Analysis
max time kernel: 152s
max time network: 168s
platform: windows10_x64
resource: win10-en-20211208
submitted: 21-01-2022 23:55
Static task: static1
Behavioral task: behavioral1
  Sample: bc22523add8140bf785a7a0bb446e95275dcedea3de642f23000e5c705044385.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: bc22523add8140bf785a7a0bb446e95275dcedea3de642f23000e5c705044385.exe
  Resource: win10-en-20211208
General
Target: bc22523add8140bf785a7a0bb446e95275dcedea3de642f23000e5c705044385.exe
Size: 89KB
MD5: faed2bcd842e81c180a6ac9dde78f8d5
SHA1: dca21e88ad4e7ae8b0a7214cb53863ac2dfee60c
SHA256: bc22523add8140bf785a7a0bb446e95275dcedea3de642f23000e5c705044385
SHA512: 1ae6581bde17c7b7836d95713eb38c9e3120345b02d339eaf78d7f4089fb917326ae0d4372ec84ca5855ea4e9cce63f39962ee6712664826afa73a4c0b0656f2
Malware Config
Signatures
Sakula Payload (2 IoCs)
Processes (resource | yara_rule):
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
suricata: ET MALWARE SUSPICIOUS UA (iexplore)
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
Executes dropped EXE (1 IoCs)
Processes (pid | process):
2816 | MediaCenter.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes (description | ioc | process):
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | bc22523add8140bf785a7a0bb446e95275dcedea3de642f23000e5c705044385.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Runs ping.exe (1 TTPs, 1 IoCs)
Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes (description | pid | process):
Token: SeIncBasePriorityPrivilege | 2384 | bc22523add8140bf785a7a0bb446e95275dcedea3de642f23000e5c705044385.exe
Suspicious use of WriteProcessMemory (9 IoCs)
Processes (description | pid | process | target process):
PID 2384 wrote to memory of 2816 | 2384 | bc22523add8140bf785a7a0bb446e95275dcedea3de642f23000e5c705044385.exe | MediaCenter.exe
PID 2384 wrote to memory of 2816 | 2384 | bc22523add8140bf785a7a0bb446e95275dcedea3de642f23000e5c705044385.exe | MediaCenter.exe
PID 2384 wrote to memory of 2816 | 2384 | bc22523add8140bf785a7a0bb446e95275dcedea3de642f23000e5c705044385.exe | MediaCenter.exe
PID 2384 wrote to memory of 3228 | 2384 | bc22523add8140bf785a7a0bb446e95275dcedea3de642f23000e5c705044385.exe | cmd.exe
PID 2384 wrote to memory of 3228 | 2384 | bc22523add8140bf785a7a0bb446e95275dcedea3de642f23000e5c705044385.exe | cmd.exe
PID 2384 wrote to memory of 3228 | 2384 | bc22523add8140bf785a7a0bb446e95275dcedea3de642f23000e5c705044385.exe | cmd.exe
PID 3228 wrote to memory of 2420 | 3228 | cmd.exe | PING.EXE
PID 3228 wrote to memory of 2420 | 3228 | cmd.exe | PING.EXE
PID 3228 wrote to memory of 2420 | 3228 | cmd.exe | PING.EXE
Processes (process tree, indented by depth)
C:\Users\Admin\AppData\Local\Temp\bc22523add8140bf785a7a0bb446e95275dcedea3de642f23000e5c705044385.exe (PID: 2384)
  command line: "C:\Users\Admin\AppData\Local\Temp\bc22523add8140bf785a7a0bb446e95275dcedea3de642f23000e5c705044385.exe"
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID: 2816)
    command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  C:\Windows\SysWOW64\cmd.exe (PID: 3228)
    command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\bc22523add8140bf785a7a0bb446e95275dcedea3de642f23000e5c705044385.exe"
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\PING.EXE (PID: 2420)
      command line: ping 127.0.0.1
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: 6cf6b18531c1b422e88260ff68e001b1
SHA1: d001c020d4550d44d621af7b0e31876e8d7dfede
SHA256: f6ef26be172fc5dcd9cc34711504d6360109edbb6b3fb518362bf9693fdd312e
SHA512: 54e38d8b722a10d5f563dc2eb780745084d970b8c78abebf60c8e7a25fdef94e036d5a08976471370752f3e8559b5c9a6e498e28b807af9d3ca3376c8b933db9