Analysis
max time kernel: 162s
max time network: 183s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12-10-2022 15:57
Behavioral task behavioral1
Sample: 1f6999433b7ac1b5e41d71c0922e6472cce3b19665da1da5c9c76c64fbda97fb.exe
Resource: win7-20220812-en
Behavioral task behavioral2
Sample: 1f6999433b7ac1b5e41d71c0922e6472cce3b19665da1da5c9c76c64fbda97fb.exe
Resource: win10v2004-20220812-en
The signatures, process tree and downloads below are from behavioral2 (platform windows10-2004_x64, resource win10v2004-20220812-en, as stated in the Analysis header).
General
Target: 1f6999433b7ac1b5e41d71c0922e6472cce3b19665da1da5c9c76c64fbda97fb.exe
Size: 88KB
MD5: 2891e37bed6d36ec6c9b3bcc5835e313
SHA1: 5cf55d05e3d6499f5cfd2ff460886029eb507cfd
SHA256: 1f6999433b7ac1b5e41d71c0922e6472cce3b19665da1da5c9c76c64fbda97fb
SHA512: de98b2f8ebdfac9bd04680b3d69230d6dc8428b1df6237651c93e06e4664cd795e5d059fc28fd38df5d4e78f981ac3557f321b2886acda0581371999d185b07d
SSDEEP: 1536:Boaj1hJL1S9t0MIeboal8bCKxo7h0RP0jwHVz30rtro1PTEzh:y0hpgz6xGhTjwHN30BE1bEl
Malware Config
Signatures
-
Sakula payload (2 IoCs)
resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  yara_rule: family_sakula
resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  yara_rule: family_sakula
Executes dropped EXE (1 IoC)
pid 4752  MediaCenter.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check.
Key value queried: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation  by 1f6999433b7ac1b5e41d71c0922e6472cce3b19665da1da5c9c76c64fbda97fb.exe
Adds Run key to start application (2 TTPs, 1 IoC)
Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  by 1f6999433b7ac1b5e41d71c0922e6472cce3b19665da1da5c9c76c64fbda97fb.exe
The sample is 32-bit (resource tag arch:x86; its cmd.exe child is spawned from SysWOW64), so its write to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run is redirected to the WOW6432Node view on this x64 host. When hunting for this persistence entry, query both the native and the WOW6432Node Run keys.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The "likely ransomware behaviour" wording is the sandbox's generic description for this signature; nothing else in this report (no file encryption, no mass file writes) supports a ransomware classification, so read it as environment enumeration by the dropper.
-
Runs ping.exe (1 TTP, 1 IoC)
ping 127.0.0.1 is run by the cmd.exe child as a short delay before it deletes the dropper (see the process tree below); there is no outbound network activity behind this signature.
-
Suspicious use of AdjustPrivilegeToken (1 IoC)
Token: SeIncBasePriorityPrivilege  pid 4736  1f6999433b7ac1b5e41d71c0922e6472cce3b19665da1da5c9c76c64fbda97fb.exe
Suspicious use of WriteProcessMemory (9 IoCs)
PID 4736 (1f6999433b7ac1b5e41d71c0922e6472cce3b19665da1da5c9c76c64fbda97fb.exe) wrote to memory of 4752 (MediaCenter.exe), 3 times
PID 4736 (1f6999433b7ac1b5e41d71c0922e6472cce3b19665da1da5c9c76c64fbda97fb.exe) wrote to memory of 4472 (cmd.exe), 3 times
PID 4472 (cmd.exe) wrote to memory of 4308 (PING.EXE), 3 times
Every target is a child the writer itself had just created (the PIDs match the process tree below), which is consistent with ordinary process start-up; this report shows no write into a process the sample did not spawn, so it is not evidence of injection into an existing process.
Processes
- PID 4736  C:\Users\Admin\AppData\Local\Temp\1f6999433b7ac1b5e41d71c0922e6472cce3b19665da1da5c9c76c64fbda97fb.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\1f6999433b7ac1b5e41d71c0922e6472cce3b19665da1da5c9c76c64fbda97fb.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - PID 4752  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - PID 4472  C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\1f6999433b7ac1b5e41d71c0922e6472cce3b19665da1da5c9c76c64fbda97fb.exe"
    - Suspicious use of WriteProcessMemory
    - PID 4308  C:\Windows\SysWOW64\PING.EXE
      command line: ping 127.0.0.1
      - Runs ping.exe
The tree shows the full chain: the dropper starts the dropped MediaCenter.exe, then spawns cmd.exe to wait on a loopback ping and delete its own image. The cmd.exe command line names System32 while the image actually runs from SysWOW64, which is file-system redirection for a 32-bit parent, not a spoofed path.
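The two host artefacts this report records are detectable from ordinary endpoint telemetry: a Run value (in either registry view) pointing into the user's Temp directory, and a cmd.exe launched with the "ping 127.0.0.1 & del /q <path>" self-deletion idiom where the deleted path is the parent's own image. The following detection logic is an added example written for this page, not code from Tria.ge or from the sample. It assumes Sysmon-style field names (EventID 1 and 13, Image, CommandLine, ParentImage, TargetObject, Details, Hashes); the event records are constructed to mirror the process tree above, with placeholder hashes for cmd.exe and ping.exe.

```python
"""Detect the persistence and self-deletion behaviour recorded in this report.

Added example, not part of the original page or the sample. Input is a list of
Sysmon-like dicts (assumption: EventID 1 = process create, 13 = registry set).
"""
import re
from dataclasses import dataclass

# Run key in either the native or the WOW6432Node view; the report shows the
# kernel-style \REGISTRY\MACHINE prefix, Sysmon would show HKLM.
RUN_KEY_RE = re.compile(
    r"^(HKLM|\\REGISTRY\\MACHINE)\\SOFTWARE\\(WOW6432Node\\)?"
    r"Microsoft\\Windows\\CurrentVersion\\Run\\",
    re.IGNORECASE,
)
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
# cmd.exe /c ping 127.0.0.1 & del /q "<file>"  (delay, then delete)
SELF_DELETE_RE = re.compile(
    r'ping\s+127\.0\.0\.1.*?&\s*del\s+/q\s+"?(?P<target>[^"&]+?)"?\s*$',
    re.IGNORECASE,
)
# SHA256 values from the report: the submitted dropper and the dropped MediaCenter.exe.
KNOWN_SHA256 = {
    "1f6999433b7ac1b5e41d71c0922e6472cce3b19665da1da5c9c76c64fbda97fb",
    "a63eb1f44d1e7933936a6271b1fd104b4a308983b974369afa47699ad729aea0",
}


@dataclass
class Alert:
    rule: str
    pid: int
    detail: str


def check_event(ev: dict) -> list:
    """Apply the three checks to one event and return zero or more alerts."""
    alerts = []
    eid = ev.get("EventID")
    if eid == 13:  # registry value set
        tgt = ev.get("TargetObject", "")
        if RUN_KEY_RE.match(tgt) and TEMP_RE.search(ev.get("Details", "")):
            alerts.append(Alert("run_key_to_temp", ev["ProcessId"], f"{tgt} = {ev['Details']}"))
    elif eid == 1:  # process creation
        cmd = ev.get("CommandLine", "")
        m = SELF_DELETE_RE.search(cmd)
        if m and ev.get("Image", "").lower().endswith("\\cmd.exe"):
            # Self-deletion proper only when the deleted file is the parent's image.
            target = m.group("target").strip().lower()
            parent = ev.get("ParentImage", "").lower()
            tag = "self_delete_parent" if target == parent else "delayed_delete"
            alerts.append(Alert(tag, ev["ProcessId"], cmd))
        if ev.get("Hashes", {}).get("SHA256", "").lower() in KNOWN_SHA256:
            alerts.append(Alert("known_sakula_hash", ev["ProcessId"], ev["Image"]))
    return alerts


def scan(events: list) -> list:
    out = []
    for ev in events:
        out.extend(check_event(ev))
    return out


# Constructed events mirroring the report's process tree (PIDs and paths from the report;
# "0"*64 is a placeholder hash for the system binaries).
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\1f6999433b7ac1b5e41d71c0922e6472cce3b19665da1da5c9c76c64fbda97fb.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 4736, "Image": DROPPER, "CommandLine": f'"{DROPPER}"',
     "ParentImage": r"C:\Windows\explorer.exe",
     "Hashes": {"SHA256": "1f6999433b7ac1b5e41d71c0922e6472cce3b19665da1da5c9c76c64fbda97fb"}},
    {"EventID": 13, "ProcessId": 4736, "Image": DROPPER,
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "Details": DROPPED},
    {"EventID": 1, "ProcessId": 4752, "Image": DROPPED, "CommandLine": DROPPED,
     "ParentImage": DROPPER,
     "Hashes": {"SHA256": "a63eb1f44d1e7933936a6271b1fd104b4a308983b974369afa47699ad729aea0"}},
    {"EventID": 1, "ProcessId": 4472, "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{DROPPER}"',
     "ParentImage": DROPPER, "Hashes": {"SHA256": "0" * 64}},
    {"EventID": 1, "ProcessId": 4308, "Image": r"C:\Windows\SysWOW64\PING.EXE",
     "CommandLine": "ping 127.0.0.1", "ParentImage": r"C:\Windows\SysWOW64\cmd.exe",
     "Hashes": {"SHA256": "0" * 64}},
]

if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"[{a.rule}] pid={a.pid} {a.detail}")
```

The behavioural rules (run_key_to_temp, self_delete_parent) are the durable ones; the hash match is included only because the report supplies the values, and a rebuilt dropper will not trip it. The parent-image comparison is what separates genuine self-deletion from installers that legitimately remove a temporary file after a ping delay.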
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  Filesize: 88KB
  MD5: 23c8e641882ed3f0e6c729e4c8c03d7b
  SHA1: daee1c5a70408a4ba9539d4bca8e5a5447143fa4
  SHA256: a63eb1f44d1e7933936a6271b1fd104b4a308983b974369afa47699ad729aea0
  SHA512: 7235a97955090db1d78287d47b064181a4acf0e09a144fc81fe98191c9fbb0212593ece4e827b6e03653afbb11b862a11675dc49d853e4962ab37eb589fccee9
  The dropped file has the same size as the submitted dropper (88KB) but different hashes, so it is not a byte-identical copy; hunt on both sets of hashes.
- memory/4308-136-0x0000000000000000-mapping.dmp
- memory/4472-135-0x0000000000000000-mapping.dmp
- memory/4752-132-0x0000000000000000-mapping.dmp