Analysis
- max time kernel: 129s
- max time network: 133s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 24-02-2022 11:08
Static task: static1

Behavioral task: behavioral1
- Sample: c0064a70b0d297c43ccc230f852c1ffac7534d58251dec497bab0e7e82f79143.exe
- Resource: win7-20220223-en

Behavioral task: behavioral2
- Sample: c0064a70b0d297c43ccc230f852c1ffac7534d58251dec497bab0e7e82f79143.exe
- Resource: win10-en-20211208

Behavioral task: behavioral3
- Sample: c0064a70b0d297c43ccc230f852c1ffac7534d58251dec497bab0e7e82f79143.exe
- Resource: win10v2004-en-20220113
General
- Target: c0064a70b0d297c43ccc230f852c1ffac7534d58251dec497bab0e7e82f79143.exe
- Size: 216KB
- MD5: dab5f66a4c8f6bcbcdeb2a83c21769c5
- SHA1: 06e8c2999917c6bc5d4b6359de3222d4379acbb9
- SHA256: c0064a70b0d297c43ccc230f852c1ffac7534d58251dec497bab0e7e82f79143
- SHA512: 3a02669cd6390e5c6b5e1dd8711c300790cd78419a512830325c497fad7a5864aeaac6e0622dd39ab3bd3bafad49f5ad968d0d6c24c961adb9cafb7b64869854
Malware Config
Signatures
- Sakula Payload (4 IoCs)
  Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  behavioral3/memory/2120-132-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
  behavioral3/memory/2792-133-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula

- Executes dropped EXE (1 IoC)
  Processes:
  pid | process
  2792 | MediaCenter.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely for geofencing.
  Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | c0064a70b0d297c43ccc230f852c1ffac7534d58251dec497bab0e7e82f79143.exe

- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | c0064a70b0d297c43ccc230f852c1ffac7534d58251dec497bab0e7e82f79143.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Runs ping.exe (1 TTP, 1 IoC)

- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 2120 | c0064a70b0d297c43ccc230f852c1ffac7534d58251dec497bab0e7e82f79143.exe

- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
  description | pid | process | target process
  PID 2120 wrote to memory of 2792 | 2120 | c0064a70b0d297c43ccc230f852c1ffac7534d58251dec497bab0e7e82f79143.exe | MediaCenter.exe
  PID 2120 wrote to memory of 2792 | 2120 | c0064a70b0d297c43ccc230f852c1ffac7534d58251dec497bab0e7e82f79143.exe | MediaCenter.exe
  PID 2120 wrote to memory of 2792 | 2120 | c0064a70b0d297c43ccc230f852c1ffac7534d58251dec497bab0e7e82f79143.exe | MediaCenter.exe
  PID 2120 wrote to memory of 4508 | 2120 | c0064a70b0d297c43ccc230f852c1ffac7534d58251dec497bab0e7e82f79143.exe | cmd.exe
  PID 2120 wrote to memory of 4508 | 2120 | c0064a70b0d297c43ccc230f852c1ffac7534d58251dec497bab0e7e82f79143.exe | cmd.exe
  PID 2120 wrote to memory of 4508 | 2120 | c0064a70b0d297c43ccc230f852c1ffac7534d58251dec497bab0e7e82f79143.exe | cmd.exe
  PID 4508 wrote to memory of 4960 | 4508 | cmd.exe | PING.EXE
  PID 4508 wrote to memory of 4960 | 4508 | cmd.exe | PING.EXE
  PID 4508 wrote to memory of 4960 | 4508 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\c0064a70b0d297c43ccc230f852c1ffac7534d58251dec497bab0e7e82f79143.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\c0064a70b0d297c43ccc230f852c1ffac7534d58251dec497bab0e7e82f79143.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (level 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (level 2)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\c0064a70b0d297c43ccc230f852c1ffac7534d58251dec497bab0e7e82f79143.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (level 3)
      Command line: ping 127.0.0.1
      - Runs ping.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: d3271d28f1dffaa30f964855298fe751
  SHA1: d07cefd55a808a00dc19085e6672e91b65a32e9d
  SHA256: bad4553f43f6218638096ea794856c086464202c9b67bb453b30eac75468f7a3
  SHA512: 9d71b3bd696c29ee1a9200a99091986caa09399ef1f19dd5a81199f1d295a08833648c5fe201e2f0f316e167c4ff72d72fe0619744de82d1c4b770bef0d84845
- memory/2120-132-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB
- memory/2792-133-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB