Analysis
- max time kernel: 149s
- max time network: 167s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 21-01-2022 23:56
Static task: static1
Behavioral task: behavioral1
- Sample: 58560834b0a0089f012ddb201e1fdc8fd6133fd681621e70052dbb063030942d.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 58560834b0a0089f012ddb201e1fdc8fd6133fd681621e70052dbb063030942d.exe
- Resource: win10-en-20211208
General
- Target: 58560834b0a0089f012ddb201e1fdc8fd6133fd681621e70052dbb063030942d.exe
- Size: 89KB
- MD5: f8dbcfe4f826aa27724ccfd6b080b26d
- SHA1: 24efba130f37ce6f5bdd9da13c12941422d9f3b0
- SHA256: 58560834b0a0089f012ddb201e1fdc8fd6133fd681621e70052dbb063030942d
- SHA512: 26348520fbe4cd73ec95fe52886f51bbb89dac20ab7895fa3180e6fc15e616ec973d7fc23d315ba8e134fe7921e23a33d104071e8401df5858d4a3d991558632
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- suricata: ET MALWARE SUSPICIOUS UA (iexplore)
- suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
- Executes dropped EXE (1 IoC)
  Processes: MediaCenter.exe
  pid | process
  2172 | MediaCenter.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: 58560834b0a0089f012ddb201e1fdc8fd6133fd681621e70052dbb063030942d.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 58560834b0a0089f012ddb201e1fdc8fd6133fd681621e70052dbb063030942d.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: 58560834b0a0089f012ddb201e1fdc8fd6133fd681621e70052dbb063030942d.exe
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 4016 | 58560834b0a0089f012ddb201e1fdc8fd6133fd681621e70052dbb063030942d.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: 58560834b0a0089f012ddb201e1fdc8fd6133fd681621e70052dbb063030942d.exe, cmd.exe
  description | pid | process | target process
  PID 4016 wrote to memory of 2172 | 4016 | 58560834b0a0089f012ddb201e1fdc8fd6133fd681621e70052dbb063030942d.exe | MediaCenter.exe
  PID 4016 wrote to memory of 2172 | 4016 | 58560834b0a0089f012ddb201e1fdc8fd6133fd681621e70052dbb063030942d.exe | MediaCenter.exe
  PID 4016 wrote to memory of 2172 | 4016 | 58560834b0a0089f012ddb201e1fdc8fd6133fd681621e70052dbb063030942d.exe | MediaCenter.exe
  PID 4016 wrote to memory of 3312 | 4016 | 58560834b0a0089f012ddb201e1fdc8fd6133fd681621e70052dbb063030942d.exe | cmd.exe
  PID 4016 wrote to memory of 3312 | 4016 | 58560834b0a0089f012ddb201e1fdc8fd6133fd681621e70052dbb063030942d.exe | cmd.exe
  PID 4016 wrote to memory of 3312 | 4016 | 58560834b0a0089f012ddb201e1fdc8fd6133fd681621e70052dbb063030942d.exe | cmd.exe
  PID 3312 wrote to memory of 776 | 3312 | cmd.exe | PING.EXE
  PID 3312 wrote to memory of 776 | 3312 | cmd.exe | PING.EXE
  PID 3312 wrote to memory of 776 | 3312 | cmd.exe | PING.EXE
Processes
- [depth 1] C:\Users\Admin\AppData\Local\Temp\58560834b0a0089f012ddb201e1fdc8fd6133fd681621e70052dbb063030942d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\58560834b0a0089f012ddb201e1fdc8fd6133fd681621e70052dbb063030942d.exe"
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 4016
  - [depth 2] C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 2172
  - [depth 2] C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\58560834b0a0089f012ddb201e1fdc8fd6133fd681621e70052dbb063030942d.exe"
    - Suspicious use of WriteProcessMemory
    PID: 3312
    - [depth 3] C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 776
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 27610b902c622b6589c62bbc002bcdc5
  SHA1: 883f1fc558db6d5d151669fece6033b67fc92d1c
  SHA256: 2cbd4692cdf53e8f7e26ae902e331c5c952ec6082c1a6220cd178ab701c11bc8
  SHA512: 6474c1527a9afb59405e7a58f0772c60f463ec01b0adf22d4b3433f4bc2df7664a0fd784d5a1bd18d196980e53bc4b03f401f99309ce2abc92071cc56a40a71e