Analysis
max time kernel: 134s
max time network: 137s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 24-02-2022 11:08

Static task: static1

Behavioral task: behavioral1
Sample: fb9634f7f285e1b11b44d55c58f0c2e8d14fa5ace58670d8c806b09d6570c629.exe
Resource: win7-20220223-en

Behavioral task: behavioral2
Sample: fb9634f7f285e1b11b44d55c58f0c2e8d14fa5ace58670d8c806b09d6570c629.exe
Resource: win10-en-20211208

Behavioral task: behavioral3
Sample: fb9634f7f285e1b11b44d55c58f0c2e8d14fa5ace58670d8c806b09d6570c629.exe
Resource: win10v2004-en-20220113
General
Target: fb9634f7f285e1b11b44d55c58f0c2e8d14fa5ace58670d8c806b09d6570c629.exe
Size: 216KB
MD5: 052e970aff7e2e0e3209417a92f4e2c6
SHA1: 32c0cb93f35e65295a02d362c3bf4fd71fa9365c
SHA256: fb9634f7f285e1b11b44d55c58f0c2e8d14fa5ace58670d8c806b09d6570c629
SHA512: 38d19aea666d07db8c2f2925d3d7af99d03936cfda936fbc994d00ce66b27147647ca28bae684b99fdbbc7e424b34b13c5c5a6d4739d4a46934ae2ba744e8c8d
Malware Config
Signatures

Sakula Payload (4 IoCs)
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
behavioral3/memory/4820-132-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
behavioral3/memory/2192-133-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula

Executes dropped EXE (1 IoCs)
Processes:
pid | process
2192 | MediaCenter.exe

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | fb9634f7f285e1b11b44d55c58f0c2e8d14fa5ace58670d8c806b09d6570c629.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | fb9634f7f285e1b11b44d55c58f0c2e8d14fa5ace58670d8c806b09d6570c629.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTPs, 1 IoCs)

Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes:
description | pid | process
Token: SeIncBasePriorityPrivilege | 4820 | fb9634f7f285e1b11b44d55c58f0c2e8d14fa5ace58670d8c806b09d6570c629.exe

Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
description | pid | process | target process
PID 4820 wrote to memory of 2192 | 4820 | fb9634f7f285e1b11b44d55c58f0c2e8d14fa5ace58670d8c806b09d6570c629.exe | MediaCenter.exe
PID 4820 wrote to memory of 2192 | 4820 | fb9634f7f285e1b11b44d55c58f0c2e8d14fa5ace58670d8c806b09d6570c629.exe | MediaCenter.exe
PID 4820 wrote to memory of 2192 | 4820 | fb9634f7f285e1b11b44d55c58f0c2e8d14fa5ace58670d8c806b09d6570c629.exe | MediaCenter.exe
PID 4820 wrote to memory of 1892 | 4820 | fb9634f7f285e1b11b44d55c58f0c2e8d14fa5ace58670d8c806b09d6570c629.exe | cmd.exe
PID 4820 wrote to memory of 1892 | 4820 | fb9634f7f285e1b11b44d55c58f0c2e8d14fa5ace58670d8c806b09d6570c629.exe | cmd.exe
PID 4820 wrote to memory of 1892 | 4820 | fb9634f7f285e1b11b44d55c58f0c2e8d14fa5ace58670d8c806b09d6570c629.exe | cmd.exe
PID 1892 wrote to memory of 632 | 1892 | cmd.exe | PING.EXE
PID 1892 wrote to memory of 632 | 1892 | cmd.exe | PING.EXE
PID 1892 wrote to memory of 632 | 1892 | cmd.exe | PING.EXE
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\fb9634f7f285e1b11b44d55c58f0c2e8d14fa5ace58670d8c806b09d6570c629.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\fb9634f7f285e1b11b44d55c58f0c2e8d14fa5ace58670d8c806b09d6570c629.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  Level 2: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE

  Level 2: C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\fb9634f7f285e1b11b44d55c58f0c2e8d14fa5ace58670d8c806b09d6570c629.exe"
    - Suspicious use of WriteProcessMemory

    Level 3: C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5: 02822c0b3f7194ea0d6cc233e513a536
SHA1: bd9046b19ebf78b06c845de9fd43784f78e22f43
SHA256: e1cfebbcf0f83f644b90ef5e35ca72522dd3f698046d8af850e69a41b5b2390f
SHA512: 4c118f808353615d517aaf80cd362c3918ac97b79382c39bc6bac101dca7ba4876dd7429dca4107b16e05a9d51bc47d119e66856168f5beb07b68627d381efa0

memory/2192-133-0x0000000000400000-0x0000000000420000-memory.dmp
Filesize: 128KB

memory/4820-132-0x0000000000400000-0x0000000000420000-memory.dmp
Filesize: 128KB