Analysis
- max time kernel: 155s
- max time network: 159s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220112
- submitted: 24-02-2022 11:09
Static task: static1
Behavioral task: behavioral1
- Sample: 932249c923c8f7977c12785238e68d4b2030471fc9edbda0ec326ced3bab755f.exe
- Resource: win7-20220223-en
Behavioral task: behavioral2
- Sample: 932249c923c8f7977c12785238e68d4b2030471fc9edbda0ec326ced3bab755f.exe
- Resource: win10-20220223-en
Behavioral task: behavioral3
- Sample: 932249c923c8f7977c12785238e68d4b2030471fc9edbda0ec326ced3bab755f.exe
- Resource: win10v2004-en-20220112
General
- Target: 932249c923c8f7977c12785238e68d4b2030471fc9edbda0ec326ced3bab755f.exe
- Size: 3.6MB
- MD5: 4e7155bd7afbb888e41128b78413855b
- SHA1: 8387ad1ee24852185eb9dd265987ae39fa0254d0
- SHA256: 932249c923c8f7977c12785238e68d4b2030471fc9edbda0ec326ced3bab755f
- SHA512: 5ea1e3074525018d672ef91a39cdcf949c5a54dd1957a7aca0a7f547418640e93cb4628345fd4cbc373943fc3c708d91c8943f3c505271059c69de80fe6a6a8c
Malware Config
Signatures
Sakula Payload (2 IoCs)
Processes:
- resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe, yara_rule: family_sakula
- resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe, yara_rule: family_sakula
Executes dropped EXE (1 IoC)
Processes:
- pid: 736, process: MediaCenter.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
- description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation
  process: 932249c923c8f7977c12785238e68d4b2030471fc9edbda0ec326ced3bab755f.exe
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
- description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  process: 932249c923c8f7977c12785238e68d4b2030471fc9edbda0ec326ced3bab755f.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Runs ping.exe (1 TTP, 1 IoC)
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
- description: Token: SeIncBasePriorityPrivilege
  pid: 3932
  process: 932249c923c8f7977c12785238e68d4b2030471fc9edbda0ec326ced3bab755f.exe
Suspicious use of WriteProcessMemory (9 IoCs)
Processes (each entry is listed 3 times in the report):
- description: PID 3932 wrote to memory of 736
  pid: 3932
  process: 932249c923c8f7977c12785238e68d4b2030471fc9edbda0ec326ced3bab755f.exe
  target process: MediaCenter.exe
- description: PID 3932 wrote to memory of 2112
  pid: 3932
  process: 932249c923c8f7977c12785238e68d4b2030471fc9edbda0ec326ced3bab755f.exe
  target process: cmd.exe
- description: PID 2112 wrote to memory of 1360
  pid: 2112
  process: cmd.exe
  target process: PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\932249c923c8f7977c12785238e68d4b2030471fc9edbda0ec326ced3bab755f.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\932249c923c8f7977c12785238e68d4b2030471fc9edbda0ec326ced3bab755f.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\932249c923c8f7977c12785238e68d4b2030471fc9edbda0ec326ced3bab755f.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (depth 3)
      Command line: ping 127.0.0.1
      - Runs ping.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 282a73d11a00b85f6f164269003ea2bf
  SHA1: 345816b1cee6644550dc6dfb594325e1306812c4
  SHA256: 166205190eaa668e7ad67de7e0368de986d9699f4d41f2a3e7f1b39e55b4c9c4
  SHA512: f0f84637896eba2019bc90f2c7737095d2a178effef88164c9bc0f45528e5c19dae1d4739a89c37a8655784f2f7bdb7e6eac88c3d7bd9753b09d08c2e6c35e30