Analysis
- max time kernel: 129s
- max time network: 138s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 23-03-2022 09:33
Static task: static1
Behavioral task: behavioral1
- Sample: fa78da80bfee18732ee6ffb55b9fa8322f3310723273f782fc52f6e9c87b397f.exe
- Resource: win7-20220311-en
Behavioral task: behavioral2
- Sample: fa78da80bfee18732ee6ffb55b9fa8322f3310723273f782fc52f6e9c87b397f.exe
- Resource: win10v2004-en-20220113
General
- Target: fa78da80bfee18732ee6ffb55b9fa8322f3310723273f782fc52f6e9c87b397f.exe
- Size: 104KB
- MD5: 39355c04cb738da59753caccf1bd4dd5
- SHA1: c8a84f08c89965c7719d0207ca9ba6bc89da15d1
- SHA256: fa78da80bfee18732ee6ffb55b9fa8322f3310723273f782fc52f6e9c87b397f
- SHA512: 8d91282e663ff4e72a49eaecdce8173d240fcad6d8bb265aa01dc6760e65b9441f226c79b8056c1b21d3d1912abdd05cf8ae55bb5ca593cfa89b1ecf36e25248
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  resource: behavioral2/files/0x000400000001e7c3-132.dat, yara_rule: family_sakula
  resource: behavioral2/files/0x000400000001e7c3-131.dat, yara_rule: family_sakula
- Executes dropped EXE (1 IoC)
  pid 1652, process MediaCenter.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation, by fa78da80bfee18732ee6ffb55b9fa8322f3310723273f782fc52f6e9c87b397f.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe", by fa78da80bfee18732ee6ffb55b9fa8322f3310723273f782fc52f6e9c87b397f.exe
  The WOW6432Node path (and the SysWOW64 cmd.exe in the process tree) shows the sample runs as a 32-bit process on the x64 host; the autostart entry points at a dropped file in the user's Temp directory, so it can be rewritten without elevated rights.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic description labels this as likely ransomware behaviour, but no IoC was recorded for it in this run and the payload was identified as Sakula, so it should not be read as evidence of encryption activity.
- Runs ping.exe (1 TTP, 1 IoC)
  See PING.EXE (PID 984) in the process tree below.
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeIncBasePriorityPrivilege, pid 1380, process fa78da80bfee18732ee6ffb55b9fa8322f3310723273f782fc52f6e9c87b397f.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Each parent/child pair below was recorded three times (3 events each):
  PID 1380 (fa78da80bfee18732ee6ffb55b9fa8322f3310723273f782fc52f6e9c87b397f.exe) wrote to memory of PID 1652, procid_target 79
  PID 1380 (fa78da80bfee18732ee6ffb55b9fa8322f3310723273f782fc52f6e9c87b397f.exe) wrote to memory of PID 3312, procid_target 88
  PID 3312 (cmd.exe) wrote to memory of PID 984, procid_target 90
Processes
- C:\Users\Admin\AppData\Local\Temp\fa78da80bfee18732ee6ffb55b9fa8322f3310723273f782fc52f6e9c87b397f.exe (PID 1380)
  command line: "C:\Users\Admin\AppData\Local\Temp\fa78da80bfee18732ee6ffb55b9fa8322f3310723273f782fc52f6e9c87b397f.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 1652)
    command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 3312)
    command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\fa78da80bfee18732ee6ffb55b9fa8322f3310723273f782fc52f6e9c87b397f.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 984)
      command line: ping 127.0.0.1
      - Runs ping.exe
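The two behaviours in this report that translate directly into host detection are the Run value written under WOW6432Node pointing into the user's Temp directory, and the cmd.exe /c ping 127.0.0.1 & del sequence the sample uses to remove its own image after spawning the dropped MediaCenter.exe. The Python below is an added example, not part of the sandbox report: it runs two detection rules over constructed Sysmon-style event records (the field names event_id, image, parent_image, target_object, details and command_line are an assumed schema). The two malicious records reproduce the IoCs above; the two benign records are invented controls so the rules can be seen not firing.

```python
import re

# Constructed sample telemetry in the shape of Sysmon Event ID 13 (registry
# value set) and Event ID 1 (process create). The first two records reproduce
# the IoCs from the report above; the two "benign" records are invented controls.
SAMPLE_EXE = (r"C:\Users\Admin\AppData\Local\Temp"
              r"\fa78da80bfee18732ee6ffb55b9fa8322f3310723273f782fc52f6e9c87b397f.exe")

SAMPLE_EVENTS = [
    {   # Run-key persistence: value points into %LOCALAPPDATA%\Temp (malicious)
        "event_id": 13,
        "image": SAMPLE_EXE,
        "target_object": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
        "details": r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe",
    },
    {   # Self-deletion: cmd /c ping 127.0.0.1 & del <own image> (malicious)
        "event_id": 1,
        "image": r"C:\Windows\SysWOW64\cmd.exe",
        "parent_image": SAMPLE_EXE,
        "command_line": r'"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "' + SAMPLE_EXE + '"',
    },
    {   # Benign control: installer registering a Run value under Program Files
        "event_id": 13,
        "image": r"C:\Program Files\Vendor\setup.exe",
        "target_object": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
        "details": r"C:\Program Files\Vendor\updater.exe",
    },
    {   # Benign control: an operator pinging a remote host from cmd
        "event_id": 1,
        "image": r"C:\Windows\System32\cmd.exe",
        "parent_image": r"C:\Windows\explorer.exe",
        "command_line": r'"C:\Windows\System32\cmd.exe" /c ping 10.0.0.1',
    },
]

# Run / RunOnce under either the native or the WOW6432Node view of the hive.
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.IGNORECASE)
# Directories an unprivileged user can write to; an autostart pointing here is
# the pattern in this report (the attacker can replace the target at will).
USER_WRITABLE_RE = re.compile(
    r"^[A-Z]:\\(?:Users\\[^\\]+\\AppData\\(?:Local|Roaming)\\|Users\\Public\\|ProgramData\\|Windows\\Temp\\)",
    re.IGNORECASE,
)
# "ping <loopback> [&|&&] del|erase ..." on one cmd line: the loopback ping is a
# sleep so the parent can exit before its file is removed.
SELF_DELETE_RE = re.compile(
    r"\bping(?:\.exe)?\s+(?:-n\s+\d+\s+)?(?:127\.0\.0\.1|localhost)\b.*?&+\s*(?:del|erase)\b",
    re.IGNORECASE,
)
# The first .exe path after del/erase, with optional switches and quotes.
DEL_TARGET_RE = re.compile(r'\b(?:del|erase)\b(?:\s+/\w+)*\s+"?([^"&]+?\.exe)"?', re.IGNORECASE)


def first_exe_path(value):
    """Return the executable path at the start of a Run value (quotes/args stripped)."""
    m = re.match(r'\s*"?([^"]+?\.exe)', value, re.IGNORECASE)
    return m.group(1) if m else None


def run_key_to_user_writable(ev):
    """True if a Run/RunOnce value was set that points into a user-writable directory."""
    if ev.get("event_id") != 13 or not RUN_KEY_RE.search(ev.get("target_object", "")):
        return False
    path = first_exe_path(ev.get("details", ""))
    return bool(path and USER_WRITABLE_RE.match(path))


def self_delete_via_ping(ev):
    """Return None, "medium" or "high"; high when the deleted file is the parent's own image."""
    if ev.get("event_id") != 1 or not ev.get("image", "").lower().endswith("\\cmd.exe"):
        return None
    cmd = ev.get("command_line", "")
    if not SELF_DELETE_RE.search(cmd):
        return None
    m = DEL_TARGET_RE.search(cmd)
    if m and m.group(1).lower() == ev.get("parent_image", "").lower():
        return "high"
    return "medium"


def detect(events):
    """Run both rules over a list of events and return the findings in input order."""
    findings = []
    for ev in events:
        if run_key_to_user_writable(ev):
            findings.append({"rule": "run_key_user_writable", "image": ev["image"],
                             "value": ev["target_object"], "confidence": "medium"})
        level = self_delete_via_ping(ev)
        if level:
            findings.append({"rule": "self_delete_via_ping", "image": ev["parent_image"],
                             "value": ev["command_line"], "confidence": level})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f['confidence']}] {f['rule']}: {f['image']}")
```

The self-deletion rule is scored "high" only when the path handed to del matches the parent process image, which is exactly the relationship visible in the process tree above (PID 1380 spawns cmd.exe to delete its own file); a ping-then-del against some other file is still worth a medium-confidence alert because the loopback ping has no purpose except as a delay.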
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: cb5ee79f9904530ae717cbe31356dfd9
  SHA1: 9456915f4245196398f01f5d1ef659f96887bc74
  SHA256: 3644b5af5af2aa2cb1b1d27c2fe02a75e2de102efbe2a3c245c2dc794808d941
  SHA512: f0294f39fa01187058ea9f48ad6d99e0b27aacfd89b12eb1cede0c8e41ce62830ee92264e4299f6da0476ccefb3d3d6c668621bd01c5fed4bf9385cfacfa1274
  (listed twice in the report; both entries carry identical hashes)