Analysis
max time kernel: 116s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-10-2022 02:36
Behavioral task: behavioral1
Sample: 10fa04bbf25570d83c37d5b7008fe85d.exe
Resource: win7-20220812-en
Behavioral task: behavioral2
Sample: 10fa04bbf25570d83c37d5b7008fe85d.exe
Resource: win10v2004-20220812-en
General
Target: 10fa04bbf25570d83c37d5b7008fe85d.exe
Size: 88KB
MD5: 10fa04bbf25570d83c37d5b7008fe85d
SHA1: 7f6c136b0cc97cfdd0ba5e27ec03a0ea4c87193f
SHA256: e84e3f69364a3aa00fee5e5f24744d77ac01c026b004756ca65e19a891f4de54
SHA512: 8fbab615e94f86612ce7e696e6f5a0457c9a0c18ccaa286b4769315350861e14e125041b828d22a3abcfbe727020d414577e70a522bfb29b9221683ebd562612
SSDEEP: 1536:Boaj1hJL1S9t0MIeboal8bCKxo7h0RP0jwHVz30rtroyPTEzg:y0hpgz6xGhTjwHN30BEybEk
Malware Config
Signatures
-
Sakula payload (2 IoCs)
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
Executes dropped EXE (1 IoC)
Processes:
pid | process
3840 | MediaCenter.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | 10fa04bbf25570d83c37d5b7008fe85d.exe
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 10fa04bbf25570d83c37d5b7008fe85d.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe (1 TTP, 1 IoC)
-
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
description | pid | process
Token: SeIncBasePriorityPrivilege | 1800 | 10fa04bbf25570d83c37d5b7008fe85d.exe
Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
description | source pid | source process | target pid | target process
PID 1800 wrote to memory of 3840 | 1800 | 10fa04bbf25570d83c37d5b7008fe85d.exe | 3840 | MediaCenter.exe
PID 1800 wrote to memory of 3840 | 1800 | 10fa04bbf25570d83c37d5b7008fe85d.exe | 3840 | MediaCenter.exe
PID 1800 wrote to memory of 3840 | 1800 | 10fa04bbf25570d83c37d5b7008fe85d.exe | 3840 | MediaCenter.exe
PID 1800 wrote to memory of 3384 | 1800 | 10fa04bbf25570d83c37d5b7008fe85d.exe | 3384 | cmd.exe
PID 1800 wrote to memory of 3384 | 1800 | 10fa04bbf25570d83c37d5b7008fe85d.exe | 3384 | cmd.exe
PID 1800 wrote to memory of 3384 | 1800 | 10fa04bbf25570d83c37d5b7008fe85d.exe | 3384 | cmd.exe
PID 3384 wrote to memory of 3412 | 3384 | cmd.exe | 3412 | PING.EXE
PID 3384 wrote to memory of 3412 | 3384 | cmd.exe | 3412 | PING.EXE
PID 3384 wrote to memory of 3412 | 3384 | cmd.exe | 3412 | PING.EXE
Processes
C:\Users\Admin\AppData\Local\Temp\10fa04bbf25570d83c37d5b7008fe85d.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\10fa04bbf25570d83c37d5b7008fe85d.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (depth 2)
    command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  C:\Windows\SysWOW64\cmd.exe (depth 2)
    command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\10fa04bbf25570d83c37d5b7008fe85d.exe"
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\PING.EXE (depth 3)
      command line: ping 127.0.0.1
      - Runs ping.exe
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Filesize: 88KB
MD5: a0e87a3e61eab892a7abcc03afef4a78
SHA1: 43512147b7c45f536ca1866da224db904f536879
SHA256: 6ad258500767c04c0565ec88026caa01a82378cda963d06035bbf467a016f211
SHA512: fc2a91cb70aad43a90b03da685febd4a20bd1597261418cca068fa3e8c345c81aed645c7d045ba3abeca8a87e458098c92f28cb2927fd5c166c7ebd1d77df643
Memory dumps:
memory/3384-135-0x0000000000000000-mapping.dmp
memory/3412-136-0x0000000000000000-mapping.dmp
memory/3840-132-0x0000000000000000-mapping.dmp