Analysis
- max time kernel: 145s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12-10-2022 16:33
Behavioral task behavioral1
- Sample: 82334fde2fa92edf636d8885d542627f98aa326cf50df9b0f124229d8d857b11.exe
- Resource: win7-20220812-en
Behavioral task behavioral2
- Sample: 82334fde2fa92edf636d8885d542627f98aa326cf50df9b0f124229d8d857b11.exe
- Resource: win10v2004-20220901-en
General
- Target: 82334fde2fa92edf636d8885d542627f98aa326cf50df9b0f124229d8d857b11.exe
- Size: 89KB
- MD5: 3cae1b420842e5bc4098dffac0dd44fa
- SHA1: 321be89ffb70aa7c4cccfdb80df413b1c76c2230
- SHA256: 82334fde2fa92edf636d8885d542627f98aa326cf50df9b0f124229d8d857b11
- SHA512: 838f25841dc233671dd007b94c871ef0bb42b6efff66ecf4a079e9cd406ecbc228fe4050702f14224d4d46e50905f6fab9a6e02f35c7904bc8f74563c8e2d1c8
- SSDEEP: 1536:voaj1hJL1S9t0MIeboal8bCKxo7h0RP0jwHVz30rtroWuxzug:Q0hpgz6xGhTjwHN30BE3D
Malware Config
Signatures
- Sakula payload (2 IoCs)
  Processes:
    resource | yara_rule
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- Executes dropped EXE (1 IoC)
  Processes:
    pid | process
    4792 | MediaCenter.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    description | ioc | process
    Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | 82334fde2fa92edf636d8885d542627f98aa326cf50df9b0f124229d8d857b11.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    description | ioc | process
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 82334fde2fa92edf636d8885d542627f98aa326cf50df9b0f124229d8d857b11.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description | pid | process
    Token: SeIncBasePriorityPrivilege | 5008 | 82334fde2fa92edf636d8885d542627f98aa326cf50df9b0f124229d8d857b11.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
    description | pid | process | target process
    PID 5008 wrote to memory of 4792 | 5008 | 82334fde2fa92edf636d8885d542627f98aa326cf50df9b0f124229d8d857b11.exe | MediaCenter.exe
    PID 5008 wrote to memory of 4792 | 5008 | 82334fde2fa92edf636d8885d542627f98aa326cf50df9b0f124229d8d857b11.exe | MediaCenter.exe
    PID 5008 wrote to memory of 4792 | 5008 | 82334fde2fa92edf636d8885d542627f98aa326cf50df9b0f124229d8d857b11.exe | MediaCenter.exe
    PID 5008 wrote to memory of 2836 | 5008 | 82334fde2fa92edf636d8885d542627f98aa326cf50df9b0f124229d8d857b11.exe | cmd.exe
    PID 5008 wrote to memory of 2836 | 5008 | 82334fde2fa92edf636d8885d542627f98aa326cf50df9b0f124229d8d857b11.exe | cmd.exe
    PID 5008 wrote to memory of 2836 | 5008 | 82334fde2fa92edf636d8885d542627f98aa326cf50df9b0f124229d8d857b11.exe | cmd.exe
    PID 2836 wrote to memory of 4492 | 2836 | cmd.exe | PING.EXE
    PID 2836 wrote to memory of 4492 | 2836 | cmd.exe | PING.EXE
    PID 2836 wrote to memory of 4492 | 2836 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\82334fde2fa92edf636d8885d542627f98aa326cf50df9b0f124229d8d857b11.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\82334fde2fa92edf636d8885d542627f98aa326cf50df9b0f124229d8d857b11.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\82334fde2fa92edf636d8885d542627f98aa326cf50df9b0f124229d8d857b11.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (depth 3)
      Command line: ping 127.0.0.1
      - Runs ping.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  Filesize: 89KB
  MD5: 727665c7349d6cff3367b40d2e23163c
  SHA1: ecc90f7722cbff9a5d674e3cb20bf0c1e7a05a5b
  SHA256: 63335ee7068a4ec5844eb9806ab98452ad57d94a096cfa4c08fac9787a7ee4b5
  SHA512: 8647c9c536c0e221c633836964e268e4102535ae8f6fcace3f69baeb30a423c303667f94d32f4351b8fddefa80414e523d703a118824396f0ba3f51f2536c8c3
- memory/2836-135-0x0000000000000000-mapping.dmp
- memory/4492-136-0x0000000000000000-mapping.dmp
- memory/4792-132-0x0000000000000000-mapping.dmp