Analysis
- max time kernel: 160s
- max time network: 182s
- platform: windows10-2004_x64
- resource: win10v2004-20220331-en
- submitted: 27-03-2022 10:35

Static task: static1
Behavioral task: behavioral1
- Sample: a1fee89b08c2efed52dc1869e371d19c10813b9d64b9d48d53ab46475f08aa6e.exe
- Resource: win7-20220331-en
Behavioral task: behavioral2
- Sample: a1fee89b08c2efed52dc1869e371d19c10813b9d64b9d48d53ab46475f08aa6e.exe
- Resource: win10v2004-20220331-en
General
- Target: a1fee89b08c2efed52dc1869e371d19c10813b9d64b9d48d53ab46475f08aa6e.exe
- Size: 150KB
- MD5: 0ba9883b897c6f4508594c9908c6810a
- SHA1: 91fd59bbcff52bcf72034b11d9d982ccd2fc1bac
- SHA256: a1fee89b08c2efed52dc1869e371d19c10813b9d64b9d48d53ab46475f08aa6e
- SHA512: bfc4a41e1675dd6602db39fbadfe1d4db79e10ae0396e8caa034e596cdb422247254a5333fbef52a0611668e9dee2664f918a687910c54baf44cf8b737b8b1dd
Malware Config
Signatures
-
Sakula Payload 2 IoCs
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
Executes dropped EXE 1 IoCs
pid | process
1824 | MediaCenter.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, most likely a geofence check.
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1082102374-1487407228-1886994731-1000\Control Panel\International\Geo\Nation | a1fee89b08c2efed52dc1869e371d19c10813b9d64b9d48d53ab46475f08aa6e.exe
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe" | a1fee89b08c2efed52dc1869e371d19c10813b9d64b9d48d53ab46475f08aa6e.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's canned description rates this as likely ransomware behaviour, but no file-encryption activity is recorded in this run and the payload is classified as Sakula above, so treat the label as a generic heuristic rather than a finding.
Runs ping.exe 1 TTPs 1 IoCs
pid | process
4872 | PING.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs
description | pid | process
Token: SeIncBasePriorityPrivilege | 3812 | a1fee89b08c2efed52dc1869e371d19c10813b9d64b9d48d53ab46475f08aa6e.exe
Suspicious use of WriteProcessMemory 9 IoCs
description | pid | process | target process
PID 3812 wrote to memory of 1824 (recorded 3 times) | 3812 | a1fee89b08c2efed52dc1869e371d19c10813b9d64b9d48d53ab46475f08aa6e.exe | MediaCenter.exe
PID 3812 wrote to memory of 3884 (recorded 3 times) | 3812 | a1fee89b08c2efed52dc1869e371d19c10813b9d64b9d48d53ab46475f08aa6e.exe | cmd.exe
PID 3884 wrote to memory of 4872 (recorded 3 times) | 3884 | cmd.exe | PING.EXE
Processes
1. C:\Users\Admin\AppData\Local\Temp\a1fee89b08c2efed52dc1869e371d19c10813b9d64b9d48d53ab46475f08aa6e.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\a1fee89b08c2efed52dc1869e371d19c10813b9d64b9d48d53ab46475f08aa6e.exe"
   - Checks computer location settings
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE
   2. C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\a1fee89b08c2efed52dc1869e371d19c10813b9d64b9d48d53ab46475f08aa6e.exe"
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\PING.EXE
         command line: ping 127.0.0.1
         - Runs ping.exe
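The process tree records the whole chain in one place: the sample writes a Run value under HKLM\SOFTWARE\WOW6432Node (it is a 32-bit process on x64, which is also why its cmd.exe launches from SysWOW64 and why the HKLM\Software write is redirected to WOW6432Node), starts the dropped MediaCenter.exe, and then removes its own file with the "cmd /c ping 127.0.0.1 & del /q" idiom, where ping serves only as a delay so the parent has exited before del runs. The Python below is an added example, not part of this report and not Sakula's code: it hunts Sysmon-style events for a Run value that points into a user's Temp tree and for the ping-then-del pattern, and correlates the two into a drop-persist-execute chain. The event records are constructed from the report's process tree and registry IoC (PIDs as reported, plus one benign Run value that must not fire); the field names follow Sysmon naming (EventID 1 process creation, EventID 13 registry value set) but the dict layout itself is an assumption of the example.

```python
r"""
Hunt for the persistence and self-deletion behaviours in the report:
a Run value pointing into AppData\Local\Temp, and "cmd /c ping ... & del <file>",
plus a correlation tying the Run value to the child the dropper launched.

Assumed input (not from the report): Sysmon-style dict events,
EventID 1 = process creation, EventID 13 = registry value set.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional

# Run / RunOnce keys under HKLM or HKU, including the WOW6432Node redirection
# that a 32-bit process on x64 receives (the report's key lives there).
RUN_KEY_RE = re.compile(
    r"\\Software\\(?:WOW6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\",
    re.IGNORECASE,
)
# Executable located under <drive>:\Users\<user>\AppData\Local\Temp\...
TEMP_PATH_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.IGNORECASE)
# "ping <no '&'> & del|erase [/switches] <path>": the ping is only a sleep.
PING_DEL_RE = re.compile(
    r'ping\b[^&]*&+\s*(?:del|erase)\b(?:\s+/\w+)*\s+"?([^"&]+?)"?\s*$',
    re.IGNORECASE,
)


@dataclass
class Hit:
    rule: str
    pid: int      # process that performed the action
    detail: str   # path the rule fired on


def run_value_target(details: str) -> str:
    """Return the executable path from a Run value ("C:\\a b.exe" /x or C:\\a.exe)."""
    d = details.strip()
    if d.startswith('"'):
        return d[1:].split('"', 1)[0]
    return d.split(" ", 1)[0]   # unquoted paths containing spaces are not handled


def temp_run_key(ev: dict) -> Optional[Hit]:
    """EventID 13 writing a Run value whose target is under AppData\\Local\\Temp."""
    if ev.get("EventID") != 13 or not RUN_KEY_RE.search(ev.get("TargetObject", "")):
        return None
    target = run_value_target(ev.get("Details", ""))
    return Hit("run_key_in_temp", ev["ProcessId"], target) if TEMP_PATH_RE.match(target) else None


def self_delete_cmd(ev: dict) -> Optional[Hit]:
    """cmd.exe running 'ping ... & del <path>'; self-delete when <path> is the parent image."""
    if ev.get("EventID") != 1 or ntpath.basename(ev.get("Image", "")).lower() != "cmd.exe":
        return None
    m = PING_DEL_RE.search(ev.get("CommandLine", ""))
    if not m:
        return None
    deleted = ntpath.normpath(m.group(1)).lower()
    parent = ntpath.normpath(ev.get("ParentImage", "")).lower()
    rule = "self_delete_via_ping" if deleted == parent else "delayed_delete_via_ping"
    return Hit(rule, ev["ProcessId"], deleted)


def hunt(events: List[dict]) -> List[Hit]:
    hits = [h for ev in events for chk in (temp_run_key, self_delete_cmd) if (h := chk(ev))]
    # Correlation: the Run value's target was also started as a child of the
    # process that wrote the key, i.e. drop, persist and execute in one chain.
    writer_image = {ev["ProcessId"]: ev["Image"].lower()
                    for ev in events if ev.get("EventID") == 13}
    for h in [h for h in hits if h.rule == "run_key_in_temp"]:
        for ev in events:
            if (ev.get("EventID") == 1
                    and ev.get("Image", "").lower() == h.detail.lower()
                    and ev.get("ParentImage", "").lower() == writer_image.get(h.pid)):
                hits.append(Hit("dropper_persists_and_launches", h.pid, ev["Image"]))
    return hits


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\a1fee89b08c2efed52dc1869e371d19c10813b9d64b9d48d53ab46475f08aa6e.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

# Constructed events mirroring the report's process tree and Run key (PIDs as reported),
# plus one benign Run value outside Temp that must not fire.
SAMPLE_EVENTS = [
    {"EventID": 13, "ProcessId": 3812, "Image": SAMPLE,
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "Details": DROPPED},
    {"EventID": 1, "ProcessId": 1824, "Image": DROPPED, "CommandLine": DROPPED,
     "ParentImage": SAMPLE},
    {"EventID": 1, "ProcessId": 3884, "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": '"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "' + SAMPLE + '"',
     "ParentImage": SAMPLE},
    {"EventID": 1, "ProcessId": 4872, "Image": r"C:\Windows\SysWOW64\PING.EXE",
     "CommandLine": "ping 127.0.0.1", "ParentImage": r"C:\Windows\SysWOW64\cmd.exe"},
    {"EventID": 13, "ProcessId": 5000, "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorTray",
     "Details": r"C:\Program Files\Vendor\tray.exe"},
]

if __name__ == "__main__":
    for h in hunt(SAMPLE_EVENTS):
        print(f"{h.rule:32} pid={h.pid} {h.detail}")
```

Run against the constructed events it yields three hits: run_key_in_temp and dropper_persists_and_launches for PID 3812, and self_delete_via_ping for PID 3884; the ping child and the benign vendor Run value produce nothing. The deleted path is compared with the parent image after ntpath.normpath and case folding, so a "del" aimed at some other file is reported separately as delayed_delete_via_ping instead of being silently dropped.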
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
- Filesize: 150KB
- MD5: 559d54cbde2f953ad5bdaf36a3b02660
- SHA1: 28f359c2b6c97b8a978990fc1f11ebc2c1e8388a
- SHA256: 3be5c83e65c254da3d2eee1e02b4f9d075970f0ebe2457aed5c3586c55924786
- SHA512: b8890880dc50e8127b9366034c05f525b199b130918e10a09326f0e3b1ed73bfbbd76c92721cc60b21e182919c72eb5a46f1b539c3988acdc728cc294a5f2812

memory/1824-124-0x0000000000000000-mapping.dmp
memory/3884-127-0x0000000000000000-mapping.dmp
memory/4872-128-0x0000000000000000-mapping.dmp