Analysis
- max time kernel: 179s
- max time network: 189s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220112
- submitted: 12-02-2022 09:43
Static task: static1
Behavioral task: behavioral1
  Sample: 09366210f77c39cab265fa9433a4f7b2c7e46270b50b2c9bbba733b93258e91b.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 09366210f77c39cab265fa9433a4f7b2c7e46270b50b2c9bbba733b93258e91b.exe
  Resource: win10v2004-en-20220112
General
- Target: 09366210f77c39cab265fa9433a4f7b2c7e46270b50b2c9bbba733b93258e91b.exe
- Size: 192KB
- MD5: ef5c7d79e14d1c3d5ca40455fd1e23c1
- SHA1: eaac062a5c8665f8f7683819581a20d206212508
- SHA256: 09366210f77c39cab265fa9433a4f7b2c7e46270b50b2c9bbba733b93258e91b
- SHA512: 1216fc9ccff005a82b94e694572aedf99ea514b9338f1cf172bd3300c3d7d4908002c0ab17527039dc7b5ae3d2a9666c080df18c442475a4f438b1b872c7dc1a
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  Processes (resource | yara_rule):
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- Executes dropped EXE (1 IoC)
  Processes (pid | process):
    632 | MediaCenter.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes (description | ioc | process):
    Key value queried | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation | 09366210f77c39cab265fa9433a4f7b2c7e46270b50b2c9bbba733b93258e91b.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description | ioc | process):
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 09366210f77c39cab265fa9433a4f7b2c7e46270b50b2c9bbba733b93258e91b.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes (description | ioc | process):
    Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | MusNotifyIcon.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | MusNotifyIcon.exe
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description | pid | process):
    Token: SeIncBasePriorityPrivilege | 3300 | 09366210f77c39cab265fa9433a4f7b2c7e46270b50b2c9bbba733b93258e91b.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (description | pid | process | target process):
    PID 3300 wrote to memory of 632 | 3300 | 09366210f77c39cab265fa9433a4f7b2c7e46270b50b2c9bbba733b93258e91b.exe | MediaCenter.exe
    PID 3300 wrote to memory of 632 | 3300 | 09366210f77c39cab265fa9433a4f7b2c7e46270b50b2c9bbba733b93258e91b.exe | MediaCenter.exe
    PID 3300 wrote to memory of 632 | 3300 | 09366210f77c39cab265fa9433a4f7b2c7e46270b50b2c9bbba733b93258e91b.exe | MediaCenter.exe
    PID 3300 wrote to memory of 756 | 3300 | 09366210f77c39cab265fa9433a4f7b2c7e46270b50b2c9bbba733b93258e91b.exe | cmd.exe
    PID 3300 wrote to memory of 756 | 3300 | 09366210f77c39cab265fa9433a4f7b2c7e46270b50b2c9bbba733b93258e91b.exe | cmd.exe
    PID 3300 wrote to memory of 756 | 3300 | 09366210f77c39cab265fa9433a4f7b2c7e46270b50b2c9bbba733b93258e91b.exe | cmd.exe
    PID 756 wrote to memory of 3176 | 756 | cmd.exe | PING.EXE
    PID 756 wrote to memory of 3176 | 756 | cmd.exe | PING.EXE
    PID 756 wrote to memory of 3176 | 756 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\09366210f77c39cab265fa9433a4f7b2c7e46270b50b2c9bbba733b93258e91b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\09366210f77c39cab265fa9433a4f7b2c7e46270b50b2c9bbba733b93258e91b.exe"
  PID: 3300
  Signatures:
    - Checks computer location settings
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 632
    Signatures:
      - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\09366210f77c39cab265fa9433a4f7b2c7e46270b50b2c9bbba733b93258e91b.exe"
    PID: 756
    Signatures:
      - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 3176
      Signatures:
        - Runs ping.exe
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k wusvcs -p
  PID: 1872
- C:\Windows\system32\MusNotifyIcon.exe
  Command line: %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
  PID: 1988
  Signatures:
    - Checks processor information in registry
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: b0062788a319bc1f8d6834e35a280ad7
  SHA1: 24b2a765a95491cbcba54f43d1b39030aad72402
  SHA256: 89c735b5516f675a2ebff7f8c91fdae8bb021f23e28591e4b335c51e2ca91d1e
  SHA512: 3ad64f5924b5e3cae62e45b5b95e4e8e39f7fa421c9208313756559d1e512b62bb76f2bc3f5382eebd66782f2a1710604a33505c3e29c5ab2fa3e6a10d13a960