Analysis
- max time kernel: 164s
- max time network: 176s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 30-01-2022 19:40
Static task: static1
Behavioral task: behavioral1
  Sample: 8a955b35c86e3bfc05ca6654723179d766ad6960ecb8e768abd1f56c24102d78.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 8a955b35c86e3bfc05ca6654723179d766ad6960ecb8e768abd1f56c24102d78.exe
  Resource: win10-en-20211208
General
- Target: 8a955b35c86e3bfc05ca6654723179d766ad6960ecb8e768abd1f56c24102d78.exe
- Size: 89KB
- MD5: 492c59bddbcbe7cbd2f932655181fb08
- SHA1: 93229172020b93a506549d505148b5c9e80d643b
- SHA256: 8a955b35c86e3bfc05ca6654723179d766ad6960ecb8e768abd1f56c24102d78
- SHA512: 03591f35373f1a42fd2db8bd6da119e1cb06118820ee4113f23458b6efad30580427688b3af43657b51b74b7411c72245188a6e77cbc72b6a6782c73d94a50e3
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula

- Executes dropped EXE (1 IoCs)
  Processes:
  pid | process
  920 | MediaCenter.exe

- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 8a955b35c86e3bfc05ca6654723179d766ad6960ecb8e768abd1f56c24102d78.exe

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Runs ping.exe (1 TTPs, 1 IoCs)

- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 3296 | 8a955b35c86e3bfc05ca6654723179d766ad6960ecb8e768abd1f56c24102d78.exe

- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
  description | pid | process | target process
  PID 3296 wrote to memory of 920 | 3296 | 8a955b35c86e3bfc05ca6654723179d766ad6960ecb8e768abd1f56c24102d78.exe | MediaCenter.exe
  PID 3296 wrote to memory of 920 | 3296 | 8a955b35c86e3bfc05ca6654723179d766ad6960ecb8e768abd1f56c24102d78.exe | MediaCenter.exe
  PID 3296 wrote to memory of 920 | 3296 | 8a955b35c86e3bfc05ca6654723179d766ad6960ecb8e768abd1f56c24102d78.exe | MediaCenter.exe
  PID 3296 wrote to memory of 1824 | 3296 | 8a955b35c86e3bfc05ca6654723179d766ad6960ecb8e768abd1f56c24102d78.exe | cmd.exe
  PID 3296 wrote to memory of 1824 | 3296 | 8a955b35c86e3bfc05ca6654723179d766ad6960ecb8e768abd1f56c24102d78.exe | cmd.exe
  PID 3296 wrote to memory of 1824 | 3296 | 8a955b35c86e3bfc05ca6654723179d766ad6960ecb8e768abd1f56c24102d78.exe | cmd.exe
  PID 1824 wrote to memory of 3412 | 1824 | cmd.exe | PING.EXE
  PID 1824 wrote to memory of 3412 | 1824 | cmd.exe | PING.EXE
  PID 1824 wrote to memory of 3412 | 1824 | cmd.exe | PING.EXE
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\8a955b35c86e3bfc05ca6654723179d766ad6960ecb8e768abd1f56c24102d78.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8a955b35c86e3bfc05ca6654723179d766ad6960ecb8e768abd1f56c24102d78.exe"
  PID: 3296
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 920
    - Executes dropped EXE
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\8a955b35c86e3bfc05ca6654723179d766ad6960ecb8e768abd1f56c24102d78.exe"
    PID: 1824
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 3412
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: ce50d34f334c16af30561adca2d80946
  SHA1: 8733f8701b366d34b13ae7a35f6d161bfb8c0091
  SHA256: f54ebe9db94469f1833052f671cd0f503605357aa650918f0284a399e9de204d
  SHA512: c272febf67b7dc7a2b50a4323a9eb1b20ee3a675181d818b7ee661a4792669a87b0bf69bcdeb4a7cf50696a3416dfc13e54428231c99dca8f3372f81f8bd2c7e
- MD5: ce50d34f334c16af30561adca2d80946
  SHA1: 8733f8701b366d34b13ae7a35f6d161bfb8c0091
  SHA256: f54ebe9db94469f1833052f671cd0f503605357aa650918f0284a399e9de204d
  SHA512: c272febf67b7dc7a2b50a4323a9eb1b20ee3a675181d818b7ee661a4792669a87b0bf69bcdeb4a7cf50696a3416dfc13e54428231c99dca8f3372f81f8bd2c7e