Analysis
max time kernel: 159s
max time network: 164s
platform: windows10_x64
resource: win10-en-20211208
submitted: 21-01-2022 23:53
Static task: static1
Behavioral task: behavioral1
  Sample: 23b27a9e7cc687d9249337923cc720c8d3fee98d782f42c9d7fe04738826eb2f.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 23b27a9e7cc687d9249337923cc720c8d3fee98d782f42c9d7fe04738826eb2f.exe
  Resource: win10-en-20211208
General
Target: 23b27a9e7cc687d9249337923cc720c8d3fee98d782f42c9d7fe04738826eb2f.exe
Size: 89KB
MD5: fcad5bdeb3eb2eaa6e1c2bb9d9eb2cc0
SHA1: 8a32cdd3834e0629eeb47ca2b5f019497cfcb66b
SHA256: 23b27a9e7cc687d9249337923cc720c8d3fee98d782f42c9d7fe04738826eb2f
SHA512: 6a3a2f9942ed774f2d2c2839196146666d114473fbc6cced7a36134a5dc373949e2ebb440b21c93d4d6e0e4f120806de3a1d573ca7efe27fff193c420282f35c
Malware Config
Signatures
Sakula Payload (2 IoCs)
Processes (resource / yara_rule):
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe / family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe / family_sakula
suricata: ET MALWARE SUSPICIOUS UA (iexplore)
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
Executes dropped EXE (1 IoC)
Processes (pid / process):
  392 / MediaCenter.exe
Adds Run key to start application (2 TTPs, 1 IoC)
Processes (description / ioc / process):
  Set value (str) / \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" / 23b27a9e7cc687d9249337923cc720c8d3fee98d782f42c9d7fe04738826eb2f.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Runs ping.exe (1 TTP, 1 IoC)
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes (description / pid / process):
  Token: SeIncBasePriorityPrivilege / 3800 / 23b27a9e7cc687d9249337923cc720c8d3fee98d782f42c9d7fe04738826eb2f.exe
Suspicious use of WriteProcessMemory (9 IoCs)
Processes (description / pid / process / target process):
  PID 3800 wrote to memory of 392 / 3800 / 23b27a9e7cc687d9249337923cc720c8d3fee98d782f42c9d7fe04738826eb2f.exe / MediaCenter.exe
  PID 3800 wrote to memory of 392 / 3800 / 23b27a9e7cc687d9249337923cc720c8d3fee98d782f42c9d7fe04738826eb2f.exe / MediaCenter.exe
  PID 3800 wrote to memory of 392 / 3800 / 23b27a9e7cc687d9249337923cc720c8d3fee98d782f42c9d7fe04738826eb2f.exe / MediaCenter.exe
  PID 3800 wrote to memory of 3940 / 3800 / 23b27a9e7cc687d9249337923cc720c8d3fee98d782f42c9d7fe04738826eb2f.exe / cmd.exe
  PID 3800 wrote to memory of 3940 / 3800 / 23b27a9e7cc687d9249337923cc720c8d3fee98d782f42c9d7fe04738826eb2f.exe / cmd.exe
  PID 3800 wrote to memory of 3940 / 3800 / 23b27a9e7cc687d9249337923cc720c8d3fee98d782f42c9d7fe04738826eb2f.exe / cmd.exe
  PID 3940 wrote to memory of 1928 / 3940 / cmd.exe / PING.EXE
  PID 3940 wrote to memory of 1928 / 3940 / cmd.exe / PING.EXE
  PID 3940 wrote to memory of 1928 / 3940 / cmd.exe / PING.EXE
Processes
1. C:\Users\Admin\AppData\Local\Temp\23b27a9e7cc687d9249337923cc720c8d3fee98d782f42c9d7fe04738826eb2f.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\23b27a9e7cc687d9249337923cc720c8d3fee98d782f42c9d7fe04738826eb2f.exe"
   PID: 3800
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      PID: 392
      - Executes dropped EXE
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\23b27a9e7cc687d9249337923cc720c8d3fee98d782f42c9d7fe04738826eb2f.exe"
      PID: 3940
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\PING.EXE
         Command line: ping 127.0.0.1
         PID: 1928
         - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: 78b42398f6db4c17d6aa2716077d687e
SHA1: fd55190b0658e7e6dad65711538f16038cc3dce8
SHA256: e114ab2e0803cac73f515e455fbc9ca82c55ed0278a951ed675166879109d3ac
SHA512: f0d9c21c1359810a398d73c889391cd3ebd587a4c53cc21c759151c243e40d0da90169524de9f52c062a1f26cdccd56a98ba144c29c9577c4672703ac4be28da