Analysis
  max time kernel: 136s
  max time network: 144s
  platform: windows10_x64
  resource: win10-en-20211208
  submitted: 30-01-2022 20:13
Static task: static1
Behavioral task: behavioral1
  Sample: 34539aa85fcdbd8169a9648c63b7cbc74f4bc0ca7881fd2e03ef7fe1281d0c1c.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 34539aa85fcdbd8169a9648c63b7cbc74f4bc0ca7881fd2e03ef7fe1281d0c1c.exe
  Resource: win10-en-20211208
General
  Target: 34539aa85fcdbd8169a9648c63b7cbc74f4bc0ca7881fd2e03ef7fe1281d0c1c.exe
  Size: 89KB
  MD5: 4297e98e6d7ea326dee3d13e53aa8d70
  SHA1: 58048d8322e3648d6a3ece2ec9038d438c687710
  SHA256: 34539aa85fcdbd8169a9648c63b7cbc74f4bc0ca7881fd2e03ef7fe1281d0c1c
  SHA512: 4d312269a502d664e82683d9cc54dc9a5cc080223af8bd3c3c17981008dcbc2a53499a30d69a55dc0dbe2e86d6877b8c04e701bacfe0df1d95c83799952aa130
Malware Config
Signatures
Sakula Payload (2 IoCs)
  Processes (resource | yara_rule):
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
Executes dropped EXE (1 IoCs)
  Processes (pid | process):
    784 | MediaCenter.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes (description | ioc | process):
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 34539aa85fcdbd8169a9648c63b7cbc74f4bc0ca7881fd2e03ef7fe1281d0c1c.exe
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Runs ping.exe (1 TTPs, 1 IoCs)
Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes (description | pid | process):
    Token: SeIncBasePriorityPrivilege | 3840 | 34539aa85fcdbd8169a9648c63b7cbc74f4bc0ca7881fd2e03ef7fe1281d0c1c.exe
Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (description | pid | process | target process):
    PID 3840 wrote to memory of 784 | 3840 | 34539aa85fcdbd8169a9648c63b7cbc74f4bc0ca7881fd2e03ef7fe1281d0c1c.exe | MediaCenter.exe
    PID 3840 wrote to memory of 784 | 3840 | 34539aa85fcdbd8169a9648c63b7cbc74f4bc0ca7881fd2e03ef7fe1281d0c1c.exe | MediaCenter.exe
    PID 3840 wrote to memory of 784 | 3840 | 34539aa85fcdbd8169a9648c63b7cbc74f4bc0ca7881fd2e03ef7fe1281d0c1c.exe | MediaCenter.exe
    PID 3840 wrote to memory of 920 | 3840 | 34539aa85fcdbd8169a9648c63b7cbc74f4bc0ca7881fd2e03ef7fe1281d0c1c.exe | cmd.exe
    PID 3840 wrote to memory of 920 | 3840 | 34539aa85fcdbd8169a9648c63b7cbc74f4bc0ca7881fd2e03ef7fe1281d0c1c.exe | cmd.exe
    PID 3840 wrote to memory of 920 | 3840 | 34539aa85fcdbd8169a9648c63b7cbc74f4bc0ca7881fd2e03ef7fe1281d0c1c.exe | cmd.exe
    PID 920 wrote to memory of 3952 | 920 | cmd.exe | PING.EXE
    PID 920 wrote to memory of 3952 | 920 | cmd.exe | PING.EXE
    PID 920 wrote to memory of 3952 | 920 | cmd.exe | PING.EXE
Processes
  [1] C:\Users\Admin\AppData\Local\Temp\34539aa85fcdbd8169a9648c63b7cbc74f4bc0ca7881fd2e03ef7fe1281d0c1c.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\34539aa85fcdbd8169a9648c63b7cbc74f4bc0ca7881fd2e03ef7fe1281d0c1c.exe"
      PID: 3840
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
        PID: 784
        - Executes dropped EXE
    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\34539aa85fcdbd8169a9648c63b7cbc74f4bc0ca7881fd2e03ef7fe1281d0c1c.exe"
        PID: 920
        - Suspicious use of WriteProcessMemory
      [3] C:\Windows\SysWOW64\PING.EXE
          Command line: ping 127.0.0.1
          PID: 3952
          - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
  MD5: b729fdb7a2e7a9f69e71570922012f7a
  SHA1: 64afa0757fd93b71634f506711c7532827b5815e
  SHA256: c7cfe3c898bbee7d957cc258098a578e90317e6651859165f1943326be5fad74
  SHA512: 5a456c39452b719ee5abe7662692f3528d732279b3c6078006b6c0ae9e4d5a30c298d7821f68741bd539526e5a2714283bafa882f2f510840595db7c8e219bc7