Analysis
- max time kernel: 157s
- max time network: 169s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 31-01-2022 01:05
Static task: static1
Behavioral task: behavioral1
  Sample: 43078f436a9a7b278edf2fedc64a159d85d79e92a53d89b7da0e5ccd64f807a6.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 43078f436a9a7b278edf2fedc64a159d85d79e92a53d89b7da0e5ccd64f807a6.exe
  Resource: win10-en-20211208
General
- Target: 43078f436a9a7b278edf2fedc64a159d85d79e92a53d89b7da0e5ccd64f807a6.exe
- Size: 89KB
- MD5: 07b678ed364b23688b02a13727166a45
- SHA1: 929ec8f907ddf381479fc81e9d4f5da4ffca6c79
- SHA256: 43078f436a9a7b278edf2fedc64a159d85d79e92a53d89b7da0e5ccd64f807a6
- SHA512: 19a787e25749b0102cdd94e0884a875ccdb7966d00fafca68b4395e4e579ce5673bb28a9c30a006815ff7ced945a93eb9e90912f699ce462dea2b012605a2a19
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- Executes dropped EXE (1 IoC)
  Processes:
  pid | process
  3672 | MediaCenter.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 43078f436a9a7b278edf2fedc64a159d85d79e92a53d89b7da0e5ccd64f807a6.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 3384 | 43078f436a9a7b278edf2fedc64a159d85d79e92a53d89b7da0e5ccd64f807a6.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
  description | pid | process | target process
  PID 3384 wrote to memory of 3672 | 3384 | 43078f436a9a7b278edf2fedc64a159d85d79e92a53d89b7da0e5ccd64f807a6.exe | MediaCenter.exe
  PID 3384 wrote to memory of 3672 | 3384 | 43078f436a9a7b278edf2fedc64a159d85d79e92a53d89b7da0e5ccd64f807a6.exe | MediaCenter.exe
  PID 3384 wrote to memory of 3672 | 3384 | 43078f436a9a7b278edf2fedc64a159d85d79e92a53d89b7da0e5ccd64f807a6.exe | MediaCenter.exe
  PID 3384 wrote to memory of 3976 | 3384 | 43078f436a9a7b278edf2fedc64a159d85d79e92a53d89b7da0e5ccd64f807a6.exe | cmd.exe
  PID 3384 wrote to memory of 3976 | 3384 | 43078f436a9a7b278edf2fedc64a159d85d79e92a53d89b7da0e5ccd64f807a6.exe | cmd.exe
  PID 3384 wrote to memory of 3976 | 3384 | 43078f436a9a7b278edf2fedc64a159d85d79e92a53d89b7da0e5ccd64f807a6.exe | cmd.exe
  PID 3976 wrote to memory of 4316 | 3976 | cmd.exe | PING.EXE
  PID 3976 wrote to memory of 4316 | 3976 | cmd.exe | PING.EXE
  PID 3976 wrote to memory of 4316 | 3976 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\43078f436a9a7b278edf2fedc64a159d85d79e92a53d89b7da0e5ccd64f807a6.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\43078f436a9a7b278edf2fedc64a159d85d79e92a53d89b7da0e5ccd64f807a6.exe"
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 3384
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 3672
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\43078f436a9a7b278edf2fedc64a159d85d79e92a53d89b7da0e5ccd64f807a6.exe"
    - Suspicious use of WriteProcessMemory
    PID: 3976
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 4316
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 5e9cdf9640b0c69c5d345595dfb50019
  SHA1: 84b0f1e523274dd974cf310e8430bc0f079dab23
  SHA256: 96b74916d6a5fcaaa72ac72e464b89ec92be9fa4fa148766263d29ef63fc9f39
  SHA512: 90298bfc96b00bff5d46941380e4bfce99ac656dab9b17316dbb27103a5ebffac43017219fea297e89f4ee460d83ae55e68d78a718dfc3a4015bbe5ae0861637
- MD5: 5e9cdf9640b0c69c5d345595dfb50019
  SHA1: 84b0f1e523274dd974cf310e8430bc0f079dab23
  SHA256: 96b74916d6a5fcaaa72ac72e464b89ec92be9fa4fa148766263d29ef63fc9f39
  SHA512: 90298bfc96b00bff5d46941380e4bfce99ac656dab9b17316dbb27103a5ebffac43017219fea297e89f4ee460d83ae55e68d78a718dfc3a4015bbe5ae0861637