analysis
- max time kernel: 138s
- max time network: 157s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 30-01-2022 18:56
Static task
- static1

Behavioral task
- behavioral1
  Sample: 099baab8695d559acbd74dd1645e97cbefe47ed04244aa57cf66410b031de7dc.exe
  Resource: win7-en-20211208

Behavioral task
- behavioral2
  Sample: 099baab8695d559acbd74dd1645e97cbefe47ed04244aa57cf66410b031de7dc.exe
  Resource: win10-en-20211208
General
- Target: 099baab8695d559acbd74dd1645e97cbefe47ed04244aa57cf66410b031de7dc.exe
- Size: 89KB
- MD5: 5482deee917c374bab43dd83a4a6c722
- SHA1: 92a984f289e24abae44c4237d09c9ff3a198783a
- SHA256: 099baab8695d559acbd74dd1645e97cbefe47ed04244aa57cf66410b031de7dc
- SHA512: 8596f9d2bba261d2f000b81b2f68a275b04f469143a02b9f61a401c4a04b625ddb7b03e4da4c85eb5f4fec3f07f53d3113256a0babfeae908e0cbbeb6a5e4492
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula

- Executes dropped EXE (1 IoC)
  Processes: MediaCenter.exe
  pid | process
  1860 | MediaCenter.exe

- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: 099baab8695d559acbd74dd1645e97cbefe47ed04244aa57cf66410b031de7dc.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 099baab8695d559acbd74dd1645e97cbefe47ed04244aa57cf66410b031de7dc.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Runs ping.exe (1 TTP, 1 IoC)

- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: 099baab8695d559acbd74dd1645e97cbefe47ed04244aa57cf66410b031de7dc.exe
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 3704 | 099baab8695d559acbd74dd1645e97cbefe47ed04244aa57cf66410b031de7dc.exe

- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: 099baab8695d559acbd74dd1645e97cbefe47ed04244aa57cf66410b031de7dc.exe, cmd.exe
  description | pid | process | target process
  PID 3704 wrote to memory of 1860 | 3704 | 099baab8695d559acbd74dd1645e97cbefe47ed04244aa57cf66410b031de7dc.exe | MediaCenter.exe
  PID 3704 wrote to memory of 1860 | 3704 | 099baab8695d559acbd74dd1645e97cbefe47ed04244aa57cf66410b031de7dc.exe | MediaCenter.exe
  PID 3704 wrote to memory of 1860 | 3704 | 099baab8695d559acbd74dd1645e97cbefe47ed04244aa57cf66410b031de7dc.exe | MediaCenter.exe
  PID 3704 wrote to memory of 1268 | 3704 | 099baab8695d559acbd74dd1645e97cbefe47ed04244aa57cf66410b031de7dc.exe | cmd.exe
  PID 3704 wrote to memory of 1268 | 3704 | 099baab8695d559acbd74dd1645e97cbefe47ed04244aa57cf66410b031de7dc.exe | cmd.exe
  PID 3704 wrote to memory of 1268 | 3704 | 099baab8695d559acbd74dd1645e97cbefe47ed04244aa57cf66410b031de7dc.exe | cmd.exe
  PID 1268 wrote to memory of 2952 | 1268 | cmd.exe | PING.EXE
  PID 1268 wrote to memory of 2952 | 1268 | cmd.exe | PING.EXE
  PID 1268 wrote to memory of 2952 | 1268 | cmd.exe | PING.EXE
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\099baab8695d559acbd74dd1645e97cbefe47ed04244aa57cf66410b031de7dc.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\099baab8695d559acbd74dd1645e97cbefe47ed04244aa57cf66410b031de7dc.exe"
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 3704

  - [2] C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1860

  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\099baab8695d559acbd74dd1645e97cbefe47ed04244aa57cf66410b031de7dc.exe"
    - Suspicious use of WriteProcessMemory
    PID: 1268

    - [3] C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 2952
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: a84ae09db577277245e1606a4fa02037
  SHA1: 16e1102b4fb2509b5b90e580260fda21cf9ae33d
  SHA256: 0412222315aea036ec73c72019b1ef8979c2c45bb3b45464866fb1ea4de4b835
  SHA512: 03025975a50f584d18d0ed75cca4ddb3494285679121ad6749cf1e7da356b0d4f21cae55ea6e1c972ea8ad2b6af7d520d74ca988fb502b1c80ca3588bae8399e