Analysis
-
max time kernel
135s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
18-10-2022 01:30
Static task
static1
Behavioral task
behavioral1
Sample
1a81e9a720d63a7e5534fa8101daacfb89fceb1cbd2dc53be16d9f27651bd137.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
1a81e9a720d63a7e5534fa8101daacfb89fceb1cbd2dc53be16d9f27651bd137.exe
Resource
win10v2004-20220812-en
General
-
Target
1a81e9a720d63a7e5534fa8101daacfb89fceb1cbd2dc53be16d9f27651bd137.exe
-
Size
60KB
-
MD5
2d86ea35b749cd52aeff4d266e16fa76
-
SHA1
13ddadc253699a608d66b473c4bb1cbb03d7ceb2
-
SHA256
1a81e9a720d63a7e5534fa8101daacfb89fceb1cbd2dc53be16d9f27651bd137
-
SHA512
4f670c031458ab0747a86f4af09c620ed9bce0e216b8732ef2b1e74f415f6d9463e55087c5bc4afd413e8c695478af51123d22e3fbff37f2b2663ccff42e7886
-
SSDEEP
1536:iZioIoCwbYP4nuEApQK4TQbtY2gA9DX+ytBO8c3G3eTJ/a:iEoIlwIguEA4c5DgA9DOyq0eFi
Malware Config
Signatures
-
Sakula payload 4 IoCs
Processes:
resource yara_rule behavioral2/memory/4252-135-0x0000000000400000-0x000000000041A000-memory.dmp family_sakula behavioral2/memory/4976-136-0x0000000000400000-0x000000000041A000-memory.dmp family_sakula behavioral2/memory/4976-137-0x0000000000400000-0x000000000041A000-memory.dmp family_sakula behavioral2/memory/4252-139-0x0000000000400000-0x000000000041A000-memory.dmp family_sakula -
Executes dropped EXE 1 IoCs
Processes:
MediaCenter.exepid process 4976 MediaCenter.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
1a81e9a720d63a7e5534fa8101daacfb89fceb1cbd2dc53be16d9f27651bd137.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation 1a81e9a720d63a7e5534fa8101daacfb89fceb1cbd2dc53be16d9f27651bd137.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
1a81e9a720d63a7e5534fa8101daacfb89fceb1cbd2dc53be16d9f27651bd137.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" 1a81e9a720d63a7e5534fa8101daacfb89fceb1cbd2dc53be16d9f27651bd137.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
1a81e9a720d63a7e5534fa8101daacfb89fceb1cbd2dc53be16d9f27651bd137.exedescription pid process Token: SeIncBasePriorityPrivilege 4252 1a81e9a720d63a7e5534fa8101daacfb89fceb1cbd2dc53be16d9f27651bd137.exe -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
1a81e9a720d63a7e5534fa8101daacfb89fceb1cbd2dc53be16d9f27651bd137.execmd.exedescription pid process target process PID 4252 wrote to memory of 4976 4252 1a81e9a720d63a7e5534fa8101daacfb89fceb1cbd2dc53be16d9f27651bd137.exe MediaCenter.exe PID 4252 wrote to memory of 4976 4252 1a81e9a720d63a7e5534fa8101daacfb89fceb1cbd2dc53be16d9f27651bd137.exe MediaCenter.exe PID 4252 wrote to memory of 4976 4252 1a81e9a720d63a7e5534fa8101daacfb89fceb1cbd2dc53be16d9f27651bd137.exe MediaCenter.exe PID 4252 wrote to memory of 1836 4252 1a81e9a720d63a7e5534fa8101daacfb89fceb1cbd2dc53be16d9f27651bd137.exe cmd.exe PID 4252 wrote to memory of 1836 4252 1a81e9a720d63a7e5534fa8101daacfb89fceb1cbd2dc53be16d9f27651bd137.exe cmd.exe PID 4252 wrote to memory of 1836 4252 1a81e9a720d63a7e5534fa8101daacfb89fceb1cbd2dc53be16d9f27651bd137.exe cmd.exe PID 1836 wrote to memory of 3276 1836 cmd.exe PING.EXE PID 1836 wrote to memory of 3276 1836 cmd.exe PING.EXE PID 1836 wrote to memory of 3276 1836 cmd.exe PING.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\1a81e9a720d63a7e5534fa8101daacfb89fceb1cbd2dc53be16d9f27651bd137.exe"C:\Users\Admin\AppData\Local\Temp\1a81e9a720d63a7e5534fa8101daacfb89fceb1cbd2dc53be16d9f27651bd137.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4252 -
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeC:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe2⤵
- Executes dropped EXE
PID:4976 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\1a81e9a720d63a7e5534fa8101daacfb89fceb1cbd2dc53be16d9f27651bd137.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:1836 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.13⤵
- Runs ping.exe
PID:3276
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeFilesize
60KB
MD5368d6cf63990b33361f17c6fd4207b66
SHA12a21c172c32a3ebfe40ccf0679156b696c2ab3ef
SHA25660c306fd67449c3b6246861da5758e486837d3d3facc839b5bba70fe00dfc014
SHA51259d5abfb978f2fcd6a0510da339cd044c3c78a064d239dee00b517f4f23089a5af480a79f0b525e5a268f913cb3fc4faed8bc78da32a4a110d4603fb0b001e2f
-
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeFilesize
60KB
MD5368d6cf63990b33361f17c6fd4207b66
SHA12a21c172c32a3ebfe40ccf0679156b696c2ab3ef
SHA25660c306fd67449c3b6246861da5758e486837d3d3facc839b5bba70fe00dfc014
SHA51259d5abfb978f2fcd6a0510da339cd044c3c78a064d239dee00b517f4f23089a5af480a79f0b525e5a268f913cb3fc4faed8bc78da32a4a110d4603fb0b001e2f
-
memory/1836-138-0x0000000000000000-mapping.dmp
-
memory/3276-140-0x0000000000000000-mapping.dmp
-
memory/4252-135-0x0000000000400000-0x000000000041A000-memory.dmpFilesize
104KB
-
memory/4252-139-0x0000000000400000-0x000000000041A000-memory.dmpFilesize
104KB
-
memory/4976-132-0x0000000000000000-mapping.dmp
-
memory/4976-136-0x0000000000400000-0x000000000041A000-memory.dmpFilesize
104KB
-
memory/4976-137-0x0000000000400000-0x000000000041A000-memory.dmpFilesize
104KB