Analysis
- max time kernel: 139s
- max time network: 142s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 24-02-2022 11:08
Static task: static1

Behavioral task: behavioral1
  Sample: fb9634f7f285e1b11b44d55c58f0c2e8d14fa5ace58670d8c806b09d6570c629.exe
  Resource: win7-20220223-en

Behavioral task: behavioral2
  Sample: fb9634f7f285e1b11b44d55c58f0c2e8d14fa5ace58670d8c806b09d6570c629.exe
  Resource: win10-en-20211208

Behavioral task: behavioral3
  Sample: fb9634f7f285e1b11b44d55c58f0c2e8d14fa5ace58670d8c806b09d6570c629.exe
  Resource: win10v2004-en-20220113
General
- Target: fb9634f7f285e1b11b44d55c58f0c2e8d14fa5ace58670d8c806b09d6570c629.exe
- Size: 216KB
- MD5: 052e970aff7e2e0e3209417a92f4e2c6
- SHA1: 32c0cb93f35e65295a02d362c3bf4fd71fa9365c
- SHA256: fb9634f7f285e1b11b44d55c58f0c2e8d14fa5ace58670d8c806b09d6570c629
- SHA512: 38d19aea666d07db8c2f2925d3d7af99d03936cfda936fbc994d00ce66b27147647ca28bae684b99fdbbc7e424b34b13c5c5a6d4739d4a46934ae2ba744e8c8d
Malware Config
Signatures
-
Sakula Payload (4 IoCs)
  resource                                                                      yara_rule
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe                  family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe                  family_sakula
  behavioral2/memory/1984-117-0x0000000000400000-0x0000000000420000-memory.dmp  family_sakula
  behavioral2/memory/1620-118-0x0000000000400000-0x0000000000420000-memory.dmp  family_sakula
-
Executes dropped EXE (1 IoC)
  pid   process
  1620  MediaCenter.exe
-
Adds Run key to start application (2 TTPs, 1 IoC)
  description      ioc                                                                                                                                                    process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  fb9634f7f285e1b11b44d55c58f0c2e8d14fa5ace58670d8c806b09d6570c629.exe
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe (1 TTP, 1 IoC)
-
Suspicious use of AdjustPrivilegeToken (1 IoC)
  description                          pid   process
  Token: SeIncBasePriorityPrivilege    1984  fb9634f7f285e1b11b44d55c58f0c2e8d14fa5ace58670d8c806b09d6570c629.exe
-
Suspicious use of WriteProcessMemory (9 IoCs)
  description                        pid   process                                                                   target process
  PID 1984 wrote to memory of 1620   1984  fb9634f7f285e1b11b44d55c58f0c2e8d14fa5ace58670d8c806b09d6570c629.exe  MediaCenter.exe
  PID 1984 wrote to memory of 1620   1984  fb9634f7f285e1b11b44d55c58f0c2e8d14fa5ace58670d8c806b09d6570c629.exe  MediaCenter.exe
  PID 1984 wrote to memory of 1620   1984  fb9634f7f285e1b11b44d55c58f0c2e8d14fa5ace58670d8c806b09d6570c629.exe  MediaCenter.exe
  PID 1984 wrote to memory of 2476   1984  fb9634f7f285e1b11b44d55c58f0c2e8d14fa5ace58670d8c806b09d6570c629.exe  cmd.exe
  PID 1984 wrote to memory of 2476   1984  fb9634f7f285e1b11b44d55c58f0c2e8d14fa5ace58670d8c806b09d6570c629.exe  cmd.exe
  PID 1984 wrote to memory of 2476   1984  fb9634f7f285e1b11b44d55c58f0c2e8d14fa5ace58670d8c806b09d6570c629.exe  cmd.exe
  PID 2476 wrote to memory of 2824   2476  cmd.exe                                                                   PING.EXE
  PID 2476 wrote to memory of 2824   2476  cmd.exe                                                                   PING.EXE
  PID 2476 wrote to memory of 2824   2476  cmd.exe                                                                   PING.EXE
Processes (process tree; indentation shows parent/child depth)
- [1] C:\Users\Admin\AppData\Local\Temp\fb9634f7f285e1b11b44d55c58f0c2e8d14fa5ace58670d8c806b09d6570c629.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\fb9634f7f285e1b11b44d55c58f0c2e8d14fa5ace58670d8c806b09d6570c629.exe"
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
        - Executes dropped EXE
  - [2] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\fb9634f7f285e1b11b44d55c58f0c2e8d14fa5ace58670d8c806b09d6570c629.exe"
        - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\PING.EXE
          Command line: ping 127.0.0.1
          - Runs ping.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 38bbef46cb5cb7e1484d04da8a2f14ee
  SHA1: 323a4d91837baf17779d5cfd448872c684a2fb68
  SHA256: 0f092ed2816f919bf4c8cc0942f50462f002b19c047ee675498970e005be880f
  SHA512: afbf202492c9bdab972ed556088fc81063bde37c4f3057315a03360fea2ad61f4abf4a4967d2a22537d53dde6705d52834da256f53c6795e64209e0dba4a09c1
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 38bbef46cb5cb7e1484d04da8a2f14ee
  SHA1: 323a4d91837baf17779d5cfd448872c684a2fb68
  SHA256: 0f092ed2816f919bf4c8cc0942f50462f002b19c047ee675498970e005be880f
  SHA512: afbf202492c9bdab972ed556088fc81063bde37c4f3057315a03360fea2ad61f4abf4a4967d2a22537d53dde6705d52834da256f53c6795e64209e0dba4a09c1
- memory/1620-118-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB
- memory/1984-117-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB