Analysis
max time kernel: 148s
max time network: 156s
platform: windows10_x64
resource: win10-en-20211208
submitted: 31-01-2022 00:10

Static task: static1
Behavioral task: behavioral1
  Sample: c6088899bcb77e5d642999ebb0f440e28b795007735023b38d4965c0ae02a05e.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: c6088899bcb77e5d642999ebb0f440e28b795007735023b38d4965c0ae02a05e.exe
  Resource: win10-en-20211208

General
Target: c6088899bcb77e5d642999ebb0f440e28b795007735023b38d4965c0ae02a05e.exe
Size: 89KB
MD5: 2ca3f59590a5aeab648f292bf19f4a5e
SHA1: bf3cb57d73c580f710388c9d574de074bbca5d7a
SHA256: c6088899bcb77e5d642999ebb0f440e28b795007735023b38d4965c0ae02a05e
SHA512: c0ce4574fd307e9f2069fc2f390a935fc1dc1f4a0c0f2711ad69ae14da07bb037c6d4d51917f36a012e428e544b760776265a0ead6adb67fee7c1496f4c25ca2
Malware Config
Signatures
-
Sakula Payload (2 IoCs)
resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe, yara_rule: family_sakula
resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe, yara_rule: family_sakula
Executes dropped EXE (1 IoCs)
pid 2868: MediaCenter.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" (written by c6088899bcb77e5d642999ebb0f440e28b795007735023b38d4965c0ae02a05e.exe)
Note: the WOW6432Node path means a 32-bit process wrote the machine-wide Run key on 64-bit Windows; when hunting for this entry, check the 32-bit registry view (HKLM\SOFTWARE\WOW6432Node\...\Run) as well as the native one, and note that the autostart target lives under the user's Temp directory.
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic text for this signature calls it likely ransomware behaviour; nothing else in this report (a Sakula payload, a Run-key persistence entry and a self-delete chain) supports a ransomware classification, so treat that label as the signature's boilerplate rather than a finding about this sample.
-
Runs ping.exe (1 TTPs, 1 IoCs)
(see PING.EXE, PID 1496, in the process tree below)
Suspicious use of AdjustPrivilegeToken (1 IoCs)
Token: SeIncBasePriorityPrivilege, pid 2844, process c6088899bcb77e5d642999ebb0f440e28b795007735023b38d4965c0ae02a05e.exe
Suspicious use of WriteProcessMemory (9 IoCs)
PID 2844 wrote to memory of 2868 (c6088899bcb77e5d642999ebb0f440e28b795007735023b38d4965c0ae02a05e.exe -> MediaCenter.exe)
PID 2844 wrote to memory of 2868 (c6088899bcb77e5d642999ebb0f440e28b795007735023b38d4965c0ae02a05e.exe -> MediaCenter.exe)
PID 2844 wrote to memory of 2868 (c6088899bcb77e5d642999ebb0f440e28b795007735023b38d4965c0ae02a05e.exe -> MediaCenter.exe)
PID 2844 wrote to memory of 3548 (c6088899bcb77e5d642999ebb0f440e28b795007735023b38d4965c0ae02a05e.exe -> cmd.exe)
PID 2844 wrote to memory of 3548 (c6088899bcb77e5d642999ebb0f440e28b795007735023b38d4965c0ae02a05e.exe -> cmd.exe)
PID 2844 wrote to memory of 3548 (c6088899bcb77e5d642999ebb0f440e28b795007735023b38d4965c0ae02a05e.exe -> cmd.exe)
PID 3548 wrote to memory of 1496 (cmd.exe -> PING.EXE)
PID 3548 wrote to memory of 1496 (cmd.exe -> PING.EXE)
PID 3548 wrote to memory of 1496 (cmd.exe -> PING.EXE)
Note: every target here is a child that the writing process itself spawned, in the same parent-to-child order as the process tree. Writes into a freshly created child are consistent with ordinary process start-up and are not, on their own, evidence of injection into a foreign process; the Sakula YARA hit on MediaCenter.exe is the stronger indicator in this report.
Processes
C:\Users\Admin\AppData\Local\Temp\c6088899bcb77e5d642999ebb0f440e28b795007735023b38d4965c0ae02a05e.exe (PID 2844)
  command line: "C:\Users\Admin\AppData\Local\Temp\c6088899bcb77e5d642999ebb0f440e28b795007735023b38d4965c0ae02a05e.exe"
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 2868)
      command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE
    C:\Windows\SysWOW64\cmd.exe (PID 3548)
      command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\c6088899bcb77e5d642999ebb0f440e28b795007735023b38d4965c0ae02a05e.exe"
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\PING.EXE (PID 1496)
          command line: ping 127.0.0.1
          - Runs ping.exe
Reading the tree: the dropper (PID 2844) writes MediaCenter.exe to a MicroMedia folder under Temp, registers it in the Run key, launches it, and then spawns cmd.exe to remove itself. The "ping 127.0.0.1 & del /q <own path>" idiom is a delay-then-delete: ping's default four echo requests to localhost take a few seconds, long enough for the dropper to exit so that its file is no longer locked when del runs. The command lines say System32 while the image paths say SysWOW64 because the dropper is a 32-bit process and file-system redirection maps System32 to SysWOW64 for it, which is also why its Run key lands under WOW6432Node.
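The two behaviours the tree records, a Run key pointing into the user's Temp directory and a cmd.exe that deletes its own parent's image after a ping delay, are both easy to express as telemetry checks. The following is an added example, not part of the sandbox report and not any vendor's detection content: it runs two such checks over process-creation and registry-set records constructed by hand from this report's process tree and Run-key IoC. The record schema (pid, ppid, image, cmdline, key, value) is an assumed, simplified one chosen for the example.

```python
"""
Added example (not from the sandbox report): two detections over constructed
telemetry records rebuilt from this report's process tree and registry IoC.

  1. find_temp_run_keys     - Run/RunOnce values whose target sits under
                              %LOCALAPPDATA%\Temp (persistence via a dropped file)
  2. find_self_delete_chains - cmd.exe "/c ping ... & del [/q] <path>" where
                              <path> is the image of the process that spawned cmd.exe

Field names are an assumed, simplified schema, not any vendor's log format.
"""
import re

# Constructed from the report's process tree (PIDs and command lines as listed there).
# The dropper's parent PID (1000) is a placeholder; the report does not give it.
PROCESS_EVENTS = [
    {"pid": 2844, "ppid": 1000,
     "image": r"C:\Users\Admin\AppData\Local\Temp\c6088899bcb77e5d642999ebb0f440e28b795007735023b38d4965c0ae02a05e.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\c6088899bcb77e5d642999ebb0f440e28b795007735023b38d4965c0ae02a05e.exe"'},
    {"pid": 2868, "ppid": 2844,
     "image": r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe",
     "cmdline": r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"},
    {"pid": 3548, "ppid": 2844,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\c6088899bcb77e5d642999ebb0f440e28b795007735023b38d4965c0ae02a05e.exe"'},
    {"pid": 1496, "ppid": 3548,
     "image": r"C:\Windows\SysWOW64\PING.EXE",
     "cmdline": r"ping 127.0.0.1"},
]

# Constructed from the report's "Adds Run key to start application" IoC.
REGISTRY_EVENTS = [
    {"pid": 2844,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "value": r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"},
]

# Matches both the native and the WOW6432Node view of Run / RunOnce.
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
# "/c ping ... & del [/q] [/f] <path>"; also accepts "timeout" as the delay and "&&" as the joiner.
SELF_DELETE_RE = re.compile(
    r'/c\s+(?:ping|timeout)\b.*?&+\s*del\s+(?:/[qf]\s+)*"?(?P<target>[^"&]+?)"?\s*$',
    re.IGNORECASE,
)


def find_temp_run_keys(registry_events):
    """Return (pid, key, value) for Run/RunOnce values that point into the user's Temp directory."""
    hits = []
    for ev in registry_events:
        if RUN_KEY_RE.search(ev["key"]) and TEMP_DIR_RE.search(ev["value"]):
            hits.append((ev["pid"], ev["key"], ev["value"]))
    return hits


def find_self_delete_chains(process_events):
    """Return (parent_pid, cmd_pid, deleted_path) where cmd.exe is told to delete its parent's own image."""
    by_pid = {ev["pid"]: ev for ev in process_events}
    hits = []
    for ev in process_events:
        if not ev["image"].lower().endswith("\\cmd.exe"):
            continue
        m = SELF_DELETE_RE.search(ev["cmdline"])
        if not m:
            continue
        parent = by_pid.get(ev["ppid"])
        target = m.group("target").strip()
        # Only flag it when the file being deleted is the spawning process's own image;
        # a cmd.exe deleting some unrelated file is not the self-delete idiom.
        if parent and parent["image"].lower() == target.lower():
            hits.append((parent["pid"], ev["pid"], target))
    return hits


if __name__ == "__main__":
    for hit in find_temp_run_keys(REGISTRY_EVENTS):
        print("persistence via Temp-resident Run key:", hit)
    for hit in find_self_delete_chains(PROCESS_EVENTS):
        print("ping-then-del self-delete chain:", hit)
```

The self-delete check deliberately requires the deleted path to equal the parent's image: that keeps it from firing on ordinary "cmd /c ping ... & del" clean-up scripts and ties the alert to the process that can then be pivoted on (here PID 2844) to recover the dropped MediaCenter.exe and the Run key before the dropper is gone from disk.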
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: ee4106fb9925171165ee6b46d63e75a2
SHA1: c12538be22f90aab8f0a6e7ef1de3936a2c1e5c7
SHA256: 13b093e7c4ab208690baa99ad86345b09ff2b14ff5e6e634689e5d2f6aeb6c1f
SHA512: 70b6875e6b36abac40534e717c63d8dcc425825c28da78c697740e4922f629fc24138a82a4cd2a2569f53cf278cd09a6f91a2c065748e23b17b19680c38cdb99