Analysis
max time kernel: 142s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18-10-2022 13:00
Behavioral task: behavioral1
Sample: 99021fe3de2c235d3ee63ef816e2e8f7ecf9b25081ead44f3f5bb39ffa8cf1c9.exe
Resource: win7-20220901-en

Behavioral task: behavioral2
Sample: 99021fe3de2c235d3ee63ef816e2e8f7ecf9b25081ead44f3f5bb39ffa8cf1c9.exe
Resource: win10v2004-20220812-en
General
Target: 99021fe3de2c235d3ee63ef816e2e8f7ecf9b25081ead44f3f5bb39ffa8cf1c9.exe
Size: 220KB
MD5: 9db6e1416b3b2d02e4f0df29c2aa3a33
SHA1: d9fa4284a962b6b4bbfe1576d8b47fdd31508274
SHA256: 99021fe3de2c235d3ee63ef816e2e8f7ecf9b25081ead44f3f5bb39ffa8cf1c9
SHA512: 3183d7718f5106bb38bd93ad0beac1fb53db2955dd38a40fd9ea9614febf83940d7fb400e442ec8f056cb8f0518c11a7e504e9f1054effcd2d609f9b47792b4a
SSDEEP: 3072:a29DkEGRQixVSjLaes5G30B6SHrMPK82S5EVVEdZHMoGo8uA0I6pVMybCFbRW:a29qRfVSnfj30B+2S6ydMI8QVMgCFbRW
Malware Config
Signatures
-
Sakula payload 2 IoCs
Processes:
- resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe, yara_rule: family_sakula
- resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe, yara_rule: family_sakula
Executes dropped EXE 1 IoCs
Processes:
- pid: 4900, process: MediaCenter.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
- description: Key value queried, ioc: \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation, process: 99021fe3de2c235d3ee63ef816e2e8f7ecf9b25081ead44f3f5bb39ffa8cf1c9.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
- description: Set value (str), ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe", process: 99021fe3de2c235d3ee63ef816e2e8f7ecf9b25081ead44f3f5bb39ffa8cf1c9.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Runs ping.exe 1 TTPs 1 IoCs
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
- description: Token: SeIncBasePriorityPrivilege, pid: 3132, process: 99021fe3de2c235d3ee63ef816e2e8f7ecf9b25081ead44f3f5bb39ffa8cf1c9.exe
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
- description: PID 3132 wrote to memory of 4900, pid: 3132, process: 99021fe3de2c235d3ee63ef816e2e8f7ecf9b25081ead44f3f5bb39ffa8cf1c9.exe, target process: MediaCenter.exe
- description: PID 3132 wrote to memory of 4900, pid: 3132, process: 99021fe3de2c235d3ee63ef816e2e8f7ecf9b25081ead44f3f5bb39ffa8cf1c9.exe, target process: MediaCenter.exe
- description: PID 3132 wrote to memory of 4900, pid: 3132, process: 99021fe3de2c235d3ee63ef816e2e8f7ecf9b25081ead44f3f5bb39ffa8cf1c9.exe, target process: MediaCenter.exe
- description: PID 3132 wrote to memory of 2244, pid: 3132, process: 99021fe3de2c235d3ee63ef816e2e8f7ecf9b25081ead44f3f5bb39ffa8cf1c9.exe, target process: cmd.exe
- description: PID 3132 wrote to memory of 2244, pid: 3132, process: 99021fe3de2c235d3ee63ef816e2e8f7ecf9b25081ead44f3f5bb39ffa8cf1c9.exe, target process: cmd.exe
- description: PID 3132 wrote to memory of 2244, pid: 3132, process: 99021fe3de2c235d3ee63ef816e2e8f7ecf9b25081ead44f3f5bb39ffa8cf1c9.exe, target process: cmd.exe
- description: PID 2244 wrote to memory of 3872, pid: 2244, process: cmd.exe, target process: PING.EXE
- description: PID 2244 wrote to memory of 3872, pid: 2244, process: cmd.exe, target process: PING.EXE
- description: PID 2244 wrote to memory of 3872, pid: 2244, process: cmd.exe, target process: PING.EXE
Processes
C:\Users\Admin\AppData\Local\Temp\99021fe3de2c235d3ee63ef816e2e8f7ecf9b25081ead44f3f5bb39ffa8cf1c9.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\99021fe3de2c235d3ee63ef816e2e8f7ecf9b25081ead44f3f5bb39ffa8cf1c9.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\99021fe3de2c235d3ee63ef816e2e8f7ecf9b25081ead44f3f5bb39ffa8cf1c9.exe"
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\PING.EXE
      command line: ping 127.0.0.1
      - Runs ping.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Filesize: 220KB
MD5: fbb3864e22edc0383ed156606afa9ac2
SHA1: af0eb48e8f7409b677f1660b2fd3622f45911c34
SHA256: ff7972111d6c63690ff080ffc24a29716872ba0edac57b7af74d9dc7a180b8ce
SHA512: 3d4d5b9e0bf84ad25b8a6e81eeb908f7a7b4fc84cc5fa03654c84f00255bd4a491fe723e1b04651c7a25df46e4f58cc2f5457b49c0167c8844419dc29a30c5cb
- memory/2244-135-0x0000000000000000-mapping.dmp
- memory/3872-136-0x0000000000000000-mapping.dmp
- memory/4900-132-0x0000000000000000-mapping.dmp