Analysis
- max time kernel: 148s
- max time network: 151s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 30-09-2021 12:24
Static task: static1
Behavioral task: behavioral1
  - Sample: c0064a70b0d297c43ccc230f852c1ffac7534d58251dec497bab0e7e82f79143.exe
  - Resource: win7-en-20210920
Behavioral task: behavioral2
  - Sample: c0064a70b0d297c43ccc230f852c1ffac7534d58251dec497bab0e7e82f79143.exe
  - Resource: win10v20210408
General
- Target: c0064a70b0d297c43ccc230f852c1ffac7534d58251dec497bab0e7e82f79143.exe
- Size: 216KB
- MD5: dab5f66a4c8f6bcbcdeb2a83c21769c5
- SHA1: 06e8c2999917c6bc5d4b6359de3222d4379acbb9
- SHA256: c0064a70b0d297c43ccc230f852c1ffac7534d58251dec497bab0e7e82f79143
- SHA512: 3a02669cd6390e5c6b5e1dd8711c300790cd78419a512830325c497fad7a5864aeaac6e0622dd39ab3bd3bafad49f5ad968d0d6c24c961adb9cafb7b64869854
Malware Config
Signatures
- suricata: ET MALWARE SUSPICIOUS UA (iexplore)
- suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
- Executes dropped EXE (1 IoC)
  pid   Process
  628   MediaCenter.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  Process: c0064a70b0d297c43ccc230f852c1ffac7534d58251dec497bab0e7e82f79143.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
  pid    Process
  3692   PING.EXE
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description                         pid   Process
  Token: SeIncBasePriorityPrivilege   568   c0064a70b0d297c43ccc230f852c1ffac7534d58251dec497bab0e7e82f79143.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  description                       pid    Process                                                                 procid_target
  PID 568 wrote to memory of 628    568    c0064a70b0d297c43ccc230f852c1ffac7534d58251dec497bab0e7e82f79143.exe   68
  PID 568 wrote to memory of 628    568    c0064a70b0d297c43ccc230f852c1ffac7534d58251dec497bab0e7e82f79143.exe   68
  PID 568 wrote to memory of 628    568    c0064a70b0d297c43ccc230f852c1ffac7534d58251dec497bab0e7e82f79143.exe   68
  PID 568 wrote to memory of 2828   568    c0064a70b0d297c43ccc230f852c1ffac7534d58251dec497bab0e7e82f79143.exe   72
  PID 568 wrote to memory of 2828   568    c0064a70b0d297c43ccc230f852c1ffac7534d58251dec497bab0e7e82f79143.exe   72
  PID 568 wrote to memory of 2828   568    c0064a70b0d297c43ccc230f852c1ffac7534d58251dec497bab0e7e82f79143.exe   72
  PID 2828 wrote to memory of 3692  2828   cmd.exe                                                                 74
  PID 2828 wrote to memory of 3692  2828   cmd.exe                                                                 74
  PID 2828 wrote to memory of 3692  2828   cmd.exe                                                                 74
Processes
- C:\Users\Admin\AppData\Local\Temp\c0064a70b0d297c43ccc230f852c1ffac7534d58251dec497bab0e7e82f79143.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c0064a70b0d297c43ccc230f852c1ffac7534d58251dec497bab0e7e82f79143.exe"
  PID: 568
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 628
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\c0064a70b0d297c43ccc230f852c1ffac7534d58251dec497bab0e7e82f79143.exe"
    PID: 2828
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 3692
      - Runs ping.exe