Analysis
max time kernel: 152s
max time network: 158s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07-11-2022 01:22
Behavioral task behavioral1
  Sample: 27710f7919163a48325bf9859c53b6e2d9b08a85438053cfdbf336cfd2e50271.exe
  Resource: win7-20220812-en
Behavioral task behavioral2
  Sample: 27710f7919163a48325bf9859c53b6e2d9b08a85438053cfdbf336cfd2e50271.exe
  Resource: win10v2004-20220901-en
General
Target: 27710f7919163a48325bf9859c53b6e2d9b08a85438053cfdbf336cfd2e50271.exe
Size: 89KB
MD5: 07af666d2117296a7814c86839ee2ae0
SHA1: 45355b93874d7a3dda423bb5b48ca74a9abc9561
SHA256: 27710f7919163a48325bf9859c53b6e2d9b08a85438053cfdbf336cfd2e50271
SHA512: 6da02d79e9d35e0a22345a5752f483fe8a93fcad746b686fd544d17e1feeb6dcdd3a432ee932bac4ac9cc45819ef264bcdba2f988a89449adda7ea7244004a17
SSDEEP: 1536:PQFl29mEkE0L1rDEKrxZKF2zf9g2Pl7W/MwbxMX+ees52z30rtrz:w29DkEGRQixVSjLaes5G30Bv
Malware Config
Signatures
Sakula payload (2 IoCs)
  resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  yara_rule: family_sakula
  resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  yara_rule: family_sakula
Executes dropped EXE (1 IoC)
  pid: 2536  process: MediaCenter.exe
Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence check.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation
  process: 27710f7919163a48325bf9859c53b6e2d9b08a85438053cfdbf336cfd2e50271.exe
Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
  process: 27710f7919163a48325bf9859c53b6e2d9b08a85438053cfdbf336cfd2e50271.exe
  Note: the WOW6432Node path means the sample is a 32-bit process on this x64 host; from the 32-bit view it wrote HKLM\Software\Microsoft\Windows\CurrentVersion\Run, so hunts on other hosts should query both registry views. The value points into the user's %LOCALAPPDATA%\Temp, an unusual location for a legitimate autostart entry.
Enumerates physical storage devices (1 TTP, no IoC recorded)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature reads "Likely ransomware behaviour"; Sakula is a remote access trojan, not ransomware, and no IoC was recorded for this signature, so treat it as a weak heuristic hit rather than evidence of file encryption.
Runs ping.exe (1 TTP, 1 IoC)
  The ping is to 127.0.0.1 only (see the process tree): it serves as a short delay before "del /q" removes the original sample, so it is part of a self-delete routine, not network reconnaissance.
Suspicious use of AdjustPrivilegeToken (1 IoC)
  description: Token: SeIncBasePriorityPrivilege
  pid: 5068  process: 27710f7919163a48325bf9859c53b6e2d9b08a85438053cfdbf336cfd2e50271.exe
Suspicious use of WriteProcessMemory (9 IoCs)
  PID 5068 wrote to memory of 2536: 27710f7919163a48325bf9859c53b6e2d9b08a85438053cfdbf336cfd2e50271.exe -> MediaCenter.exe (logged 3 times)
  PID 5068 wrote to memory of 1384: 27710f7919163a48325bf9859c53b6e2d9b08a85438053cfdbf336cfd2e50271.exe -> cmd.exe (logged 3 times)
  PID 1384 wrote to memory of 4512: cmd.exe -> PING.EXE (logged 3 times)
Processes
C:\Users\Admin\AppData\Local\Temp\27710f7919163a48325bf9859c53b6e2d9b08a85438053cfdbf336cfd2e50271.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\27710f7919163a48325bf9859c53b6e2d9b08a85438053cfdbf336cfd2e50271.exe"
  PID: 5068
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  +-- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      PID: 2536
      - Executes dropped EXE
  +-- C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\27710f7919163a48325bf9859c53b6e2d9b08a85438053cfdbf336cfd2e50271.exe"
      PID: 1384
      - Suspicious use of WriteProcessMemory
      +-- C:\Windows\SysWOW64\PING.EXE
          command line: ping 127.0.0.1
          PID: 4512
          - Runs ping.exe
Note: the command line names System32\cmd.exe but the image that ran is SysWOW64\cmd.exe; that is WOW64 file system redirection for a 32-bit parent, consistent with the WOW6432Node Run key above. The cmd.exe chain deletes the original sample after the drop, so on an infected host only the dropped MediaCenter.exe and the Run key remain.
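The three behaviours recorded above (a Temp-resident dropper launching a second Temp-resident executable, a Run key pointing into %LOCALAPPDATA%\Temp, and a "ping 127.0.0.1 & del /q" self-delete whose target is the parent's own image) as detection rules. This is an added example, not part of the sandbox output and not Sakula's code. The events are constructed here to mirror this report's process tree and registry write; their field names and event IDs (1 for process create, 13 for registry value set) follow Sysmon conventions, which is an assumption about the log source.

```python
"""Triage rules over constructed Sysmon-style events that mirror this report.
Added example; the events below are constructed, not sandbox output."""
import re
from pathlib import PureWindowsPath

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\27710f7919163a48325bf9859c53b6e2d9b08a85438053cfdbf336cfd2e50271.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

# Constructed events (Sysmon field names assumed): EventID 1 = process create,
# EventID 13 = registry value set. PIDs and paths are those in the report.
EVENTS = [
    {"EventID": 1, "ProcessId": 5068, "ParentProcessId": 0,
     "Image": SAMPLE, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": f'"{SAMPLE}"'},
    {"EventID": 13, "ProcessId": 5068, "Image": SAMPLE,
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "Details": DROPPED},
    {"EventID": 1, "ProcessId": 2536, "ParentProcessId": 5068,
     "Image": DROPPED, "ParentImage": SAMPLE, "CommandLine": DROPPED},
    {"EventID": 1, "ProcessId": 1384, "ParentProcessId": 5068,
     "Image": r"C:\Windows\SysWOW64\cmd.exe", "ParentImage": SAMPLE,
     "CommandLine": f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"'},
    {"EventID": 1, "ProcessId": 4512, "ParentProcessId": 1384,
     "Image": r"C:\Windows\SysWOW64\PING.EXE",
     "ParentImage": r"C:\Windows\SysWOW64\cmd.exe", "CommandLine": "ping 127.0.0.1"},
]

# Run/RunOnce under either registry view (native or WOW6432Node).
RUN_KEY = re.compile(r"\\(?:WOW6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.I)
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
# "ping ... & del /q "<path>"": the quoted path after del is the delete target.
SELF_DELETE = re.compile(r'\bping\b.*&\s*del\b[^"]*"([^"]+)"', re.I)


def under_temp(path):
    return bool(TEMP_DIR.search(path))


def detect_self_delete(events):
    """cmd.exe ping+del chains whose delete target is the parent's own image."""
    by_pid = {e["ProcessId"]: e for e in events if e["EventID"] == 1}
    hits = []
    for e in events:
        if e["EventID"] != 1 or not e["Image"].lower().endswith("\\cmd.exe"):
            continue
        m = SELF_DELETE.search(e["CommandLine"])
        if not m:
            continue
        parent = by_pid.get(e["ParentProcessId"])
        target = m.group(1)
        # PureWindowsPath compares case-insensitively, as the file system does.
        if parent and PureWindowsPath(target) == PureWindowsPath(parent["Image"]):
            hits.append({"rule": "self_delete", "pid": e["ProcessId"], "deleted": target})
    return hits


def detect_run_key_to_temp(events):
    """Autostart values (either view) whose data points into %LOCALAPPDATA%\\Temp."""
    return [{"rule": "run_key_temp", "pid": e["ProcessId"],
             "key": e["TargetObject"], "data": e["Details"]}
            for e in events
            if e["EventID"] == 13 and RUN_KEY.search(e["TargetObject"])
            and under_temp(e["Details"])]


def detect_temp_dropper_chain(events):
    """A Temp-resident process starting another executable from Temp."""
    return [{"rule": "temp_to_temp_exec", "pid": e["ProcessId"], "image": e["Image"]}
            for e in events
            if e["EventID"] == 1 and under_temp(e["Image"]) and under_temp(e["ParentImage"])]


def triage(events):
    return detect_self_delete(events) + detect_run_key_to_temp(events) + detect_temp_dropper_chain(events)


if __name__ == "__main__":
    for hit in triage(EVENTS):
        print(hit)
```

Each rule keys on a relationship rather than on the sample's hashes: the self-delete rule requires the deleted path to equal the parent image, which keeps ordinary "ping & del" cleanup scripts out, and the Run-key rule matches both registry views so a 32-bit dropper on x64 is not missed.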
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  Filesize: 89KB
  MD5: b17c98985bcdacd5a6944b1e49f71963
  SHA1: 535162852edef57d520c551d6f90a82a46e48769
  SHA256: f47a54e960bcb4321ae4c6e8fd5e813b267419d74723ebd171ec1ea6cd14b491
  SHA512: 273db888847acc44b131d5fcb5802730f928d5c851e3402d10c480e87e38b47b87081e36c49b8a80835e4d6b37cf036caa40bbb5b1e2ea7595ae6e2a71c159b3
  Note: the dropped file has the same size as the submitted sample but different hashes, so hunts should include the dropped file's hashes as well as the submitted sample's; since the original is deleted after the drop, the dropped file is the artifact that survives on disk.
memory/1384-135-0x0000000000000000-mapping.dmp
memory/2536-132-0x0000000000000000-mapping.dmp
memory/4512-136-0x0000000000000000-mapping.dmp