Analysis
- max time kernel: 130s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 18-10-2022 08:30
Behavioral task behavioral1
- Sample: e8cbc695da0a4e41d0a99ac2a65351e0c89848ec5a7eaa66203e2ba44928b4f3.exe
- Resource: win7-20220901-en
Behavioral task behavioral2
- Sample: e8cbc695da0a4e41d0a99ac2a65351e0c89848ec5a7eaa66203e2ba44928b4f3.exe
- Resource: win10v2004-20220812-en
The signatures, process tree and downloads below come from the behavioral2 run (win10v2004-20220812-en, x64), as stated in the Analysis header.
General
- Target: e8cbc695da0a4e41d0a99ac2a65351e0c89848ec5a7eaa66203e2ba44928b4f3.exe
- Size: 98KB
- MD5: 61904881703150762d61354d40bc6d03
- SHA1: 8c05ffcb409a54ec20994e681cb426e2b676cfe5
- SHA256: e8cbc695da0a4e41d0a99ac2a65351e0c89848ec5a7eaa66203e2ba44928b4f3
- SHA512: 2b7dca253883b8dca8ae86d80ee7a2b67ba5a4e5b121aa5e684cc914d43cb85b7cda05d975bc7a6ef1cce52aad0c09417b22c442fe91a75de0868b37b15c5e3e
- SSDEEP: 1536:XQFl29mEkE0L1rDEKrxZKF2zf9g2Pl7W/MwbxMX+ees52z30rtrBuxzuA:429DkEGRQixVSjLaes5G30B6r
Malware Config
(none listed in this report)
Signatures
-
Sakula payload (2 IoCs)
Processes (resource / YARA rule):
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe: family_sakula
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe: family_sakula
The family_sakula rule matched the dropped MediaCenter.exe (the same path is listed twice in the report), not the submitted parent. YARA detection keyed on the parent alone would therefore miss this sample; the dropped file's hashes under Downloads are the ones to hunt on.
Executes dropped EXE (1 IoC)
Processes:
- pid 5068: MediaCenter.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check.
Processes:
- e8cbc695da0a4e41d0a99ac2a65351e0c89848ec5a7eaa66203e2ba44928b4f3.exe: key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation
HKCU\Control Panel\International\Geo\Nation holds the user's configured country as a GeoID. A sample that reads it before dropping its payload may refuse to run in regions it wants to avoid, so a sandbox image with the wrong locale can miss the payload entirely; this run used locale en-us (see resource tags) and the payload was still dropped.
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
- e8cbc695da0a4e41d0a99ac2a65351e0c89848ec5a7eaa66203e2ba44928b4f3.exe: set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
This is a machine-wide Run key (HKLM, so the sample had write access there under this Admin account) pointing into the user's Temp directory; the WOW6432Node path shows the writer is a 32-bit process on x64. A Run value whose target lives under AppData\Local\Temp is a strong persistence indicator on its own.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's signature text calls this "likely ransomware behaviour", but that is the generic wording of the signature: this report records no file encryption or mass file modification, and the payload is tagged Sakula, so treat it as a low-confidence indicator here rather than a finding.
-
Runs ping.exe (1 TTP, 1 IoC)
- pid 1148: ping 127.0.0.1 (launched by cmd.exe as a delay before deleting the original sample; see the process tree)
-
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
- pid 2892 e8cbc695da0a4e41d0a99ac2a65351e0c89848ec5a7eaa66203e2ba44928b4f3.exe: Token SeIncBasePriorityPrivilege
Suspicious use of WriteProcessMemory (9 IoCs)
Processes (source PID -> target PID; each pair is logged three times in the report):
- 2892 e8cbc695da0a4e41d0a99ac2a65351e0c89848ec5a7eaa66203e2ba44928b4f3.exe -> 5068 MediaCenter.exe
- 2892 e8cbc695da0a4e41d0a99ac2a65351e0c89848ec5a7eaa66203e2ba44928b4f3.exe -> 2788 cmd.exe
- 2788 cmd.exe -> 1148 PING.EXE
Every write goes from a parent into a child it has just created. With no other injection indicators in the report (no remote thread creation, no writes into unrelated processes), this is consistent with ordinary process start-up rather than code injection.
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\e8cbc695da0a4e41d0a99ac2a65351e0c89848ec5a7eaa66203e2ba44928b4f3.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\e8cbc695da0a4e41d0a99ac2a65351e0c89848ec5a7eaa66203e2ba44928b4f3.exe"
   - Checks computer location settings
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE
   2. C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\e8cbc695da0a4e41d0a99ac2a65351e0c89848ec5a7eaa66203e2ba44928b4f3.exe"
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\PING.EXE
         command line: ping 127.0.0.1
         - Runs ping.exe
Two things to read from the tree. First, the cmd.exe line is the common self-delete idiom: ping 127.0.0.1 takes a few seconds, long enough for the parent to exit and release its image file, then del /q removes it, so the submitted file is gone from disk by the time the dropped MediaCenter.exe is running and only the copy in MicroMedia remains. Second, the sample launched "C:\Windows\System32\cmd.exe" but the process ran from C:\Windows\SysWOW64, which is WOW64 file-system redirection and confirms a 32-bit sample on this x64 image, consistent with the Run key landing under WOW6432Node.
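The Run-key persistence, the Geo\Nation lookup and the ping-then-del self-deletion recorded above are the kind of patterns a triage script should pull out of a sandbox process tree automatically. The following is an added example, not the sandbox's own signature engine and not code from the sample or its author: its event records are constructed by hand from this report's process tree and registry IoCs, and the rule names, regexes and record classes are assumptions of the example.

```python
"""Triage rules over sandbox process and registry events.

Added example for this report, not the sandbox's own signature engine.
The event records below are constructed from the process tree and registry
IoCs shown on this page so that the script runs offline.
"""
import re
from dataclasses import dataclass
from typing import Optional

SAMPLE = "e8cbc695da0a4e41d0a99ac2a65351e0c89848ec5a7eaa66203e2ba44928b4f3.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE_PATH = TEMP + "\\" + SAMPLE
DROP_PATH = TEMP + r"\MicroMedia\MediaCenter.exe"


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str    # on-disk path the sandbox resolved
    cmdline: str  # command line as launched


@dataclass
class RegEvent:
    pid: int
    op: str                     # "query" or "set"
    key: str
    data: Optional[str] = None  # value data for "set"


# Process tree from the report (constructed records; ppid 0 = root).
PROCS = [
    Proc(2892, 0, SAMPLE_PATH, '"' + SAMPLE_PATH + '"'),
    Proc(5068, 2892, DROP_PATH, DROP_PATH),
    Proc(2788, 2892, r"C:\Windows\SysWOW64\cmd.exe",
         r'"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "' + SAMPLE_PATH + '"'),
    Proc(1148, 2788, r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.1"),
]

# Registry IoCs from the report (constructed). The Run value data keeps the
# doubled backslashes the sandbox printed, to exercise the normalisation below.
REG = [
    RegEvent(2892, "query",
             r"\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000"
             r"\Control Panel\International\Geo\Nation"),
    RegEvent(2892, "set",
             r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
             r'"C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"'),
]

SELF_DELETE_RE = re.compile(r"\bping\b[^&]*&\s*del\b", re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\|\\Windows\\Temp\\", re.IGNORECASE)
GEO_KEY_RE = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.IGNORECASE)


def self_delete(procs):
    """cmd.exe that pings (as a delay) and then deletes its own parent's image file."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for p in procs:
        if not p.image.lower().endswith("\\cmd.exe") or not SELF_DELETE_RE.search(p.cmdline):
            continue
        parent = by_pid.get(p.ppid)
        if parent and parent.image.lower() in p.cmdline.lower():
            hits.append((p.pid, parent.pid))
    return hits


def run_keys_in_temp(events):
    """Run/RunOnce value whose data points into a temp directory."""
    hits = []
    for e in events:
        if e.op != "set" or not RUN_KEY_RE.search(e.key):
            continue
        data = (e.data or "").replace("\\\\", "\\")  # undo the sandbox's string escaping
        if TEMP_DIR_RE.search(data):
            hits.append((e.pid, e.key.rsplit("\\", 1)[1], data.strip('"')))
    return hits


def geofence_lookups(events):
    """Read of the user's configured country (Geo\\Nation), used to gate execution by region."""
    return [e.pid for e in events if e.op == "query" and GEO_KEY_RE.search(e.key)]


def wow64_children(procs):
    """Image resolved under SysWOW64 although the command line named System32:
    the launcher is a 32-bit process on x64 hitting file-system redirection."""
    return [p.pid for p in procs
            if "\\syswow64\\" in p.image.lower() and "\\system32\\" in p.cmdline.lower()]


def triage(procs=PROCS, events=REG):
    """Run every rule and return the hits keyed by rule name."""
    return {
        "self_delete": self_delete(procs),
        "run_key_in_temp": run_keys_in_temp(events),
        "geofence_lookup": geofence_lookups(events),
        "wow64_children": wow64_children(procs),
    }


if __name__ == "__main__":
    for name, hits in triage().items():
        print(f"{name}: {hits}")
```

The self-delete rule deliberately requires that the deleted path equals the parent's image rather than matching any `del` after a `ping`, which keeps benign cleanup scripts out of the hit list; the Run-key rule un-doubles the backslashes the sandbox prints so the same rule works on raw registry telemetry.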
Network
Downloads
-
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (this entry appears twice in the report)
- Filesize: 98KB
- MD5: e502c3d9acb1a39459e9c136d3a05815
- SHA1: e3b201f6a2741a91965a7ad9553d0c6e9ac2a983
- SHA256: 1475f74c512353277de115b8375e3743fa352ddceb4b3a1889152c81215f2f42
- SHA512: d98783d64d12abe0ecca729675cd1b17aa3c40adfd3f5155ae765cd4fad97e22271b60c43e21db212b3f41faa58673df875d4c006fb45d976583e7b046af3daf
The dropped file is the same 98KB as the submitted sample but has different hashes, and it is the file the family_sakula rule matched, so hunt on these hashes as well as the parent's.
-
- memory/1148-136-0x0000000000000000-mapping.dmp
- memory/2788-135-0x0000000000000000-mapping.dmp
- memory/5068-132-0x0000000000000000-mapping.dmp