Analysis
- max time kernel: 152s
- max time network: 165s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220112
- submitted: 12-02-2022 08:29
Static task: static1
Behavioral task: behavioral1
- Sample: 0af9c0954f0d69b7d7670689a8e18e24520ce4eb7d29f4f3e7d8361255c4f86d.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 0af9c0954f0d69b7d7670689a8e18e24520ce4eb7d29f4f3e7d8361255c4f86d.exe
- Resource: win10v2004-en-20220112
General
- Target: 0af9c0954f0d69b7d7670689a8e18e24520ce4eb7d29f4f3e7d8361255c4f86d.exe
- Size: 80KB
- MD5: 877333f89463142430ddf4b8f57e5cf2
- SHA1: 2061ade9bac23bd458cb03edd88847cadfa83f44
- SHA256: 0af9c0954f0d69b7d7670689a8e18e24520ce4eb7d29f4f3e7d8361255c4f86d
- SHA512: ea20e86de92ebc0a95eaac9f7e9dd4188d9521a6458ac566d25a19c0c0d56c6c6b210c35041800f5ccdacc3fde55e8bd3b8701a31caee6e137e8bd41b66654f4
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  Processes:
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe, yara_rule: family_sakula
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe, yara_rule: family_sakula
- Executes dropped EXE (1 IoC)
  Processes:
  - PID 2816, MediaCenter.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes: 0af9c0954f0d69b7d7670689a8e18e24520ce4eb7d29f4f3e7d8361255c4f86d.exe
  - Key value queried: \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation (process: 0af9c0954f0d69b7d7670689a8e18e24520ce4eb7d29f4f3e7d8361255c4f86d.exe)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: 0af9c0954f0d69b7d7670689a8e18e24520ce4eb7d29f4f3e7d8361255c4f86d.exe
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" (process: 0af9c0954f0d69b7d7670689a8e18e24520ce4eb7d29f4f3e7d8361255c4f86d.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: MusNotifyIcon.exe
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (process: MusNotifyIcon.exe)
  - Key opened: \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (process: MusNotifyIcon.exe)
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: 0af9c0954f0d69b7d7670689a8e18e24520ce4eb7d29f4f3e7d8361255c4f86d.exe
  - Token: SeIncBasePriorityPrivilege, PID 1264, 0af9c0954f0d69b7d7670689a8e18e24520ce4eb7d29f4f3e7d8361255c4f86d.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: 0af9c0954f0d69b7d7670689a8e18e24520ce4eb7d29f4f3e7d8361255c4f86d.exe, cmd.exe
  - PID 1264 wrote to memory of 2816: 0af9c0954f0d69b7d7670689a8e18e24520ce4eb7d29f4f3e7d8361255c4f86d.exe -> MediaCenter.exe
  - PID 1264 wrote to memory of 2816: 0af9c0954f0d69b7d7670689a8e18e24520ce4eb7d29f4f3e7d8361255c4f86d.exe -> MediaCenter.exe
  - PID 1264 wrote to memory of 2816: 0af9c0954f0d69b7d7670689a8e18e24520ce4eb7d29f4f3e7d8361255c4f86d.exe -> MediaCenter.exe
  - PID 1264 wrote to memory of 4028: 0af9c0954f0d69b7d7670689a8e18e24520ce4eb7d29f4f3e7d8361255c4f86d.exe -> cmd.exe
  - PID 1264 wrote to memory of 4028: 0af9c0954f0d69b7d7670689a8e18e24520ce4eb7d29f4f3e7d8361255c4f86d.exe -> cmd.exe
  - PID 1264 wrote to memory of 4028: 0af9c0954f0d69b7d7670689a8e18e24520ce4eb7d29f4f3e7d8361255c4f86d.exe -> cmd.exe
  - PID 4028 wrote to memory of 684: cmd.exe -> PING.EXE
  - PID 4028 wrote to memory of 684: cmd.exe -> PING.EXE
  - PID 4028 wrote to memory of 684: cmd.exe -> PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\0af9c0954f0d69b7d7670689a8e18e24520ce4eb7d29f4f3e7d8361255c4f86d.exe (PID 1264)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0af9c0954f0d69b7d7670689a8e18e24520ce4eb7d29f4f3e7d8361255c4f86d.exe"
  Signatures: Checks computer location settings; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 2816)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Signatures: Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 4028)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0af9c0954f0d69b7d7670689a8e18e24520ce4eb7d29f4f3e7d8361255c4f86d.exe"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 684)
      Command line: ping 127.0.0.1
      Signatures: Runs ping.exe
- C:\Windows\system32\svchost.exe (PID 2516)
  Command line: C:\Windows\system32\svchost.exe -k wusvcs -p
- C:\Windows\system32\MusNotifyIcon.exe (PID 4008)
  Command line: %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
  Signatures: Checks processor information in registry
- C:\Windows\system32\svchost.exe (PID 1388)
  Command line: C:\Windows\system32\svchost.exe -k wusvcs -p
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  - MD5: b75c39c436cd80dfc7acbe4f4b03f785
  - SHA1: 52def8e47973ca5bd302075d7de6cc3b7f916fdb
  - SHA256: 81f7a5df5020d748ab830a94dd71e840536da86c8538d454d7035ca55f0f3840
  - SHA512: ce3797864bb981ebac120df9fc526c121a36c6ed2bbe9b1c47d675c6b5f773961ce651c30b4c6ec00ac2cee8ca6bfec5dbe8817d0fef22758f4aaf1178204922