Analysis
  max time kernel: 121s
  max time network: 135s
  platform: windows10-2004_x64
  resource: win10v2004-20220812-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 07-10-2022 07:00
Behavioral task: behavioral1
  Sample: 10fa04bbf25570d83c37d5b7008fe85d.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: 10fa04bbf25570d83c37d5b7008fe85d.exe
  Resource: win10v2004-20220812-en
General
  Target: 10fa04bbf25570d83c37d5b7008fe85d.exe
  Size: 88KB
  MD5: 10fa04bbf25570d83c37d5b7008fe85d
  SHA1: 7f6c136b0cc97cfdd0ba5e27ec03a0ea4c87193f
  SHA256: e84e3f69364a3aa00fee5e5f24744d77ac01c026b004756ca65e19a891f4de54
  SHA512: 8fbab615e94f86612ce7e696e6f5a0457c9a0c18ccaa286b4769315350861e14e125041b828d22a3abcfbe727020d414577e70a522bfb29b9221683ebd562612
  SSDEEP: 1536:Boaj1hJL1S9t0MIeboal8bCKxo7h0RP0jwHVz30rtroyPTEzg:y0hpgz6xGhTjwHN30BEybEk
Malware Config
Signatures

Sakula payload (2 IoCs)
  Processes:
    resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe    yara_rule: family_sakula
    resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe    yara_rule: family_sakula

Executes dropped EXE (1 IoC)
  Processes:
    pid: 1304    process: MediaCenter.exe

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    description: Key value queried
    ioc: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation
    process: 10fa04bbf25570d83c37d5b7008fe85d.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    description: Set value (str)
    ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
    process: 10fa04bbf25570d83c37d5b7008fe85d.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTP, 1 IoC)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description: Token: SeIncBasePriorityPrivilege    pid: 568    process: 10fa04bbf25570d83c37d5b7008fe85d.exe

Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (description / pid / process / target process):
    PID 568 wrote to memory of 1304    568    10fa04bbf25570d83c37d5b7008fe85d.exe    MediaCenter.exe
    PID 568 wrote to memory of 1304    568    10fa04bbf25570d83c37d5b7008fe85d.exe    MediaCenter.exe
    PID 568 wrote to memory of 1304    568    10fa04bbf25570d83c37d5b7008fe85d.exe    MediaCenter.exe
    PID 568 wrote to memory of 3740    568    10fa04bbf25570d83c37d5b7008fe85d.exe    cmd.exe
    PID 568 wrote to memory of 3740    568    10fa04bbf25570d83c37d5b7008fe85d.exe    cmd.exe
    PID 568 wrote to memory of 3740    568    10fa04bbf25570d83c37d5b7008fe85d.exe    cmd.exe
    PID 3740 wrote to memory of 900    3740    cmd.exe    PING.EXE
    PID 3740 wrote to memory of 900    3740    cmd.exe    PING.EXE
    PID 3740 wrote to memory of 900    3740    cmd.exe    PING.EXE
Processes
  [depth 1] C:\Users\Admin\AppData\Local\Temp\10fa04bbf25570d83c37d5b7008fe85d.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\10fa04bbf25570d83c37d5b7008fe85d.exe"
    - Checks computer location settings
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    [depth 2] C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE
    [depth 2] C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\10fa04bbf25570d83c37d5b7008fe85d.exe"
      - Suspicious use of WriteProcessMemory
      [depth 3] C:\Windows\SysWOW64\PING.EXE
        Command line: ping 127.0.0.1
        - Runs ping.exe
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Filesize: 88KB
    MD5: 77719122bb497f01b4cc6c1a02e9c894
    SHA1: b19a9f9502ce8c50bb5bcb8a926b89be29b1e9c5
    SHA256: 24ae1f2c41fbdcb93315414892600236d83c0b4e96dac299f3a89d05c3e73202
    SHA512: f76765230987bce5951f714cb22b80e80250eb41a13c5cf598ccb5d665be45f7b0551219e2d7a415fc27e92004dca6ff38a6a6c534e6fb4bc886777473d2535a
  memory/900-136-0x0000000000000000-mapping.dmp
  memory/1304-132-0x0000000000000000-mapping.dmp
  memory/3740-135-0x0000000000000000-mapping.dmp