Analysis
Max time kernel: 126s
Max time network: 144s
Platform: windows10-2004_x64
Resource: win10v2004-20220812-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 18-10-2022 02:20
Static task: static1
Behavioral task: behavioral1
  Sample: c2264f2d6a6e0108caa212d4c3c786f6d77ac907b02abf1ccf9d74f9439890f4.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: c2264f2d6a6e0108caa212d4c3c786f6d77ac907b02abf1ccf9d74f9439890f4.exe
  Resource: win10v2004-20220812-en
General
Target: c2264f2d6a6e0108caa212d4c3c786f6d77ac907b02abf1ccf9d74f9439890f4.exe
Size: 60KB
MD5: cfb618ea09382a4e7a68c3dd6a4732b3
SHA1: 9156cb63276c50d24fa11f4dc6c2c65c01db2bb9
SHA256: c2264f2d6a6e0108caa212d4c3c786f6d77ac907b02abf1ccf9d74f9439890f4
SHA512: ff373843fe5d698316076cde9a087216ac62aefda35408a998ee407e0d9813d6a8b2025788cdfe6e3e7d3dc07a433afe7e8eb6140c0923292d3aaaa30f303f5e
SSDEEP: 1536:iZioIoCwbYP4nuEApQK4TQbtY2gA9DX+ytBO8c3G3eTJ/X:iEoIlwIguEA4c5DgA9DOyq0eFP
Malware Config
Signatures
Sakula payload 3 IoCs
Processes:
  Resource                                                                      Yara rule
  behavioral2/memory/4848-136-0x0000000000400000-0x000000000041A000-memory.dmp  family_sakula
  behavioral2/memory/4744-137-0x0000000000400000-0x000000000041A000-memory.dmp  family_sakula
  behavioral2/memory/4744-139-0x0000000000400000-0x000000000041A000-memory.dmp  family_sakula
Executes dropped EXE 1 IoCs
Processes:
  PID   Process
  4848  MediaCenter.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
  Description        IoC                                                                                                    Process
  Key value queried  \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation  c2264f2d6a6e0108caa212d4c3c786f6d77ac907b02abf1ccf9d74f9439890f4.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
  Description      IoC                                                                                                                                                               Process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  c2264f2d6a6e0108caa212d4c3c786f6d77ac907b02abf1ccf9d74f9439890f4.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Runs ping.exe 1 TTPs 1 IoCs
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
  Description                        PID   Process
  Token: SeIncBasePriorityPrivilege  4744  c2264f2d6a6e0108caa212d4c3c786f6d77ac907b02abf1ccf9d74f9439890f4.exe
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
  Description                        PID   Process                                                                Target process
  PID 4744 wrote to memory of 4848   4744  c2264f2d6a6e0108caa212d4c3c786f6d77ac907b02abf1ccf9d74f9439890f4.exe  MediaCenter.exe
  PID 4744 wrote to memory of 4848   4744  c2264f2d6a6e0108caa212d4c3c786f6d77ac907b02abf1ccf9d74f9439890f4.exe  MediaCenter.exe
  PID 4744 wrote to memory of 4848   4744  c2264f2d6a6e0108caa212d4c3c786f6d77ac907b02abf1ccf9d74f9439890f4.exe  MediaCenter.exe
  PID 4744 wrote to memory of 3760   4744  c2264f2d6a6e0108caa212d4c3c786f6d77ac907b02abf1ccf9d74f9439890f4.exe  cmd.exe
  PID 4744 wrote to memory of 3760   4744  c2264f2d6a6e0108caa212d4c3c786f6d77ac907b02abf1ccf9d74f9439890f4.exe  cmd.exe
  PID 4744 wrote to memory of 3760   4744  c2264f2d6a6e0108caa212d4c3c786f6d77ac907b02abf1ccf9d74f9439890f4.exe  cmd.exe
  PID 3760 wrote to memory of 4884   3760  cmd.exe                                                                PING.EXE
  PID 3760 wrote to memory of 4884   3760  cmd.exe                                                                PING.EXE
  PID 3760 wrote to memory of 4884   3760  cmd.exe                                                                PING.EXE
Processes
C:\Users\Admin\AppData\Local\Temp\c2264f2d6a6e0108caa212d4c3c786f6d77ac907b02abf1ccf9d74f9439890f4.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c2264f2d6a6e0108caa212d4c3c786f6d77ac907b02abf1ccf9d74f9439890f4.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\c2264f2d6a6e0108caa212d4c3c786f6d77ac907b02abf1ccf9d74f9439890f4.exe"
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  Filesize: 60KB
  MD5: 4dd90e784d86dba5f61739a397060d18
  SHA1: f9446f6da017c7a9684e422a1a68658d35b03bbd
  SHA256: 56172439e061caac2684785ec98ad268cb2ff5dc702cad8af11f3ede97a2fc0b
  SHA512: c4bb4d0426792a8319b14d16a14280211250b872c03203efa1472be8cdbb54bed3e9c08ef877edc106c9073484f0a4636f9d7a51228e6044664f2fac9933c923
memory/3760-138-0x0000000000000000-mapping.dmp
memory/4744-132-0x0000000000400000-0x000000000041A000-memory.dmp
  Filesize: 104KB
memory/4744-137-0x0000000000400000-0x000000000041A000-memory.dmp
  Filesize: 104KB
memory/4744-139-0x0000000000400000-0x000000000041A000-memory.dmp
  Filesize: 104KB
memory/4848-133-0x0000000000000000-mapping.dmp
memory/4848-136-0x0000000000400000-0x000000000041A000-memory.dmp
  Filesize: 104KB
memory/4884-140-0x0000000000000000-mapping.dmp