Analysis
max time kernel: 136s
max time network: 160s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 16-06-2022 07:40

Static task: static1

Behavioral task: behavioral1
  Sample: 26aeb4306d11fe8219e450cd26a8af73a8972e1675486cefb2a56bf2b2d04409.exe
  Resource: win7-20220414-en

Behavioral task: behavioral2
  Sample: 26aeb4306d11fe8219e450cd26a8af73a8972e1675486cefb2a56bf2b2d04409.exe
  Resource: win10v2004-20220414-en
General
Target: 26aeb4306d11fe8219e450cd26a8af73a8972e1675486cefb2a56bf2b2d04409.exe
Size: 79KB
MD5: 6623ef6b58ca25808463b629d56e4660
SHA1: a432c50373feb75ab0fb681c9f502a5e49fa43bd
SHA256: 26aeb4306d11fe8219e450cd26a8af73a8972e1675486cefb2a56bf2b2d04409
SHA512: ac58292418685528ae87db45f2e44bb92fc8ed61376939038e9ec2f2fd7ef162351564534f12c9dfd2cf203277316facccf53ef7d345c87acb48bca9f6d09fba
Malware Config

Signatures

Sakula Payload (2 IoCs)
Processes:
  resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  yara_rule: family_sakula
  resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  yara_rule: family_sakula

Executes dropped EXE (1 IoC)
Processes:
  pid: 2784  process: MediaCenter.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
  description: Key value queried  ioc: \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation  process: 26aeb4306d11fe8219e450cd26a8af73a8972e1675486cefb2a56bf2b2d04409.exe

Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  description: Set value (str)  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  process: 26aeb4306d11fe8219e450cd26a8af73a8972e1675486cefb2a56bf2b2d04409.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTP, 1 IoC)

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  description: Token: SeIncBasePriorityPrivilege  pid: 3188  process: 26aeb4306d11fe8219e450cd26a8af73a8972e1675486cefb2a56bf2b2d04409.exe

Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
  description: PID 3188 wrote to memory of 2784  pid: 3188  process: 26aeb4306d11fe8219e450cd26a8af73a8972e1675486cefb2a56bf2b2d04409.exe  target process: MediaCenter.exe
  description: PID 3188 wrote to memory of 2784  pid: 3188  process: 26aeb4306d11fe8219e450cd26a8af73a8972e1675486cefb2a56bf2b2d04409.exe  target process: MediaCenter.exe
  description: PID 3188 wrote to memory of 2784  pid: 3188  process: 26aeb4306d11fe8219e450cd26a8af73a8972e1675486cefb2a56bf2b2d04409.exe  target process: MediaCenter.exe
  description: PID 3188 wrote to memory of 2544  pid: 3188  process: 26aeb4306d11fe8219e450cd26a8af73a8972e1675486cefb2a56bf2b2d04409.exe  target process: cmd.exe
  description: PID 3188 wrote to memory of 2544  pid: 3188  process: 26aeb4306d11fe8219e450cd26a8af73a8972e1675486cefb2a56bf2b2d04409.exe  target process: cmd.exe
  description: PID 3188 wrote to memory of 2544  pid: 3188  process: 26aeb4306d11fe8219e450cd26a8af73a8972e1675486cefb2a56bf2b2d04409.exe  target process: cmd.exe
  description: PID 2544 wrote to memory of 4348  pid: 2544  process: cmd.exe  target process: PING.EXE
  description: PID 2544 wrote to memory of 4348  pid: 2544  process: cmd.exe  target process: PING.EXE
  description: PID 2544 wrote to memory of 4348  pid: 2544  process: cmd.exe  target process: PING.EXE
Processes

(depth 1) C:\Users\Admin\AppData\Local\Temp\26aeb4306d11fe8219e450cd26a8af73a8972e1675486cefb2a56bf2b2d04409.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\26aeb4306d11fe8219e450cd26a8af73a8972e1675486cefb2a56bf2b2d04409.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  (depth 2) C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE

  (depth 2) C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\26aeb4306d11fe8219e450cd26a8af73a8972e1675486cefb2a56bf2b2d04409.exe"
    - Suspicious use of WriteProcessMemory

    (depth 3) C:\Windows\SysWOW64\PING.EXE
      command line: ping 127.0.0.1
      - Runs ping.exe
Network

MITRE ATT&CK Matrix (ATT&CK v6)
Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  Filesize: 79KB
  MD5: 4d71496a303006aa0225c1d9ca3f5692
  SHA1: 60611502dccb563f61baf3d54eb4c2da83a05c29
  SHA256: e1a72800c96caa29d308243fc6992c12d81395c2c21ce89c891333f044a34af7
  SHA512: c3e33da555058b199a6eb6eaa8799945b88848fe9ae143fe417ce422cff98386c165092a2c1ccbed2025ee27e5b1e0d9ba2f7125c2ff3439c43c1224e772b22a
memory/2544-133-0x0000000000000000-mapping.dmp
memory/2784-130-0x0000000000000000-mapping.dmp
memory/4348-134-0x0000000000000000-mapping.dmp