Analysis
- max time kernel: 136s
- max time network: 135s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 21-01-2022 23:55
Static task: static1
Behavioral task: behavioral1
  Sample: bc22523add8140bf785a7a0bb446e95275dcedea3de642f23000e5c705044385.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: bc22523add8140bf785a7a0bb446e95275dcedea3de642f23000e5c705044385.exe
  Resource: win10-en-20211208
General
- Target: bc22523add8140bf785a7a0bb446e95275dcedea3de642f23000e5c705044385.exe
- Size: 89KB
- MD5: faed2bcd842e81c180a6ac9dde78f8d5
- SHA1: dca21e88ad4e7ae8b0a7214cb53863ac2dfee60c
- SHA256: bc22523add8140bf785a7a0bb446e95275dcedea3de642f23000e5c705044385
- SHA512: 1ae6581bde17c7b7836d95713eb38c9e3120345b02d339eaf78d7f4089fb917326ae0d4372ec84ca5855ea4e9cce63f39962ee6712664826afa73a4c0b0656f2
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  Processes (resource -> yara_rule):
    \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe -> family_sakula
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe -> family_sakula
- suricata: ET MALWARE SUSPICIOUS UA (iexplore)
- suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
- Executes dropped EXE (1 IoC)
  Processes (pid, process):
    1600 MediaCenter.exe
- Deletes itself (1 IoC)
  Processes (pid, process):
    968 cmd.exe
- Loads dropped DLL (1 IoC)
  Processes (pid, process):
    1204 bc22523add8140bf785a7a0bb446e95275dcedea3de642f23000e5c705044385.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description, ioc, process):
    Set value (str)
    \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
    bc22523add8140bf785a7a0bb446e95275dcedea3de642f23000e5c705044385.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description, pid, process):
    Token: SeIncBasePriorityPrivilege, 1204, bc22523add8140bf785a7a0bb446e95275dcedea3de642f23000e5c705044385.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description, pid, process -> target process):
    PID 1204 wrote to memory of 1600, 1204, bc22523add8140bf785a7a0bb446e95275dcedea3de642f23000e5c705044385.exe -> MediaCenter.exe
    PID 1204 wrote to memory of 1600, 1204, bc22523add8140bf785a7a0bb446e95275dcedea3de642f23000e5c705044385.exe -> MediaCenter.exe
    PID 1204 wrote to memory of 1600, 1204, bc22523add8140bf785a7a0bb446e95275dcedea3de642f23000e5c705044385.exe -> MediaCenter.exe
    PID 1204 wrote to memory of 1600, 1204, bc22523add8140bf785a7a0bb446e95275dcedea3de642f23000e5c705044385.exe -> MediaCenter.exe
    PID 1204 wrote to memory of 968, 1204, bc22523add8140bf785a7a0bb446e95275dcedea3de642f23000e5c705044385.exe -> cmd.exe
    PID 1204 wrote to memory of 968, 1204, bc22523add8140bf785a7a0bb446e95275dcedea3de642f23000e5c705044385.exe -> cmd.exe
    PID 1204 wrote to memory of 968, 1204, bc22523add8140bf785a7a0bb446e95275dcedea3de642f23000e5c705044385.exe -> cmd.exe
    PID 1204 wrote to memory of 968, 1204, bc22523add8140bf785a7a0bb446e95275dcedea3de642f23000e5c705044385.exe -> cmd.exe
    PID 968 wrote to memory of 796, 968, cmd.exe -> PING.EXE
    PID 968 wrote to memory of 796, 968, cmd.exe -> PING.EXE
    PID 968 wrote to memory of 796, 968, cmd.exe -> PING.EXE
    PID 968 wrote to memory of 796, 968, cmd.exe -> PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\bc22523add8140bf785a7a0bb446e95275dcedea3de642f23000e5c705044385.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\bc22523add8140bf785a7a0bb446e95275dcedea3de642f23000e5c705044385.exe"
  PID: 1204
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 1600
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\bc22523add8140bf785a7a0bb446e95275dcedea3de642f23000e5c705044385.exe"
    PID: 968
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 796
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 7fafbf38b2e31140750a6c4eb949d8f1
  SHA1: 5a6b3331b5b2b4cfb5ee3b994f4b6b0f8aed9d68
  SHA256: 479f9bcdbf0a093556dc0d45f9a053a1b8ce00d571023efa5a903de156fe87d2
  SHA512: e2570e3ee8cd6a80b4cd8e475b2c6e5a644c77a309d6b76b26f90f1eeb658d7af65dc629e50019b0cd815fd8bed8dcd57b117481c0f116fd73bc0b1e3ed0faa3