Analysis
  max time kernel:   153s
  max time network:  170s
  platform:          windows10-2004_x64
  resource:          win10v2004-20221111-en
  resource tags:     arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  submitted:         04-12-2022 23:46
Behavioral task: behavioral1
  Sample:   ffb88820a9e968fa6b147521ae0b59c3497ebff7affa569b0ab56244ad86fa54.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample:   ffb88820a9e968fa6b147521ae0b59c3497ebff7affa569b0ab56244ad86fa54.exe
  Resource: win10v2004-20221111-en
General
  Target: ffb88820a9e968fa6b147521ae0b59c3497ebff7affa569b0ab56244ad86fa54.exe
  Size:   216KB
  MD5:    aded8813f5cc4687c47d75ec002c7637
  SHA1:   a1acd934d53214a1792279bab59dcfb1ae537e8a
  SHA256: ffb88820a9e968fa6b147521ae0b59c3497ebff7affa569b0ab56244ad86fa54
  SHA512: b54e57bd60816ab5569584f6c43aff21ca44a30ab7b2387d8224b1b7be787ed27474d25a0d803607f1175c4f7df7139b479ac9df1dd6bc2b0e1f71ba45812536
  SSDEEP: 3072:d29DkEGRQixVSjLB130BYgjXjpEnQ77uZwOuz/xS3iGpZMu:d29qRfVSnr30B7Xj/GwBxE1+u
Malware Config
Signatures
Sakula payload  (5 IoCs)
  Processes:
    resource                                                                          yara_rule
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe                      family_sakula
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe                      family_sakula
    behavioral2/memory/4444-135-0x0000000000400000-0x0000000000425000-memory.dmp      family_sakula
    behavioral2/memory/384-136-0x0000000000400000-0x0000000000425000-memory.dmp       family_sakula
    behavioral2/memory/4444-138-0x0000000000400000-0x0000000000425000-memory.dmp      family_sakula
Executes dropped EXE  (1 IoCs)
  Processes:
    pid   process
    384   MediaCenter.exe
UPX-packed resources (signature name not present on the page)
  Processes:
    resource                                                                          yara_rule
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe                      upx
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe                      upx
    behavioral2/memory/4444-135-0x0000000000400000-0x0000000000425000-memory.dmp      upx
    behavioral2/memory/384-136-0x0000000000400000-0x0000000000425000-memory.dmp       upx
    behavioral2/memory/4444-138-0x0000000000400000-0x0000000000425000-memory.dmp      upx
Checks computer location settings  (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    description        ioc                                                                                          process
    Key value queried  \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation  ffb88820a9e968fa6b147521ae0b59c3497ebff7affa569b0ab56244ad86fa54.exe
Adds Run key to start application  (2 TTPs, 1 IoCs)
  Processes:
    description      ioc                                                                                                                                                     process
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  ffb88820a9e968fa6b147521ae0b59c3497ebff7affa569b0ab56244ad86fa54.exe
Enumerates physical storage devices  (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Runs ping.exe  (1 TTPs, 1 IoCs)
Suspicious use of AdjustPrivilegeToken  (1 IoCs)
  Processes:
    description                        pid   process
    Token: SeIncBasePriorityPrivilege  4444  ffb88820a9e968fa6b147521ae0b59c3497ebff7affa569b0ab56244ad86fa54.exe
Suspicious use of WriteProcessMemory  (9 IoCs)
  Processes:
    description                   pid   process                                                                 target process
    PID 4444 wrote to memory of 384   4444  ffb88820a9e968fa6b147521ae0b59c3497ebff7affa569b0ab56244ad86fa54.exe  MediaCenter.exe
    PID 4444 wrote to memory of 384   4444  ffb88820a9e968fa6b147521ae0b59c3497ebff7affa569b0ab56244ad86fa54.exe  MediaCenter.exe
    PID 4444 wrote to memory of 384   4444  ffb88820a9e968fa6b147521ae0b59c3497ebff7affa569b0ab56244ad86fa54.exe  MediaCenter.exe
    PID 4444 wrote to memory of 4208  4444  ffb88820a9e968fa6b147521ae0b59c3497ebff7affa569b0ab56244ad86fa54.exe  cmd.exe
    PID 4444 wrote to memory of 4208  4444  ffb88820a9e968fa6b147521ae0b59c3497ebff7affa569b0ab56244ad86fa54.exe  cmd.exe
    PID 4444 wrote to memory of 4208  4444  ffb88820a9e968fa6b147521ae0b59c3497ebff7affa569b0ab56244ad86fa54.exe  cmd.exe
    PID 4208 wrote to memory of 3664  4208  cmd.exe                                                                 PING.EXE
    PID 4208 wrote to memory of 3664  4208  cmd.exe                                                                 PING.EXE
    PID 4208 wrote to memory of 3664  4208  cmd.exe                                                                 PING.EXE
Processes
  [1] C:\Users\Admin\AppData\Local\Temp\ffb88820a9e968fa6b147521ae0b59c3497ebff7affa569b0ab56244ad86fa54.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\ffb88820a9e968fa6b147521ae0b59c3497ebff7affa569b0ab56244ad86fa54.exe"
      PID: 4444
      - Checks computer location settings
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      [2] C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
          PID: 384
          - Executes dropped EXE
      [2] C:\Windows\SysWOW64\cmd.exe
          Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\ffb88820a9e968fa6b147521ae0b59c3497ebff7affa569b0ab56244ad86fa54.exe"
          PID: 4208
          - Suspicious use of WriteProcessMemory
          [3] C:\Windows\SysWOW64\PING.EXE
              Command line: ping 127.0.0.1
              PID: 3664
              - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Filesize: 216KB
    MD5:      63fa9f1724f6c187bdcfffd993dfe2be
    SHA1:     f33cf8a6ad27275a17748c9b3e76410b2969baa6
    SHA256:   de2c6be559ddda23241aa0e30fdad7acc8bd23cac5348367d9e05d11ff17a8ad
    SHA512:   c06c349b52efc35e14f43999335c9232a4c0ed4f2ab9db342b963f61f78298316508888b2df1cda28d2a945f113366e64819e1a8a30bc0bea97bc29ef053973b
  memory/384-132-0x0000000000000000-mapping.dmp
  memory/384-136-0x0000000000400000-0x0000000000425000-memory.dmp
    Filesize: 148KB
  memory/3664-139-0x0000000000000000-mapping.dmp
  memory/4208-137-0x0000000000000000-mapping.dmp
  memory/4444-135-0x0000000000400000-0x0000000000425000-memory.dmp
    Filesize: 148KB
  memory/4444-138-0x0000000000400000-0x0000000000425000-memory.dmp
    Filesize: 148KB