Analysis
- max time kernel: 150s
- max time network: 159s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 30-01-2022 20:47
Static task: static1
Behavioral task: behavioral1
- Sample: 9a2a8d85677aba13c8b287580601052c9156f7d37a8e8b9d9ba4c6453f048537.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 9a2a8d85677aba13c8b287580601052c9156f7d37a8e8b9d9ba4c6453f048537.exe
- Resource: win10-en-20211208
General
- Target: 9a2a8d85677aba13c8b287580601052c9156f7d37a8e8b9d9ba4c6453f048537.exe
- Size: 320KB
- MD5: 372aa07662fb5779c8bf16d46fb58acb
- SHA1: 5b5bce07b669039db3b8738538fad9cd898a9807
- SHA256: 9a2a8d85677aba13c8b287580601052c9156f7d37a8e8b9d9ba4c6453f048537
- SHA512: f958ce972fdaaa26da8ca810813146157ac8c4550fef2a79dfd4c2ae7a527108bb6bf5660bc3528bc6db53d6086d59dc87c542527288674faedbed6980a9dca8
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- Executes dropped EXE (1 IoCs)
  Processes:
  pid | process
  1436 | MediaCenter.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 9a2a8d85677aba13c8b287580601052c9156f7d37a8e8b9d9ba4c6453f048537.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 3800 | 9a2a8d85677aba13c8b287580601052c9156f7d37a8e8b9d9ba4c6453f048537.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
  description | pid | process | target process
  PID 3800 wrote to memory of 1436 | 3800 | 9a2a8d85677aba13c8b287580601052c9156f7d37a8e8b9d9ba4c6453f048537.exe | MediaCenter.exe
  PID 3800 wrote to memory of 1436 | 3800 | 9a2a8d85677aba13c8b287580601052c9156f7d37a8e8b9d9ba4c6453f048537.exe | MediaCenter.exe
  PID 3800 wrote to memory of 1436 | 3800 | 9a2a8d85677aba13c8b287580601052c9156f7d37a8e8b9d9ba4c6453f048537.exe | MediaCenter.exe
  PID 3800 wrote to memory of 776 | 3800 | 9a2a8d85677aba13c8b287580601052c9156f7d37a8e8b9d9ba4c6453f048537.exe | cmd.exe
  PID 3800 wrote to memory of 776 | 3800 | 9a2a8d85677aba13c8b287580601052c9156f7d37a8e8b9d9ba4c6453f048537.exe | cmd.exe
  PID 3800 wrote to memory of 776 | 3800 | 9a2a8d85677aba13c8b287580601052c9156f7d37a8e8b9d9ba4c6453f048537.exe | cmd.exe
  PID 776 wrote to memory of 4016 | 776 | cmd.exe | PING.EXE
  PID 776 wrote to memory of 4016 | 776 | cmd.exe | PING.EXE
  PID 776 wrote to memory of 4016 | 776 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\9a2a8d85677aba13c8b287580601052c9156f7d37a8e8b9d9ba4c6453f048537.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\9a2a8d85677aba13c8b287580601052c9156f7d37a8e8b9d9ba4c6453f048537.exe"
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 3800
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1436
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\9a2a8d85677aba13c8b287580601052c9156f7d37a8e8b9d9ba4c6453f048537.exe"
    - Suspicious use of WriteProcessMemory
    PID: 776
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 4016
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 546387aaf41c39f38d23dcad1d0e9986
- SHA1: 5ff5e51f28497869594a1c53200681f4d2e8d08f
- SHA256: e648d3a4d8c4826a4d0b083eac635dcffaefc63c505d1f03e1a1e6df96d630ef
- SHA512: 79bf267651a3da40b2f919a09e5dc6812aefa267b1e11f06162e207f44eb4331a59e00814f2db2be9d057988876ae2c5baf1481ea6865dcb1095e6084e55f9b6