Analysis
- max time kernel: 168s
- max time network: 192s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220112
- submitted: 12-02-2022 07:08
Static task: static1
Behavioral task: behavioral1
  Sample: 0e6b8d14e04e55ea3836d9de67a5b5314c66210701cb504bebed269030079856.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0e6b8d14e04e55ea3836d9de67a5b5314c66210701cb504bebed269030079856.exe
  Resource: win10v2004-en-20220112
General
- Target: 0e6b8d14e04e55ea3836d9de67a5b5314c66210701cb504bebed269030079856.exe
- Size: 191KB
- MD5: 6875b11b2e7da9aeb6370077f6b228d3
- SHA1: fc94eaf90b170a615dd19557399e8b9a8855114d
- SHA256: 0e6b8d14e04e55ea3836d9de67a5b5314c66210701cb504bebed269030079856
- SHA512: b3d7fcb169dbf15652612f2cfbc3ac7177c1329bbe9f3c7c36e59607ffa84351824ed59931b044e2f739fe4a099c7d1ca134c66450d931960993a94606bdfa4b
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  Processes:
    resource | yara_rule
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- Executes dropped EXE (1 IoCs)
  Processes:
    pid | process
    752 | MediaCenter.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    description | ioc | process
    Key value queried | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation | 0e6b8d14e04e55ea3836d9de67a5b5314c66210701cb504bebed269030079856.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
    description | ioc | process
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 0e6b8d14e04e55ea3836d9de67a5b5314c66210701cb504bebed269030079856.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
    description | ioc | process
    Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | MusNotifyIcon.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | MusNotifyIcon.exe
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
    description | pid | process
    Token: SeIncBasePriorityPrivilege | 2300 | 0e6b8d14e04e55ea3836d9de67a5b5314c66210701cb504bebed269030079856.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
    description | pid | process | target process
    PID 2300 wrote to memory of 752 | 2300 | 0e6b8d14e04e55ea3836d9de67a5b5314c66210701cb504bebed269030079856.exe | MediaCenter.exe
    PID 2300 wrote to memory of 752 | 2300 | 0e6b8d14e04e55ea3836d9de67a5b5314c66210701cb504bebed269030079856.exe | MediaCenter.exe
    PID 2300 wrote to memory of 752 | 2300 | 0e6b8d14e04e55ea3836d9de67a5b5314c66210701cb504bebed269030079856.exe | MediaCenter.exe
    PID 2300 wrote to memory of 3924 | 2300 | 0e6b8d14e04e55ea3836d9de67a5b5314c66210701cb504bebed269030079856.exe | cmd.exe
    PID 2300 wrote to memory of 3924 | 2300 | 0e6b8d14e04e55ea3836d9de67a5b5314c66210701cb504bebed269030079856.exe | cmd.exe
    PID 2300 wrote to memory of 3924 | 2300 | 0e6b8d14e04e55ea3836d9de67a5b5314c66210701cb504bebed269030079856.exe | cmd.exe
    PID 3924 wrote to memory of 3088 | 3924 | cmd.exe | PING.EXE
    PID 3924 wrote to memory of 3088 | 3924 | cmd.exe | PING.EXE
    PID 3924 wrote to memory of 3088 | 3924 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\0e6b8d14e04e55ea3836d9de67a5b5314c66210701cb504bebed269030079856.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0e6b8d14e04e55ea3836d9de67a5b5314c66210701cb504bebed269030079856.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2300
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 752
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0e6b8d14e04e55ea3836d9de67a5b5314c66210701cb504bebed269030079856.exe"
    - Suspicious use of WriteProcessMemory
    PID: 3924
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 3088
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k wusvcs -p
  PID: 2976
- C:\Windows\system32\MusNotifyIcon.exe
  Command line: %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
  - Checks processor information in registry
  PID: 1396
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: ab04c36e3a5988c696f77703b17afae4
  SHA1: 7bf63b5531f31f3dcb72f3dc369beee4f0632c97
  SHA256: a9c286ebad631a562a9055dde6a708f15573ca82004e6d361be1977a86cc7743
  SHA512: 1c077ffb50639efe96a058bf6feb67b6e8f74fee9ba147d00fc7fa17b2efa93688eb454376953d9da645e09ee67cbd62ff07035da2d0e366a9a8b03620fe4955