Analysis
max time kernel: 132s
max time network: 132s
platform: windows7_x64
resource: win7-en-20211208
submitted: 21-01-2022 23:51
Static task: static1
Behavioral task: behavioral1
  Sample: 091516a7bc6ff5114ec212a8a33519886f4b3b6889125119bacd5f4bbf7f8362.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 091516a7bc6ff5114ec212a8a33519886f4b3b6889125119bacd5f4bbf7f8362.exe
  Resource: win10-en-20211208
General
Target: 091516a7bc6ff5114ec212a8a33519886f4b3b6889125119bacd5f4bbf7f8362.exe
Size: 89KB
MD5: fedf54586ebd00684e20712ad7eb9189
SHA1: da33226bd6f3bb61c7e2b37a731b70ab99367ae2
SHA256: 091516a7bc6ff5114ec212a8a33519886f4b3b6889125119bacd5f4bbf7f8362
SHA512: 82ec682ad173eedc9ee51a0238eb4c1175e6d4da74c58261834d0ab38e8b1bc96c82872df27beb9aa69f3a9fb312c941f241a2fe975a9fcd8a41ae65ece81a6b
Malware Config
Signatures
Sakula Payload (2 IoCs)
Processes:
  resource: \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  yara_rule: family_sakula
  resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  yara_rule: family_sakula
suricata: ET MALWARE SUSPICIOUS UA (iexplore)
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
Executes dropped EXE (1 IoC)
Processes:
  pid: 1164  process: MediaCenter.exe
Deletes itself (1 IoC)
Processes:
  pid: 632  process: cmd.exe
Loads dropped DLL (1 IoC)
Processes:
  pid: 1724  process: 091516a7bc6ff5114ec212a8a33519886f4b3b6889125119bacd5f4bbf7f8362.exe
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  process: 091516a7bc6ff5114ec212a8a33519886f4b3b6889125119bacd5f4bbf7f8362.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Runs ping.exe (1 TTP, 1 IoC)
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  description: Token: SeIncBasePriorityPrivilege  pid: 1724  process: 091516a7bc6ff5114ec212a8a33519886f4b3b6889125119bacd5f4bbf7f8362.exe
Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
  description: PID 1724 wrote to memory of 1164  pid: 1724  process: 091516a7bc6ff5114ec212a8a33519886f4b3b6889125119bacd5f4bbf7f8362.exe  target process: MediaCenter.exe  (4 entries)
  description: PID 1724 wrote to memory of 632   pid: 1724  process: 091516a7bc6ff5114ec212a8a33519886f4b3b6889125119bacd5f4bbf7f8362.exe  target process: cmd.exe  (4 entries)
  description: PID 632 wrote to memory of 1956   pid: 632   process: cmd.exe  target process: PING.EXE  (4 entries)
Processes
(level 1) C:\Users\Admin\AppData\Local\Temp\091516a7bc6ff5114ec212a8a33519886f4b3b6889125119bacd5f4bbf7f8362.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\091516a7bc6ff5114ec212a8a33519886f4b3b6889125119bacd5f4bbf7f8362.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1724
  (level 2) C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1164
  (level 2) C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\091516a7bc6ff5114ec212a8a33519886f4b3b6889125119bacd5f4bbf7f8362.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 632
    (level 3) C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1956
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: e368ae209e19a45f46900f94d63ab103
SHA1: 6917a9831756ab8b667685c45e9ad813c8da9d94
SHA256: ae680fa20e8b1f2f3687fd95250c8062a8274adcb7a60e92087f1e77d338c95b
SHA512: 8e168207d62287a48db99cf04e5d565e203201c5872bb60f9d5b00f27f42a3620016a33ea1ab0afa3cea811ecbee6d8d2e1d3138bd36e538ba155d98d610d18d