Analysis
- max time kernel: 126s
- max time network: 127s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 21-01-2022 23:56

Static task: static1
Behavioral task: behavioral1
  Sample: 58560834b0a0089f012ddb201e1fdc8fd6133fd681621e70052dbb063030942d.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 58560834b0a0089f012ddb201e1fdc8fd6133fd681621e70052dbb063030942d.exe
  Resource: win10-en-20211208
General
- Target: 58560834b0a0089f012ddb201e1fdc8fd6133fd681621e70052dbb063030942d.exe
- Size: 89KB
- MD5: f8dbcfe4f826aa27724ccfd6b080b26d
- SHA1: 24efba130f37ce6f5bdd9da13c12941422d9f3b0
- SHA256: 58560834b0a0089f012ddb201e1fdc8fd6133fd681621e70052dbb063030942d
- SHA512: 26348520fbe4cd73ec95fe52886f51bbb89dac20ab7895fa3180e6fc15e616ec973d7fc23d315ba8e134fe7921e23a33d104071e8401df5858d4a3d991558632
Malware Config
Signatures
Sakula Payload 2 IoCs
Processes:
| resource | yara_rule |
|---|---|
| \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula |
| C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula |
suricata: ET MALWARE SUSPICIOUS UA (iexplore)

suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
Executes dropped EXE 1 IoCs
Processes:
| pid | process |
|---|---|
| 1472 | MediaCenter.exe |
Deletes itself 1 IoCs
Processes:
| pid | process |
|---|---|
| 1124 | cmd.exe |
Loads dropped DLL 1 IoCs
Processes:
| pid | process |
|---|---|
| 1720 | 58560834b0a0089f012ddb201e1fdc8fd6133fd681621e70052dbb063030942d.exe |
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
| description | ioc | process |
|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 58560834b0a0089f012ddb201e1fdc8fd6133fd681621e70052dbb063030942d.exe |
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe 1 TTPs 1 IoCs
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
| description | pid | process |
|---|---|---|
| Token: SeIncBasePriorityPrivilege | 1720 | 58560834b0a0089f012ddb201e1fdc8fd6133fd681621e70052dbb063030942d.exe |
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
| description | pid | process | target process |
|---|---|---|---|
| PID 1720 wrote to memory of 1472 | 1720 | 58560834b0a0089f012ddb201e1fdc8fd6133fd681621e70052dbb063030942d.exe | MediaCenter.exe |
| PID 1720 wrote to memory of 1472 | 1720 | 58560834b0a0089f012ddb201e1fdc8fd6133fd681621e70052dbb063030942d.exe | MediaCenter.exe |
| PID 1720 wrote to memory of 1472 | 1720 | 58560834b0a0089f012ddb201e1fdc8fd6133fd681621e70052dbb063030942d.exe | MediaCenter.exe |
| PID 1720 wrote to memory of 1472 | 1720 | 58560834b0a0089f012ddb201e1fdc8fd6133fd681621e70052dbb063030942d.exe | MediaCenter.exe |
| PID 1720 wrote to memory of 1124 | 1720 | 58560834b0a0089f012ddb201e1fdc8fd6133fd681621e70052dbb063030942d.exe | cmd.exe |
| PID 1720 wrote to memory of 1124 | 1720 | 58560834b0a0089f012ddb201e1fdc8fd6133fd681621e70052dbb063030942d.exe | cmd.exe |
| PID 1720 wrote to memory of 1124 | 1720 | 58560834b0a0089f012ddb201e1fdc8fd6133fd681621e70052dbb063030942d.exe | cmd.exe |
| PID 1720 wrote to memory of 1124 | 1720 | 58560834b0a0089f012ddb201e1fdc8fd6133fd681621e70052dbb063030942d.exe | cmd.exe |
| PID 1124 wrote to memory of 660 | 1124 | cmd.exe | PING.EXE |
| PID 1124 wrote to memory of 660 | 1124 | cmd.exe | PING.EXE |
| PID 1124 wrote to memory of 660 | 1124 | cmd.exe | PING.EXE |
| PID 1124 wrote to memory of 660 | 1124 | cmd.exe | PING.EXE |
Processes
1. C:\Users\Admin\AppData\Local\Temp\58560834b0a0089f012ddb201e1fdc8fd6133fd681621e70052dbb063030942d.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\58560834b0a0089f012ddb201e1fdc8fd6133fd681621e70052dbb063030942d.exe"
   PID: 1720
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      PID: 1472
      - Executes dropped EXE
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\58560834b0a0089f012ddb201e1fdc8fd6133fd681621e70052dbb063030942d.exe"
      PID: 1124
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\PING.EXE
         Command line: ping 127.0.0.1
         PID: 660
         - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 3d777123cdbf5ee999c4ab7cd6d5c6fd
  SHA1: 54c6f1aa5a7fc666bff43496491e08df38054a36
  SHA256: 9d130e94d106036fe2aa2bf1e42fe10a166da8528211a39af5a1bb4bc4faccae
  SHA512: bbf6ccbea0eecb84784cd1a71ecf4aebc491d08dbd361145572cdfec396460c5ef3037f06d6e79829f584e29e01bf84183c8fc8418b7a4aaebcfd569a479e9cf