Analysis
max time kernel: 134s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 24-02-2022 11:03
Static task: static1
Behavioral task: behavioral1
  Sample: 7b8d0ee237e85d52c4ae65170c50a97437697299cb92badf91e7510f798bb452.exe
  Resource: win7-20220223-en
Behavioral task: behavioral2
  Sample: 7b8d0ee237e85d52c4ae65170c50a97437697299cb92badf91e7510f798bb452.exe
  Resource: win10-20220223-en
Behavioral task: behavioral3
  Sample: 7b8d0ee237e85d52c4ae65170c50a97437697299cb92badf91e7510f798bb452.exe
  Resource: win10v2004-en-20220113
General
Target: 7b8d0ee237e85d52c4ae65170c50a97437697299cb92badf91e7510f798bb452.exe
Size: 150KB
MD5: 202ca1b19f8ecc7e648043485ff91082
SHA1: df4be15599023beca2a24de920199fcd88f1f034
SHA256: 7b8d0ee237e85d52c4ae65170c50a97437697299cb92badf91e7510f798bb452
SHA512: 8ae627b9e0ba4d79b31bf4f36db947374f3904e405f77b293f2bb2fa6b87afb69cc0b694db661dc2d53b0f51bf2e2a60053628dabc99363c74c4f70cf1bc1554
Malware Config
Signatures

Sakula Payload (2 IoCs)
Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula

Executes dropped EXE (1 IoCs)
Processes: MediaCenter.exe
  pid | process
  3408 | MediaCenter.exe

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: 7b8d0ee237e85d52c4ae65170c50a97437697299cb92badf91e7510f798bb452.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 7b8d0ee237e85d52c4ae65170c50a97437697299cb92badf91e7510f798bb452.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
Processes: 7b8d0ee237e85d52c4ae65170c50a97437697299cb92badf91e7510f798bb452.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 7b8d0ee237e85d52c4ae65170c50a97437697299cb92badf91e7510f798bb452.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTPs, 1 IoCs)

Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes: 7b8d0ee237e85d52c4ae65170c50a97437697299cb92badf91e7510f798bb452.exe
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 2960 | 7b8d0ee237e85d52c4ae65170c50a97437697299cb92badf91e7510f798bb452.exe

Suspicious use of WriteProcessMemory (9 IoCs)
Processes: 7b8d0ee237e85d52c4ae65170c50a97437697299cb92badf91e7510f798bb452.exe, cmd.exe
  description | pid | process | target process
  PID 2960 wrote to memory of 3408 | 2960 | 7b8d0ee237e85d52c4ae65170c50a97437697299cb92badf91e7510f798bb452.exe | MediaCenter.exe
  PID 2960 wrote to memory of 3408 | 2960 | 7b8d0ee237e85d52c4ae65170c50a97437697299cb92badf91e7510f798bb452.exe | MediaCenter.exe
  PID 2960 wrote to memory of 3408 | 2960 | 7b8d0ee237e85d52c4ae65170c50a97437697299cb92badf91e7510f798bb452.exe | MediaCenter.exe
  PID 2960 wrote to memory of 3104 | 2960 | 7b8d0ee237e85d52c4ae65170c50a97437697299cb92badf91e7510f798bb452.exe | cmd.exe
  PID 2960 wrote to memory of 3104 | 2960 | 7b8d0ee237e85d52c4ae65170c50a97437697299cb92badf91e7510f798bb452.exe | cmd.exe
  PID 2960 wrote to memory of 3104 | 2960 | 7b8d0ee237e85d52c4ae65170c50a97437697299cb92badf91e7510f798bb452.exe | cmd.exe
  PID 3104 wrote to memory of 3648 | 3104 | cmd.exe | PING.EXE
  PID 3104 wrote to memory of 3648 | 3104 | cmd.exe | PING.EXE
  PID 3104 wrote to memory of 3648 | 3104 | cmd.exe | PING.EXE
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\7b8d0ee237e85d52c4ae65170c50a97437697299cb92badf91e7510f798bb452.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\7b8d0ee237e85d52c4ae65170c50a97437697299cb92badf91e7510f798bb452.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  Level 2: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE

  Level 2: C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\7b8d0ee237e85d52c4ae65170c50a97437697299cb92badf91e7510f798bb452.exe"
    - Suspicious use of WriteProcessMemory

    Level 3: C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 7e4d26462782fe3eee4ee6d564a1024d
  SHA1: df733f032544dca64adea0432046682fa096d40b
  SHA256: 5026f19dc1b7a8d314b405bd42f83785e5af9ad72d45e22d022b0a1eb96bcbef
  SHA512: 9bd49d42a8c8c498b05a742b6f96370fdbd93161a166ad3730522ca228b88eab8e9dcf295f28f72abdb86391863c9336308fdc0d634f0e88b1e0b8051dd74322