Analysis
Max time kernel: 157s
Max time network: 157s
Platform: windows10_x64
Resource: win10-en-20211208
Submitted: 30-01-2022 20:18
Static task: static1
Behavioral task: behavioral1
  Sample: b719bca6ade9b83bbadd435e49f5a7c43e586b112ac3f342ca37daaa01ace9bb.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: b719bca6ade9b83bbadd435e49f5a7c43e586b112ac3f342ca37daaa01ace9bb.exe
  Resource: win10-en-20211208
General
Target: b719bca6ade9b83bbadd435e49f5a7c43e586b112ac3f342ca37daaa01ace9bb.exe
Size: 89KB
MD5: 416e831d583665352fe16fe9232d36cf
SHA1: 50e7b4d4f3ab5fa9c77c0286213e7980ed52f6f6
SHA256: b719bca6ade9b83bbadd435e49f5a7c43e586b112ac3f342ca37daaa01ace9bb
SHA512: 49ce4109c6564507c44ff2b6881d560522900a2e564fce834e9a645d526d0853288ca5a4c348caf4570ef03eee2a26fee263de06a3f23f1979cb532f82399cc0
Malware Config
Signatures

Sakula Payload (2 IoCs)
  Processes:
    resource | yara_rule
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula

Executes dropped EXE (1 IoC)
  Processes:
    pid | process
    1208 | MediaCenter.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    description | ioc | process
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | b719bca6ade9b83bbadd435e49f5a7c43e586b112ac3f342ca37daaa01ace9bb.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTP, 1 IoC)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description | pid | process
    Token: SeIncBasePriorityPrivilege | 3048 | b719bca6ade9b83bbadd435e49f5a7c43e586b112ac3f342ca37daaa01ace9bb.exe

Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
    description | pid | process | target process
    PID 3048 wrote to memory of 1208 | 3048 | b719bca6ade9b83bbadd435e49f5a7c43e586b112ac3f342ca37daaa01ace9bb.exe | MediaCenter.exe
    PID 3048 wrote to memory of 1208 | 3048 | b719bca6ade9b83bbadd435e49f5a7c43e586b112ac3f342ca37daaa01ace9bb.exe | MediaCenter.exe
    PID 3048 wrote to memory of 1208 | 3048 | b719bca6ade9b83bbadd435e49f5a7c43e586b112ac3f342ca37daaa01ace9bb.exe | MediaCenter.exe
    PID 3048 wrote to memory of 424 | 3048 | b719bca6ade9b83bbadd435e49f5a7c43e586b112ac3f342ca37daaa01ace9bb.exe | cmd.exe
    PID 3048 wrote to memory of 424 | 3048 | b719bca6ade9b83bbadd435e49f5a7c43e586b112ac3f342ca37daaa01ace9bb.exe | cmd.exe
    PID 3048 wrote to memory of 424 | 3048 | b719bca6ade9b83bbadd435e49f5a7c43e586b112ac3f342ca37daaa01ace9bb.exe | cmd.exe
    PID 424 wrote to memory of 4032 | 424 | cmd.exe | PING.EXE
    PID 424 wrote to memory of 4032 | 424 | cmd.exe | PING.EXE
    PID 424 wrote to memory of 4032 | 424 | cmd.exe | PING.EXE
Processes

[1] C:\Users\Admin\AppData\Local\Temp\b719bca6ade9b83bbadd435e49f5a7c43e586b112ac3f342ca37daaa01ace9bb.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\b719bca6ade9b83bbadd435e49f5a7c43e586b112ac3f342ca37daaa01ace9bb.exe"
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 3048

  [2] C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE
      PID: 1208

  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\b719bca6ade9b83bbadd435e49f5a7c43e586b112ac3f342ca37daaa01ace9bb.exe"
      - Suspicious use of WriteProcessMemory
      PID: 424

    [3] C:\Windows\SysWOW64\PING.EXE
        Command line: ping 127.0.0.1
        - Runs ping.exe
        PID: 4032
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: 0a57543ce165c0b5d9099ff33a6fc92e
SHA1: b47ba0e40b50110f593e1ab1aecaff8e43bc13fa
SHA256: a1f4d759f5a100062d08effffe85786feea313282f89e38bb839c788f8618c37
SHA512: 1c7336045b834d35e91f061daa1bda467b58ecf47280270cc92ff2ea5856cac01d7015d728156df11e32e02af57bf2c01d6295b73f2ad8bfe4a98e59d8da421d