Analysis
- max time kernel: 133s
- max time network: 131s
- platform: windows7_x64
- resource: win7-en-20210920
- submitted: 30-09-2021 12:24
Static task: static1
Behavioral task: behavioral1
- Sample: c0064a70b0d297c43ccc230f852c1ffac7534d58251dec497bab0e7e82f79143.exe
- Resource: win7-en-20210920
Behavioral task: behavioral2
- Sample: c0064a70b0d297c43ccc230f852c1ffac7534d58251dec497bab0e7e82f79143.exe
- Resource: win10v20210408
General
- Target: c0064a70b0d297c43ccc230f852c1ffac7534d58251dec497bab0e7e82f79143.exe
- Size: 216KB
- MD5: dab5f66a4c8f6bcbcdeb2a83c21769c5
- SHA1: 06e8c2999917c6bc5d4b6359de3222d4379acbb9
- SHA256: c0064a70b0d297c43ccc230f852c1ffac7534d58251dec497bab0e7e82f79143
- SHA512: 3a02669cd6390e5c6b5e1dd8711c300790cd78419a512830325c497fad7a5864aeaac6e0622dd39ab3bd3bafad49f5ad968d0d6c24c961adb9cafb7b64869854
Malware Config
Signatures
- suricata: ET MALWARE SUSPICIOUS UA (iexplore)
- suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
- Executes dropped EXE (1 IoC)
    pid | Process
    1664 | MediaCenter.exe
- Deletes itself (1 IoC)
    pid | Process
    1396 | cmd.exe
- Loads dropped DLL (1 IoC)
    pid | Process
    2040 | c0064a70b0d297c43ccc230f852c1ffac7534d58251dec497bab0e7e82f79143.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
    description | ioc | Process
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | c0064a70b0d297c43ccc230f852c1ffac7534d58251dec497bab0e7e82f79143.exe
- Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
    pid | Process
    548 | PING.EXE
- Suspicious use of AdjustPrivilegeToken (1 IoC)
    description | pid | Process
    Token: SeIncBasePriorityPrivilege | 2040 | c0064a70b0d297c43ccc230f852c1ffac7534d58251dec497bab0e7e82f79143.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
    description | pid | Process | procid_target
    PID 2040 wrote to memory of 1664 | 2040 | c0064a70b0d297c43ccc230f852c1ffac7534d58251dec497bab0e7e82f79143.exe | 27
    PID 2040 wrote to memory of 1664 | 2040 | c0064a70b0d297c43ccc230f852c1ffac7534d58251dec497bab0e7e82f79143.exe | 27
    PID 2040 wrote to memory of 1664 | 2040 | c0064a70b0d297c43ccc230f852c1ffac7534d58251dec497bab0e7e82f79143.exe | 27
    PID 2040 wrote to memory of 1664 | 2040 | c0064a70b0d297c43ccc230f852c1ffac7534d58251dec497bab0e7e82f79143.exe | 27
    PID 2040 wrote to memory of 1396 | 2040 | c0064a70b0d297c43ccc230f852c1ffac7534d58251dec497bab0e7e82f79143.exe | 30
    PID 2040 wrote to memory of 1396 | 2040 | c0064a70b0d297c43ccc230f852c1ffac7534d58251dec497bab0e7e82f79143.exe | 30
    PID 2040 wrote to memory of 1396 | 2040 | c0064a70b0d297c43ccc230f852c1ffac7534d58251dec497bab0e7e82f79143.exe | 30
    PID 2040 wrote to memory of 1396 | 2040 | c0064a70b0d297c43ccc230f852c1ffac7534d58251dec497bab0e7e82f79143.exe | 30
    PID 1396 wrote to memory of 548 | 1396 | cmd.exe | 32
    PID 1396 wrote to memory of 548 | 1396 | cmd.exe | 32
    PID 1396 wrote to memory of 548 | 1396 | cmd.exe | 32
    PID 1396 wrote to memory of 548 | 1396 | cmd.exe | 32
Processes
- C:\Users\Admin\AppData\Local\Temp\c0064a70b0d297c43ccc230f852c1ffac7534d58251dec497bab0e7e82f79143.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c0064a70b0d297c43ccc230f852c1ffac7534d58251dec497bab0e7e82f79143.exe"
  PID: 2040
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 1664
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\c0064a70b0d297c43ccc230f852c1ffac7534d58251dec497bab0e7e82f79143.exe"
    PID: 1396
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 548
      - Runs ping.exe