Analysis
max time kernel: 150s
max time network: 131s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17-10-2022 08:34
Behavioral task: behavioral1
Sample: d496522fd93ca1cb2bca9979b7868a39cbfb534ba328136a1d674dd8e88cd497.exe
Resource: win7-20220901-en
Behavioral task: behavioral2
Sample: d496522fd93ca1cb2bca9979b7868a39cbfb534ba328136a1d674dd8e88cd497.exe
Resource: win10v2004-20220812-en
General
Target: d496522fd93ca1cb2bca9979b7868a39cbfb534ba328136a1d674dd8e88cd497.exe
Size: 222KB
MD5: a999566216b6111e7e3a79cc38ea7275
SHA1: e7128d2bf65d01607ce1f636b99c8efeb08828f0
SHA256: d496522fd93ca1cb2bca9979b7868a39cbfb534ba328136a1d674dd8e88cd497
SHA512: 445ca5235b0abe97b495cea68e5c5f805b096c8224a9622770ff5d289321a669a9ab90c90f22c56d9f145853eacac4be21d6391b46ee12ae061c8b639c877d2e
SSDEEP: 6144:n29qRfVSnfj30BmhqC8WSr24AyqaLjLj64fm:zRfQniC8WSa4C6L2wm
Malware Config
Signatures
-
Sakula payload 2 IoCs
Processes:
resource                                                        yara_rule
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe    family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe    family_sakula
Executes dropped EXE 1 IoCs
Processes:
pid   process
4884  MediaCenter.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description        ioc                                                                                                  process
Key value queried  \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation  d496522fd93ca1cb2bca9979b7868a39cbfb534ba328136a1d674dd8e88cd497.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description      ioc                                                                                                                                                                    process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  d496522fd93ca1cb2bca9979b7868a39cbfb534ba328136a1d674dd8e88cd497.exe
The value lands under WOW6432Node because a 32-bit process writing HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run on 64-bit Windows is redirected there by the registry reflector; when hunting for this persistence on x64 hosts, query both the native and the WOW6432Node Run keys. Writing to the HKLM hive requires an elevated token, which the sandbox's Admin user provides.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
This is the sandbox's generic description for the signature; no process IoCs were recorded for it, and nothing else in this report (no file encryption, no ransom note) supports ransomware behaviour for this Sakula sample.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
description                         pid   process
Token: SeIncBasePriorityPrivilege   1184  d496522fd93ca1cb2bca9979b7868a39cbfb534ba328136a1d674dd8e88cd497.exe
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
description                        pid   process                                                                  target pid  target process
PID 1184 wrote to memory of 4884   1184  d496522fd93ca1cb2bca9979b7868a39cbfb534ba328136a1d674dd8e88cd497.exe   4884        MediaCenter.exe
PID 1184 wrote to memory of 4884   1184  d496522fd93ca1cb2bca9979b7868a39cbfb534ba328136a1d674dd8e88cd497.exe   4884        MediaCenter.exe
PID 1184 wrote to memory of 4884   1184  d496522fd93ca1cb2bca9979b7868a39cbfb534ba328136a1d674dd8e88cd497.exe   4884        MediaCenter.exe
PID 1184 wrote to memory of 3608   1184  d496522fd93ca1cb2bca9979b7868a39cbfb534ba328136a1d674dd8e88cd497.exe   3608        cmd.exe
PID 1184 wrote to memory of 3608   1184  d496522fd93ca1cb2bca9979b7868a39cbfb534ba328136a1d674dd8e88cd497.exe   3608        cmd.exe
PID 1184 wrote to memory of 3608   1184  d496522fd93ca1cb2bca9979b7868a39cbfb534ba328136a1d674dd8e88cd497.exe   3608        cmd.exe
PID 3608 wrote to memory of 2404   3608  cmd.exe                                                                  2404        PING.EXE
PID 3608 wrote to memory of 2404   3608  cmd.exe                                                                  2404        PING.EXE
PID 3608 wrote to memory of 2404   3608  cmd.exe                                                                  2404        PING.EXE
Processes
1. C:\Users\Admin\AppData\Local\Temp\d496522fd93ca1cb2bca9979b7868a39cbfb534ba328136a1d674dd8e88cd497.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\d496522fd93ca1cb2bca9979b7868a39cbfb534ba328136a1d674dd8e88cd497.exe"
   - Checks computer location settings
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\d496522fd93ca1cb2bca9979b7868a39cbfb534ba328136a1d674dd8e88cd497.exe"
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\PING.EXE
         Command line: ping 127.0.0.1
         - Runs ping.exe

Note on the tree: the dropper requests cmd.exe by its System32 path, but the image that actually ran is under SysWOW64, so the dropper is a 32-bit process subject to file-system redirection on this x64 image (consistent with the Run key being written under WOW6432Node). The ping 127.0.0.1 is a loop-back delay, not network activity; it gives the dropper time to exit before del /q removes the original file, which is why the submitted executable does not survive on disk while the dropped MediaCenter.exe does. Detection logic should match on the cmd.exe command line, not on the image path, since the latter differs between 32-bit and 64-bit parents.
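The two host-side behaviours in this report that are worth turning into detections are the Run key write recorded under Signatures and the cmd.exe / ping 127.0.0.1 / del /q self-delete chain in the process tree above. The following Python is an added example written for this page, not code from the sandbox or from the Sakula sample: the event dictionaries are a constructed, hypothetical record schema populated with this report's own PIDs, paths and command lines, and the field names, rule names and severity labels are assumptions.

```python
import re

# Constructed sample events mirroring this report's process tree and registry
# IoC. The schema (type/pid/ppid/image/cmdline/key/data) is hypothetical.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 1184, "ppid": 0,
     "image": r"C:\Users\Admin\AppData\Local\Temp\d496522fd93ca1cb2bca9979b7868a39cbfb534ba328136a1d674dd8e88cd497.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\d496522fd93ca1cb2bca9979b7868a39cbfb534ba328136a1d674dd8e88cd497.exe"'},
    {"type": "registry", "pid": 1184,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "data": r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"},
    {"type": "process", "pid": 4884, "ppid": 1184,
     "image": r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe",
     "cmdline": r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"},
    {"type": "process", "pid": 3608, "ppid": 1184,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\d496522fd93ca1cb2bca9979b7868a39cbfb534ba328136a1d674dd8e88cd497.exe"'},
    {"type": "process", "pid": 2404, "ppid": 3608,
     "image": r"C:\Windows\SysWOW64\PING.EXE", "cmdline": "ping 127.0.0.1"},
]

# Matches both the native and the WOW6432Node Run / RunOnce keys, whichever
# hive prefix the event source uses.
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
# Autostart entries pointing into the user's temp directory are rarely legitimate.
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
# "cmd /c ping <host> ... & del [/switches] <file>": the ping is a delay so the
# parent can exit before its own binary is deleted. Matching on the command line
# rather than the image path is deliberate, because a 32-bit parent makes the
# image resolve to SysWOW64 while the command line still says System32.
SELF_DELETE_RE = re.compile(
    r"""cmd(\.exe)?"?\s+/c\s+ping\s+\S+.*?&\s*del\s+(?:/\S+\s+)*"?(?P<target>[^"&]+?)"?\s*$""",
    re.I,
)


def detect(events):
    """Return (rule, pid, severity, detail) findings for the given events."""
    by_pid = {e["pid"]: e for e in events if e["type"] == "process"}
    findings = []
    for e in events:
        if e["type"] == "registry" and RUN_KEY_RE.search(e["key"]):
            severity = "high" if TEMP_RE.search(e["data"]) else "medium"
            findings.append(("run_key_persistence", e["pid"], severity, e["data"]))
        elif e["type"] == "process":
            m = SELF_DELETE_RE.search(e["cmdline"])
            if m:
                target = m.group("target").strip()
                parent = by_pid.get(e["ppid"])
                # Raise severity when the deleted file is the parent's own image:
                # that is the dropper erasing itself, as in this report.
                deletes_parent = parent is not None and target.lower() == parent["image"].lower()
                severity = "high" if deletes_parent else "medium"
                findings.append(("ping_delay_self_delete", e["pid"], severity, target))
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(*finding)
```

Run against the constructed events, `detect()` reports the WOW6432Node Run value as high-severity persistence (it points into AppData\Local\Temp) and flags cmd.exe PID 3608 as a high-severity self-delete because the del target is exactly the parent's image path; the PING.EXE child on its own produces nothing, which keeps ordinary `ping` usage out of the results.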
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Filesize: 222KB
MD5: 199a959fb19179dee662462e52b54fc1
SHA1: fab73d3e629054524c4cd5a4c493fb7480bb8eea
SHA256: 93de6a5b3a4ccfca4202497876eb7f945cbc358643ca195b8145e5c107cf84c7
SHA512: be73c7eea49ace0340268a65ba90054076c2faf5fdb30d009b8cbf543eef62c6a14c999e47b8a606579c0c54c7126d702249a0039a8ed84326378dc26ebc7659
The dropped MediaCenter.exe reports the same rounded size as the submitted sample but different hashes, so it is not a byte-for-byte copy of the dropper; both SHA256 values should be tracked as indicators, and the dropped file is the one that persists via the Run key after the original deletes itself.
-
memory/2404-136-0x0000000000000000-mapping.dmp
-
memory/3608-135-0x0000000000000000-mapping.dmp
-
memory/4884-132-0x0000000000000000-mapping.dmp