Analysis
- max time kernel: 128s
- max time network: 137s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 31-01-2022 00:54
Static task: static1
Behavioral task: behavioral1
  Sample: 415dc126af775a928a51c872a6513d6ac9f5dcd84e00734b409d58a5922de96e.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 415dc126af775a928a51c872a6513d6ac9f5dcd84e00734b409d58a5922de96e.exe
  Resource: win10-en-20211208
General
- Target: 415dc126af775a928a51c872a6513d6ac9f5dcd84e00734b409d58a5922de96e.exe
- Size: 79KB
- MD5: 0b6a0ca44e47609910d978ffb1ee49c6
- SHA1: e0fee9ccd0368f6f3acf0e9f2885dccd8f8b5359
- SHA256: 415dc126af775a928a51c872a6513d6ac9f5dcd84e00734b409d58a5922de96e
- SHA512: 3fd47a464cb2110d3d4127a09fc85d60ded77c9e385e290253e92051910b555b6b649e9c91069b776b6403d310a19277da4ec6d344a9622954cf1ed534bf758a
Malware Config
Signatures
- Sakula Payload 2 IoCs
  Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- Executes dropped EXE 1 IoCs
  Processes:
  pid | process
  2912 | MediaCenter.exe
- Adds Run key to start application 2 TTPs 1 IoCs
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 415dc126af775a928a51c872a6513d6ac9f5dcd84e00734b409d58a5922de96e.exe
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe 1 TTPs 1 IoCs
- Suspicious use of AdjustPrivilegeToken 1 IoCs
  Processes:
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 3240 | 415dc126af775a928a51c872a6513d6ac9f5dcd84e00734b409d58a5922de96e.exe
- Suspicious use of WriteProcessMemory 9 IoCs
  Processes:
  description | pid | process | target process
  PID 3240 wrote to memory of 2912 | 3240 | 415dc126af775a928a51c872a6513d6ac9f5dcd84e00734b409d58a5922de96e.exe | MediaCenter.exe
  PID 3240 wrote to memory of 2912 | 3240 | 415dc126af775a928a51c872a6513d6ac9f5dcd84e00734b409d58a5922de96e.exe | MediaCenter.exe
  PID 3240 wrote to memory of 2912 | 3240 | 415dc126af775a928a51c872a6513d6ac9f5dcd84e00734b409d58a5922de96e.exe | MediaCenter.exe
  PID 3240 wrote to memory of 1936 | 3240 | 415dc126af775a928a51c872a6513d6ac9f5dcd84e00734b409d58a5922de96e.exe | cmd.exe
  PID 3240 wrote to memory of 1936 | 3240 | 415dc126af775a928a51c872a6513d6ac9f5dcd84e00734b409d58a5922de96e.exe | cmd.exe
  PID 3240 wrote to memory of 1936 | 3240 | 415dc126af775a928a51c872a6513d6ac9f5dcd84e00734b409d58a5922de96e.exe | cmd.exe
  PID 1936 wrote to memory of 3144 | 1936 | cmd.exe | PING.EXE
  PID 1936 wrote to memory of 3144 | 1936 | cmd.exe | PING.EXE
  PID 1936 wrote to memory of 3144 | 1936 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\415dc126af775a928a51c872a6513d6ac9f5dcd84e00734b409d58a5922de96e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\415dc126af775a928a51c872a6513d6ac9f5dcd84e00734b409d58a5922de96e.exe"
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3240
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID:2912
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\415dc126af775a928a51c872a6513d6ac9f5dcd84e00734b409d58a5922de96e.exe"
    - Suspicious use of WriteProcessMemory
    PID:1936
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID:3144
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 2b8dd0a51eb9e18f0ee7e507dbd93960
  SHA1: 1319ffbfa043bcfa405dea4f78b99d6bba7b15b2
  SHA256: 183f4f0bc1d642b14b5f59670257be4cb2867bbd1e55c4469cdbfbf0ddb41f25
  SHA512: 668f047c18a00a0597f4f06f4c285e1c7969dfcce6556df0f9ca15a6c1097de4b7ede4545ff6c5d64eac12f7aa6fb38e6c59ba16badc49e824213ff2127ff320