Analysis

max time kernel: 163s
max time network: 176s
platform: windows10-2004_x64
resource: win10v2004-en-20220112
submitted: 12-02-2022 08:19

Static task: static1

Behavioral task: behavioral1
Sample: 0b45e126783a51846d41db08ae332566d362a2b0772506f6931214d634b7ebaa.exe
Resource: win7-en-20211208

Behavioral task: behavioral2
Sample: 0b45e126783a51846d41db08ae332566d362a2b0772506f6931214d634b7ebaa.exe
Resource: win10v2004-en-20220112
General

Target: 0b45e126783a51846d41db08ae332566d362a2b0772506f6931214d634b7ebaa.exe
Size: 92KB
MD5: 75671d499ddf0ed6dadb85ab8d9dcdcf
SHA1: ecd0ff998d5de2ea78eeb78c5c6c086a89e83096
SHA256: 0b45e126783a51846d41db08ae332566d362a2b0772506f6931214d634b7ebaa
SHA512: e98d141074d2e6975579b129eb7d182549b5f1ab6b950f718f526218827aeaae3586f28406a5a95ca2570cf05b13abf59b00aafbae169810302a752ff44d244d
Malware Config
Signatures
Sakula Payload (2 IoCs)
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
Executes dropped EXE (1 IoCs)
Processes:
pid | process
4008 | MediaCenter.exe
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up the country code configured in the registry (HKCU\Control Panel\International\Geo\Nation), a common geofencing check used to avoid executing in, or to target, particular countries.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation | 0b45e126783a51846d41db08ae332566d362a2b0772506f6931214d634b7ebaa.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
The value is written under WOW6432Node, i.e. the 32-bit sample writing HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run through the registry redirector on 64-bit Windows. An HKLM Run value executes the dropped MediaCenter.exe at every interactive logon for any user, so the payload survives reboots after the original executable deletes itself.
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 0b45e126783a51846d41db08ae332566d362a2b0772506f6931214d634b7ebaa.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description associates this with ransomware, but no IoCs were recorded for this signature and the YARA match above classifies the dropped payload as Sakula, a remote-access backdoor family rather than ransomware.
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read to detect sandbox environments. Both hits below come from MusNotifyIcon.exe, a Windows Update notification component started from C:\Windows\system32 (see the process tree), not from the sample or its dropped MediaCenter.exe, so they are most likely background system activity rather than sample behaviour.
Processes:
description | ioc | process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | MusNotifyIcon.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | MusNotifyIcon.exe
Runs ping.exe (1 TTPs, 1 IoCs)
ping is used here as a timer, not for network discovery: the sample launches cmd.exe /c ping 127.0.0.1 & del /q "<own path>" (see the process tree), so the loopback pings give the parent a few seconds to exit before cmd.exe deletes the original executable. Without the delay, del would fail because the running image is still locked.
Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes:
description | pid | process
Token: SeIncBasePriorityPrivilege | 3512 | 0b45e126783a51846d41db08ae332566d362a2b0772506f6931214d634b7ebaa.exe
Suspicious use of WriteProcessMemory (9 IoCs)
All nine writes go from a parent into a child it has just spawned (3512 into 4008 and 1368, then 1368 into 2596), which matches the process tree and is consistent with ordinary process creation rather than injection into an unrelated or pre-existing process.
Processes:
description | pid | process | target process
PID 3512 wrote to memory of 4008 | 3512 | 0b45e126783a51846d41db08ae332566d362a2b0772506f6931214d634b7ebaa.exe | MediaCenter.exe
PID 3512 wrote to memory of 4008 | 3512 | 0b45e126783a51846d41db08ae332566d362a2b0772506f6931214d634b7ebaa.exe | MediaCenter.exe
PID 3512 wrote to memory of 4008 | 3512 | 0b45e126783a51846d41db08ae332566d362a2b0772506f6931214d634b7ebaa.exe | MediaCenter.exe
PID 3512 wrote to memory of 1368 | 3512 | 0b45e126783a51846d41db08ae332566d362a2b0772506f6931214d634b7ebaa.exe | cmd.exe
PID 3512 wrote to memory of 1368 | 3512 | 0b45e126783a51846d41db08ae332566d362a2b0772506f6931214d634b7ebaa.exe | cmd.exe
PID 3512 wrote to memory of 1368 | 3512 | 0b45e126783a51846d41db08ae332566d362a2b0772506f6931214d634b7ebaa.exe | cmd.exe
PID 1368 wrote to memory of 2596 | 1368 | cmd.exe | PING.EXE
PID 1368 wrote to memory of 2596 | 1368 | cmd.exe | PING.EXE
PID 1368 wrote to memory of 2596 | 1368 | cmd.exe | PING.EXE
Processes

[1] C:\Users\Admin\AppData\Local\Temp\0b45e126783a51846d41db08ae332566d362a2b0772506f6931214d634b7ebaa.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\0b45e126783a51846d41db08ae332566d362a2b0772506f6931214d634b7ebaa.exe"
    PID: 3512
    - Checks computer location settings
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
        PID: 4008
        - Executes dropped EXE

    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0b45e126783a51846d41db08ae332566d362a2b0772506f6931214d634b7ebaa.exe"
        PID: 1368
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\PING.EXE
            Command line: ping 127.0.0.1
            PID: 2596
            - Runs ping.exe

[1] C:\Windows\system32\MusNotifyIcon.exe
    Command line: %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
    PID: 620
    - Checks processor information in registry

Note: the sample requested C:\Windows\System32\cmd.exe but the image that ran is C:\Windows\SysWOW64\cmd.exe; the 32-bit process's path was resolved by the WOW64 file system redirector, which is why the dropped cmd.exe and PING.EXE both appear under SysWOW64. MusNotifyIcon.exe is a Windows component at depth 1 with no relation to the sample's tree.
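The two behaviours in this tree that matter most for detection are the Run-key persistence pointing into a user's %TEMP% and the cmd.exe /c ping & del self-deletion idiom. The Python below is an added example and not part of the sandbox report: it runs simple detection logic over constructed, Sysmon-like event records that reproduce the report's values, plus two benign controls that must not fire. The event shape, field names and rule names are assumptions for illustration only.

```python
"""Detect Run-key persistence into %TEMP% and ping-delayed self-deletion.

Added example for this report. The Event class, its fields and the rule
names are assumptions chosen for illustration; the event values below are
constructed from the report's process tree and Run-key IoC.
"""
import re
from dataclasses import dataclass

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\0b45e126783a51846d41db08ae332566d362a2b0772506f6931214d634b7ebaa.exe"
PAYLOAD = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"


@dataclass
class Event:
    kind: str                 # "process_create" or "registry_set"
    image: str                # path of the process performing the action
    pid: int
    parent_image: str = ""    # process_create only
    command_line: str = ""    # process_create only
    target_object: str = ""   # registry_set only: full key\value path
    details: str = ""         # registry_set only: value data


# Constructed telemetry (not real sandbox output), shaped loosely like Sysmon
# events 1 (process create) and 13 (registry value set).
EVENTS = [
    Event("registry_set", SAMPLE, 3512,
          target_object=r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
          details=PAYLOAD),
    Event("process_create", PAYLOAD, 4008, parent_image=SAMPLE, command_line=PAYLOAD),
    Event("process_create", r"C:\Windows\SysWOW64\cmd.exe", 1368, parent_image=SAMPLE,
          command_line=r'"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "' + SAMPLE + '"'),
    Event("process_create", r"C:\Windows\SysWOW64\PING.EXE", 2596,
          parent_image=r"C:\Windows\SysWOW64\cmd.exe", command_line="ping 127.0.0.1"),
    # Benign control: a Run value pointing at Program Files must not fire.
    Event("registry_set", r"C:\Program Files\Vendor\setup.exe", 900,
          target_object=r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
          details=r"C:\Program Files\Vendor\agent.exe"),
    # Benign control: cmd.exe running ping with no chained del must not fire.
    Event("process_create", r"C:\Windows\System32\cmd.exe", 901,
          parent_image=r"C:\Windows\explorer.exe",
          command_line=r'"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1'),
]

# Run key under HKLM or HKCU, with or without the WOW6432Node redirection view.
RUN_KEY_RE = re.compile(r"\\(?:WOW6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
# Binary located under a user's local Temp directory.
USER_TEMP_RE = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.I)
# ping used as a sleep, chained with & or && into del; captures the path handed to del.
PING_DEL_RE = re.compile(r'\bping\b.*?&+\s*del\b(?:\s+/\w+)*\s+"?([^"&]+?)"?\s*$', re.I)


def detect_run_key_to_temp(ev):
    """Run-key persistence whose target executable lives under a user's %TEMP%."""
    if ev.kind != "registry_set" or not RUN_KEY_RE.search(ev.target_object):
        return None
    target = ev.details.strip('"')
    if not USER_TEMP_RE.match(target):
        return None
    return ("run_key_to_user_temp", ev.pid, target)


def detect_ping_delete(ev):
    """cmd.exe using ping as a delay before del; flags deletion of the parent's own image separately."""
    if ev.kind != "process_create" or not ev.image.lower().endswith("\\cmd.exe"):
        return None
    m = PING_DEL_RE.search(ev.command_line)
    if not m:
        return None
    deleted = m.group(1).strip().lower()
    if deleted == ev.parent_image.lower():
        return ("ping_delay_self_delete", ev.pid, deleted)   # parent erasing itself
    return ("ping_delay_delete", ev.pid, deleted)            # delayed delete of another file


def run_detections(events):
    """Apply every rule to every event; returns (rule, pid, detail) tuples in event order."""
    hits = []
    for ev in events:
        for rule in (detect_run_key_to_temp, detect_ping_delete):
            hit = rule(ev)
            if hit:
                hits.append(hit)
    return hits


if __name__ == "__main__":
    for rule, pid, detail in run_detections(EVENTS):
        print(f"{rule:26} pid={pid} {detail}")
```

Against the constructed events this yields exactly two hits, one per rule, attributed to PIDs 3512 and 1368; the two controls produce nothing. Matching the del target against the parent's image is what separates the self-deletion seen here from the much more common installer clean-up of an unrelated file.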
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: 332ec55428f40e163569238d7cd5c340
SHA1: 1e751f9b22b587ef4c4dc33b5cd4642855d539b9
SHA256: 1a26edecae280a6287be04644f306feced26e79ee1c9d29ca16ea2fb602155e6
SHA512: 8ee09c080e29bb49f0ba652945e69a86778c980f020543310ebcb98bd6ae788cc05c43f7b246d7e65f96fea187ffbb391f1e8745ccf746588379f37c26f5a208