Analysis
- max time kernel: 137s
- max time network: 141s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 24-02-2022 11:09
Static task: static1
Behavioral task: behavioral1
- Sample: 995e26d3c24d06f40dd6771fa55d0127639a50e59249c593cb21ee3ea9401cfa.exe
- Resource: win7-20220223-en
Behavioral task: behavioral2
- Sample: 995e26d3c24d06f40dd6771fa55d0127639a50e59249c593cb21ee3ea9401cfa.exe
- Resource: win10-en-20211208
Behavioral task: behavioral3
- Sample: 995e26d3c24d06f40dd6771fa55d0127639a50e59249c593cb21ee3ea9401cfa.exe
- Resource: win10v2004-en-20220113
General
- Target: 995e26d3c24d06f40dd6771fa55d0127639a50e59249c593cb21ee3ea9401cfa.exe
- Size: 4.5MB
- MD5: ccdb023db49ef98e92bc4e52fd5d7bec
- SHA1: 704fe7f943331a69984527e50d3ab1823e111f4b
- SHA256: 995e26d3c24d06f40dd6771fa55d0127639a50e59249c593cb21ee3ea9401cfa
- SHA512: 4ce111297c6cdff1377d6eaa9069318ffd7845a4e91ec9bb01488cdef70c5ef292dcb7bb40fff76ff081eaff87e32632bdd4227f0f7c853857da0de4b52e1d29
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- Executes dropped EXE (1 IoC)
  Processes:
  pid | process
  3424 | MediaCenter.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 995e26d3c24d06f40dd6771fa55d0127639a50e59249c593cb21ee3ea9401cfa.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 995e26d3c24d06f40dd6771fa55d0127639a50e59249c593cb21ee3ea9401cfa.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 1268 | 995e26d3c24d06f40dd6771fa55d0127639a50e59249c593cb21ee3ea9401cfa.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
  description | pid | process | target process
  PID 1268 wrote to memory of 3424 | 1268 | 995e26d3c24d06f40dd6771fa55d0127639a50e59249c593cb21ee3ea9401cfa.exe | MediaCenter.exe
  PID 1268 wrote to memory of 3424 | 1268 | 995e26d3c24d06f40dd6771fa55d0127639a50e59249c593cb21ee3ea9401cfa.exe | MediaCenter.exe
  PID 1268 wrote to memory of 3424 | 1268 | 995e26d3c24d06f40dd6771fa55d0127639a50e59249c593cb21ee3ea9401cfa.exe | MediaCenter.exe
  PID 1268 wrote to memory of 4464 | 1268 | 995e26d3c24d06f40dd6771fa55d0127639a50e59249c593cb21ee3ea9401cfa.exe | cmd.exe
  PID 1268 wrote to memory of 4464 | 1268 | 995e26d3c24d06f40dd6771fa55d0127639a50e59249c593cb21ee3ea9401cfa.exe | cmd.exe
  PID 1268 wrote to memory of 4464 | 1268 | 995e26d3c24d06f40dd6771fa55d0127639a50e59249c593cb21ee3ea9401cfa.exe | cmd.exe
  PID 4464 wrote to memory of 4516 | 4464 | cmd.exe | PING.EXE
  PID 4464 wrote to memory of 4516 | 4464 | cmd.exe | PING.EXE
  PID 4464 wrote to memory of 4516 | 4464 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\995e26d3c24d06f40dd6771fa55d0127639a50e59249c593cb21ee3ea9401cfa.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\995e26d3c24d06f40dd6771fa55d0127639a50e59249c593cb21ee3ea9401cfa.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\995e26d3c24d06f40dd6771fa55d0127639a50e59249c593cb21ee3ea9401cfa.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 09a30137ce61df288e18c8428e6bfffe
  SHA1: 8a8a1b16a783a0902ccb02d76ac7b4b04d9dc359
  SHA256: dd5db5e5f740959c4844f38926e57b68acddb1b65c3eb0de05c14a578b84b7de
  SHA512: 6d8cb3b28034d3cb1c82b15fe5474795840a409a54274f3ec8f37c46d0c883f8848c41e8bd42405e197187bb25c6112cd7a69cf743921e60cd067469c8fc6c54