Analysis
- max time kernel: 135s
- max time network: 145s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 21-01-2022 23:53
Static task: static1
Behavioral task: behavioral1
  Sample: 23b27a9e7cc687d9249337923cc720c8d3fee98d782f42c9d7fe04738826eb2f.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 23b27a9e7cc687d9249337923cc720c8d3fee98d782f42c9d7fe04738826eb2f.exe
  Resource: win10-en-20211208
General
- Target: 23b27a9e7cc687d9249337923cc720c8d3fee98d782f42c9d7fe04738826eb2f.exe
- Size: 89KB
- MD5: fcad5bdeb3eb2eaa6e1c2bb9d9eb2cc0
- SHA1: 8a32cdd3834e0629eeb47ca2b5f019497cfcb66b
- SHA256: 23b27a9e7cc687d9249337923cc720c8d3fee98d782f42c9d7fe04738826eb2f
- SHA512: 6a3a2f9942ed774f2d2c2839196146666d114473fbc6cced7a36134a5dc373949e2ebb440b21c93d4d6e0e4f120806de3a1d573ca7efe27fff193c420282f35c
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  Processes:
    resource: \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe    yara_rule: family_sakula
    resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  yara_rule: family_sakula
- suricata: ET MALWARE SUSPICIOUS UA (iexplore)
- suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
- Executes dropped EXE (1 IoC)
  Processes:
    pid: 308  process: MediaCenter.exe
- Deletes itself (1 IoC)
  Processes:
    pid: 392  process: cmd.exe
- Loads dropped DLL (1 IoC)
  Processes:
    pid: 976  process: 23b27a9e7cc687d9249337923cc720c8d3fee98d782f42c9d7fe04738826eb2f.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    description: Set value (str)
    ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
    process: 23b27a9e7cc687d9249337923cc720c8d3fee98d782f42c9d7fe04738826eb2f.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description: Token: SeIncBasePriorityPrivilege  pid: 976  process: 23b27a9e7cc687d9249337923cc720c8d3fee98d782f42c9d7fe04738826eb2f.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description / pid / process / target process):
    PID 976 wrote to memory of 308  / 976 / 23b27a9e7cc687d9249337923cc720c8d3fee98d782f42c9d7fe04738826eb2f.exe / MediaCenter.exe  (4 events)
    PID 976 wrote to memory of 392  / 976 / 23b27a9e7cc687d9249337923cc720c8d3fee98d782f42c9d7fe04738826eb2f.exe / cmd.exe          (4 events)
    PID 392 wrote to memory of 1944 / 392 / cmd.exe / PING.EXE  (4 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\23b27a9e7cc687d9249337923cc720c8d3fee98d782f42c9d7fe04738826eb2f.exe (PID 976)
  command line: "C:\Users\Admin\AppData\Local\Temp\23b27a9e7cc687d9249337923cc720c8d3fee98d782f42c9d7fe04738826eb2f.exe"
  signatures: Loads dropped DLL; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 308)
    command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    signatures: Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 392)
    command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\23b27a9e7cc687d9249337923cc720c8d3fee98d782f42c9d7fe04738826eb2f.exe"
    signatures: Deletes itself; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 1944)
      command line: ping 127.0.0.1
      signatures: Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: b73ab56f3a6089aaddb108d8cc1ec251
  SHA1: 7a8446b1d7f64b8b9b3a0f757bf406d1b7bac459
  SHA256: d625aa01b1de7618a3b5bc18bb457631f24ef9102d7022c7a81c877b7614fec5
  SHA512: cc3f63dba0c5dd3beb1a697248814512b70a422ee12d12c12946d5e9fd4eac0c85b3dde17ed69ff38c5e6f9d05ed0a07373173f5638cf717b0ec37e393c74b6a