Analysis
max time kernel: 134s
max time network: 151s
platform: windows10_x64
resource: win10-en-20211208
submitted: 31-01-2022 00:41
Static task: static1
Behavioral task: behavioral1
  Sample: 5096ed81ec028361943f459672fbe36adb08d41fc51243596df1133588ab9f76.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 5096ed81ec028361943f459672fbe36adb08d41fc51243596df1133588ab9f76.exe
  Resource: win10-en-20211208
General
Target: 5096ed81ec028361943f459672fbe36adb08d41fc51243596df1133588ab9f76.exe
Size: 79KB
MD5: 0ff96f4dbfe8aa9c49b489218d862cd7
SHA1: b87ae231c0a79f865f6fe838b17b9263e114b1a8
SHA256: 5096ed81ec028361943f459672fbe36adb08d41fc51243596df1133588ab9f76
SHA512: 72d3f291b39c3cd74b3c638331b07a54ebebdb020fdf56b4ae5214e0b7a2934675d7379cbb77cfe87188676b5a686a4e27927798cdff737da38e73321b2c35c1
Malware Config
Signatures
Sakula Payload (2 IoCs)
Processes:
  resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  yara_rule: family_sakula
  resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  yara_rule: family_sakula
Executes dropped EXE (1 IoCs)
Processes:
  pid: 4000  process: MediaCenter.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes:
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  process: 5096ed81ec028361943f459672fbe36adb08d41fc51243596df1133588ab9f76.exe
The WOW6432Node path is the registry redirector's view: the 32-bit sample wrote HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, which on a 64-bit host lands under HKLM\SOFTWARE\WOW6432Node. Writing a machine-wide Run value needs administrative rights, consistent with the sandbox running the sample as the Admin user. The value points at the dropped MediaCenter.exe, so the Sakula payload, not the original sample, is what survives a reboot.
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
The second line is the sandbox's generic description for this signature, not a finding about this sample: the only family match in the report is family_sakula, a remote-access trojan, and nothing else in the report supports a ransomware reading. Treat the drive enumeration as host reconnaissance unless further evidence appears.
Runs ping.exe (1 TTPs, 1 IoCs)
Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes:
  description: Token: SeIncBasePriorityPrivilege  pid: 812  process: 5096ed81ec028361943f459672fbe36adb08d41fc51243596df1133588ab9f76.exe
Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
  PID 812 (5096ed81ec028361943f459672fbe36adb08d41fc51243596df1133588ab9f76.exe) wrote to memory of 4000 (MediaCenter.exe), logged 3 times
  PID 812 (5096ed81ec028361943f459672fbe36adb08d41fc51243596df1133588ab9f76.exe) wrote to memory of 4088 (cmd.exe), logged 3 times
  PID 4088 (cmd.exe) wrote to memory of 3720 (PING.EXE), logged 3 times
Each target is a child the writing process has just created, and the three entries per child coincide with the three process creations in the tree below. These writes do not by themselves show injection into a pre-existing process.
Processes
C:\Users\Admin\AppData\Local\Temp\5096ed81ec028361943f459672fbe36adb08d41fc51243596df1133588ab9f76.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\5096ed81ec028361943f459672fbe36adb08d41fc51243596df1133588ab9f76.exe"
  PID: 812
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 4000
    - Executes dropped EXE
  C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\5096ed81ec028361943f459672fbe36adb08d41fc51243596df1133588ab9f76.exe"
    PID: 4088
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\PING.EXE
      command line: ping 127.0.0.1
      PID: 3720
      - Runs ping.exe
The cmd.exe branch is the sample deleting itself: `ping 127.0.0.1` is only a delay, giving PID 812 time to exit so its image is no longer locked when `del /q` runs. The command line names System32\cmd.exe but the image resolves to SysWOW64\cmd.exe because a 32-bit process requesting System32 goes through file-system redirection. After the run, the original file is gone and only the dropped MediaCenter.exe plus its Run key remain on disk, which is why the dropped file, not the submitted sample, is the artifact to recover from an infected host.
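The three behaviours the report records (the Run key that points into a temp directory, the dropped executable started from temp by a parent that also lives in temp, and the ping-then-del self-deletion chain) can be turned into detection logic over process-creation and registry-set events. The block below is an added example written for this page, not code from the sandbox vendor; it runs over constructed events whose PIDs, paths and command lines are copied from the report. The event dicts model Sysmon-style process-create and registry-set records, but their field names (type, pid, ppid, image, cmdline, key, data) are an assumption of this example, as are the explorer.exe parent and the benign VendorAgent control entry.

```python
"""Detection logic for the behaviours in the Sakula sandbox report.

Added example, not part of the report. Event schema, the explorer.exe parent
(PID 1000) and the benign VendorAgent Run entry are assumptions of this example.
"""
import re
from typing import Dict, List

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\5096ed81ec028361943f459672fbe36adb08d41fc51243596df1133588ab9f76.exe")
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

# Constructed events mirroring the report's process tree and Run-key write.
EVENTS: List[Dict[str, str]] = [
    {"type": "process", "pid": "1000", "ppid": "0",
     "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"type": "process", "pid": "812", "ppid": "1000",
     "image": SAMPLE, "cmdline": '"' + SAMPLE + '"'},
    {"type": "registry", "pid": "812",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "data": DROPPED},
    {"type": "process", "pid": "4000", "ppid": "812",
     "image": DROPPED, "cmdline": DROPPED},
    {"type": "process", "pid": "4088", "ppid": "812",
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "' + SAMPLE + '"'},
    {"type": "process", "pid": "3720", "ppid": "4088",
     "image": r"C:\Windows\SysWOW64\PING.EXE", "cmdline": "ping 127.0.0.1"},
    # Benign control (constructed): a Run value pointing at Program Files.
    {"type": "registry", "pid": "500",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
     "data": r"C:\Program Files\Vendor\agent.exe"},
]

# Run/RunOnce under either the native or the WOW6432Node view.
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
# User or system temp directories.
TEMP_PATH_RE = re.compile(r"\\(AppData\\Local\\Temp|Windows\\Temp)\\", re.I)
# "ping 127.0.0.1 & del /q <path>": loopback ping as a delay, then delete.
PING_DEL_RE = re.compile(
    r'ping(?:\.exe)?\s+(?:-n\s+\d+\s+)?127\.0\.0\.1.*?&+\s*del\s+(?:/\w\s+)*"?(?P<target>[^"&]+?)"?\s*$',
    re.I)


def is_temp_path(path: str) -> bool:
    return TEMP_PATH_RE.search(path) is not None


def detect_temp_run_key(ev: Dict[str, str]) -> List[str]:
    """Flag a Run/RunOnce value whose data points into a temp directory."""
    if ev["type"] != "registry" or not RUN_KEY_RE.search(ev["key"]):
        return []
    if not is_temp_path(ev["data"]):
        return []
    return [f"pid {ev['pid']}: Run key persistence into temp: {ev['key']} = {ev['data']}"]


def detect_temp_chain(ev: Dict[str, str], by_pid: Dict[str, Dict[str, str]]) -> List[str]:
    """Flag a temp-resident executable started by a parent that is also temp-resident."""
    if ev["type"] != "process" or not is_temp_path(ev["image"]):
        return []
    parent = by_pid.get(ev["ppid"])
    if parent is None or not is_temp_path(parent["image"]):
        return []
    return [f"pid {ev['pid']}: temp-to-temp process chain: {parent['image']} -> {ev['image']}"]


def detect_self_deletion(ev: Dict[str, str], by_pid: Dict[str, Dict[str, str]]) -> List[str]:
    """Flag cmd.exe running ping-then-del; note when the target is the parent's own image."""
    if ev["type"] != "process" or not ev["image"].lower().endswith("\\cmd.exe"):
        return []
    m = PING_DEL_RE.search(ev["cmdline"])
    if m is None:
        return []
    target = m.group("target").strip().strip('"')
    parent = by_pid.get(ev["ppid"])
    if parent is not None and parent["image"].lower() == target.lower():
        return [f"pid {ev['pid']}: self-deletion of parent image via ping delay: {target}"]
    return [f"pid {ev['pid']}: ping-then-del of {target}"]


def analyze(events: List[Dict[str, str]]) -> List[str]:
    """Run all three detections over a list of events and return the findings."""
    by_pid = {e["pid"]: e for e in events if e["type"] == "process"}
    findings: List[str] = []
    for ev in events:
        findings += detect_temp_run_key(ev)
        findings += detect_temp_chain(ev, by_pid)
        findings += detect_self_deletion(ev, by_pid)
    return findings


if __name__ == "__main__":
    for line in analyze(EVENTS):
        print(line)
```

On the constructed events this yields three findings, one per behaviour, and stays silent on the Program Files Run entry. The self-deletion rule deliberately compares the `del` target against the parent's image rather than just matching the string `ping ... & del`, because the same shape is also used by installers to clean up a temp copy; the parent-image match is what distinguishes a process erasing itself from ordinary cleanup.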
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: e76f472f2b2b8ca2b942d11b706b406d
SHA1: 3ee3729d145cce56f7feb2e3e435944f5ff3e7b0
SHA256: bd6b11db054b30f4e3124f4b53bfc93858587deb0ed1678f4cb3560a04b4195f
SHA512: 627c558550b4822030cc70e57f39defea1d338f11e4dcea9e4adca14c5845ecc1673532d59ded7666ee6b63a132d5ee7bf3a2cd087f5006045a9c83cddefbbcb