Analysis
max time kernel: 145s
max time network: 148s
platform: windows10_x64
resource: win10-en-20211208
submitted: 21-01-2022 23:51
Static task: static1
Behavioral task: behavioral1
  Sample: 091516a7bc6ff5114ec212a8a33519886f4b3b6889125119bacd5f4bbf7f8362.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 091516a7bc6ff5114ec212a8a33519886f4b3b6889125119bacd5f4bbf7f8362.exe
  Resource: win10-en-20211208
General
Target: 091516a7bc6ff5114ec212a8a33519886f4b3b6889125119bacd5f4bbf7f8362.exe
Size: 89KB
MD5: fedf54586ebd00684e20712ad7eb9189
SHA1: da33226bd6f3bb61c7e2b37a731b70ab99367ae2
SHA256: 091516a7bc6ff5114ec212a8a33519886f4b3b6889125119bacd5f4bbf7f8362
SHA512: 82ec682ad173eedc9ee51a0238eb4c1175e6d4da74c58261834d0ab38e8b1bc96c82872df27beb9aa69f3a9fb312c941f241a2fe975a9fcd8a41ae65ece81a6b
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  Processes:
  resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  yara_rule: family_sakula
  resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  yara_rule: family_sakula
- suricata: ET MALWARE SUSPICIOUS UA (iexplore)
- suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
- Executes dropped EXE (1 IoC)
  Processes:
  pid: 2008  process: MediaCenter.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  process: 091516a7bc6ff5114ec212a8a33519886f4b3b6889125119bacd5f4bbf7f8362.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  description: Token: SeIncBasePriorityPrivilege  pid: 676  process: 091516a7bc6ff5114ec212a8a33519886f4b3b6889125119bacd5f4bbf7f8362.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
  description: PID 676 wrote to memory of 2008  pid: 676  process: 091516a7bc6ff5114ec212a8a33519886f4b3b6889125119bacd5f4bbf7f8362.exe  target process: MediaCenter.exe
  description: PID 676 wrote to memory of 2008  pid: 676  process: 091516a7bc6ff5114ec212a8a33519886f4b3b6889125119bacd5f4bbf7f8362.exe  target process: MediaCenter.exe
  description: PID 676 wrote to memory of 2008  pid: 676  process: 091516a7bc6ff5114ec212a8a33519886f4b3b6889125119bacd5f4bbf7f8362.exe  target process: MediaCenter.exe
  description: PID 676 wrote to memory of 3052  pid: 676  process: 091516a7bc6ff5114ec212a8a33519886f4b3b6889125119bacd5f4bbf7f8362.exe  target process: cmd.exe
  description: PID 676 wrote to memory of 3052  pid: 676  process: 091516a7bc6ff5114ec212a8a33519886f4b3b6889125119bacd5f4bbf7f8362.exe  target process: cmd.exe
  description: PID 676 wrote to memory of 3052  pid: 676  process: 091516a7bc6ff5114ec212a8a33519886f4b3b6889125119bacd5f4bbf7f8362.exe  target process: cmd.exe
  description: PID 3052 wrote to memory of 1816  pid: 3052  process: cmd.exe  target process: PING.EXE
  description: PID 3052 wrote to memory of 1816  pid: 3052  process: cmd.exe  target process: PING.EXE
  description: PID 3052 wrote to memory of 1816  pid: 3052  process: cmd.exe  target process: PING.EXE
Processes
1. C:\Users\Admin\AppData\Local\Temp\091516a7bc6ff5114ec212a8a33519886f4b3b6889125119bacd5f4bbf7f8362.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\091516a7bc6ff5114ec212a8a33519886f4b3b6889125119bacd5f4bbf7f8362.exe"
   PID: 676
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      PID: 2008
      - Executes dropped EXE
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\091516a7bc6ff5114ec212a8a33519886f4b3b6889125119bacd5f4bbf7f8362.exe"
      PID: 3052
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\PING.EXE
         Command line: ping 127.0.0.1
         PID: 1816
         - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: bfe18c8ddc45c5c7c1afe53471756e8a
SHA1: d77eb87522652e97c922e5218e4cb90cda66409c
SHA256: 5c08fb064f1b662cbc947930652d2d56b03a61dde6975955d83ac87b05506d05
SHA512: fa8e8ba57293257f8ce71ad69eeda9592631977ab417c9a259d73e27b05cd9e05592621abc35d6da485862546f3045e87a7428dbf5e4e9936b6ae35c53939f85