Analysis
- max time kernel: 149s
- max time network: 186s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220112
- submitted: 12-02-2022 03:24

Static task: static1

Behavioral task: behavioral1
  Sample: 17b65381a1f470c98d23c786b914a7b787a0c90fd042d0f35106fadf0e032c2e.exe
  Resource: win7-en-20211208

Behavioral task: behavioral2
  Sample: 17b65381a1f470c98d23c786b914a7b787a0c90fd042d0f35106fadf0e032c2e.exe
  Resource: win10v2004-en-20220112
General
- Target: 17b65381a1f470c98d23c786b914a7b787a0c90fd042d0f35106fadf0e032c2e.exe
- Size: 89KB
- MD5: 12dccd8c39d8343a20b4a193febc5899
- SHA1: 68ab8ca331fcb750b47571f418eade17be00a2b1
- SHA256: 17b65381a1f470c98d23c786b914a7b787a0c90fd042d0f35106fadf0e032c2e
- SHA512: 6833f72fa6531715029babca0867eda347f348730335287c523a277a4ebea7c0c7852e9b4eb096c315c966fa5b27dcc46321a8d58c5a7156afa187f0f0897740
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  Processes (resource, yara_rule):
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe: family_sakula
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe: family_sakula
- Executes dropped EXE (1 IoC)
  Processes (pid, process):
    3368: MediaCenter.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes (description, ioc, process):
    Key value queried: \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation (process: 17b65381a1f470c98d23c786b914a7b787a0c90fd042d0f35106fadf0e032c2e.exe)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description, ioc, process):
    Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" (process: 17b65381a1f470c98d23c786b914a7b787a0c90fd042d0f35106fadf0e032c2e.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes (description, ioc, process):
    Key opened: \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (process: MusNotifyIcon.exe)
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (process: MusNotifyIcon.exe)
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description, pid, process):
    Token: SeIncBasePriorityPrivilege (pid 8, process: 17b65381a1f470c98d23c786b914a7b787a0c90fd042d0f35106fadf0e032c2e.exe)
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (description, pid, process, target process):
    PID 8 wrote to memory of 3368 (process: 17b65381a1f470c98d23c786b914a7b787a0c90fd042d0f35106fadf0e032c2e.exe, target: MediaCenter.exe)
    PID 8 wrote to memory of 3368 (process: 17b65381a1f470c98d23c786b914a7b787a0c90fd042d0f35106fadf0e032c2e.exe, target: MediaCenter.exe)
    PID 8 wrote to memory of 3368 (process: 17b65381a1f470c98d23c786b914a7b787a0c90fd042d0f35106fadf0e032c2e.exe, target: MediaCenter.exe)
    PID 8 wrote to memory of 2748 (process: 17b65381a1f470c98d23c786b914a7b787a0c90fd042d0f35106fadf0e032c2e.exe, target: cmd.exe)
    PID 8 wrote to memory of 2748 (process: 17b65381a1f470c98d23c786b914a7b787a0c90fd042d0f35106fadf0e032c2e.exe, target: cmd.exe)
    PID 8 wrote to memory of 2748 (process: 17b65381a1f470c98d23c786b914a7b787a0c90fd042d0f35106fadf0e032c2e.exe, target: cmd.exe)
    PID 2748 wrote to memory of 3896 (process: cmd.exe, target: PING.EXE)
    PID 2748 wrote to memory of 3896 (process: cmd.exe, target: PING.EXE)
    PID 2748 wrote to memory of 3896 (process: cmd.exe, target: PING.EXE)
Processes
- C:\Users\Admin\AppData\Local\Temp\17b65381a1f470c98d23c786b914a7b787a0c90fd042d0f35106fadf0e032c2e.exe (level 1, PID 8)
  Command line: "C:\Users\Admin\AppData\Local\Temp\17b65381a1f470c98d23c786b914a7b787a0c90fd042d0f35106fadf0e032c2e.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (level 2, PID 3368)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (level 2, PID 2748)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\17b65381a1f470c98d23c786b914a7b787a0c90fd042d0f35106fadf0e032c2e.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (level 3, PID 3896)
      Command line: ping 127.0.0.1
      - Runs ping.exe
- C:\Windows\system32\svchost.exe (level 1, PID 460)
  Command line: C:\Windows\system32\svchost.exe -k wusvcs -p
- C:\Windows\system32\MusNotifyIcon.exe (level 1, PID 3936)
  Command line: %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
  - Checks processor information in registry
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 138d61e948944a04b64f345224961dda
  SHA1: ffd0a5d712d66bbe17b8bf772adb107acb252fed
  SHA256: a2a5231955da58162dbacf56bab24adaa7b5311282cb8896978fd34d00e879d2
  SHA512: 30f307458badec067f1b0cdd4e49bf189aac594369badbfe76f0a97773a4bf7363b280cda8d4e8cd148fe27994141636a8e55a91c427026c0be0ab8b8c83b85b