Analysis
- max time kernel: 147s
- max time network: 154s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 22-01-2022 00:50
Static task: static1
Behavioral task: behavioral1
  Sample: 29fce7d6b08acaf601c149c254fa3184556ff544bb20c90b9664ebdf85cc3a6d.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 29fce7d6b08acaf601c149c254fa3184556ff544bb20c90b9664ebdf85cc3a6d.exe
  Resource: win10-en-20211208
General
- Target: 29fce7d6b08acaf601c149c254fa3184556ff544bb20c90b9664ebdf85cc3a6d.exe
- Size: 89KB
- MD5: bc74a557e91597d8b37ed357c367643e
- SHA1: 0f7ccd39a0c4c5846da1dc5330c918316c917da8
- SHA256: 29fce7d6b08acaf601c149c254fa3184556ff544bb20c90b9664ebdf85cc3a6d
- SHA512: 88f9d398a7a806bde6be8bfd743848b7d72ed28c39f969f7e594358a602c707a2e1dc0d3691af58c7d379f26745973cb3320bc46c24d2110115e4448219cb89e
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  Processes (resource / yara_rule):
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe / family_sakula
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe / family_sakula
- suricata: ET MALWARE SUSPICIOUS UA (iexplore)
- suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
- Executes dropped EXE (1 IoC)
  Processes (pid / process):
    1284 / MediaCenter.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description / ioc / process):
    Set value (str) / \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" / 29fce7d6b08acaf601c149c254fa3184556ff544bb20c90b9664ebdf85cc3a6d.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description / pid / process):
    Token: SeIncBasePriorityPrivilege / 2708 / 29fce7d6b08acaf601c149c254fa3184556ff544bb20c90b9664ebdf85cc3a6d.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (description / pid / process / target process):
    PID 2708 wrote to memory of 1284 / 2708 / 29fce7d6b08acaf601c149c254fa3184556ff544bb20c90b9664ebdf85cc3a6d.exe / MediaCenter.exe
    PID 2708 wrote to memory of 1284 / 2708 / 29fce7d6b08acaf601c149c254fa3184556ff544bb20c90b9664ebdf85cc3a6d.exe / MediaCenter.exe
    PID 2708 wrote to memory of 1284 / 2708 / 29fce7d6b08acaf601c149c254fa3184556ff544bb20c90b9664ebdf85cc3a6d.exe / MediaCenter.exe
    PID 2708 wrote to memory of 496 / 2708 / 29fce7d6b08acaf601c149c254fa3184556ff544bb20c90b9664ebdf85cc3a6d.exe / cmd.exe
    PID 2708 wrote to memory of 496 / 2708 / 29fce7d6b08acaf601c149c254fa3184556ff544bb20c90b9664ebdf85cc3a6d.exe / cmd.exe
    PID 2708 wrote to memory of 496 / 2708 / 29fce7d6b08acaf601c149c254fa3184556ff544bb20c90b9664ebdf85cc3a6d.exe / cmd.exe
    PID 496 wrote to memory of 1724 / 496 / cmd.exe / PING.EXE
    PID 496 wrote to memory of 1724 / 496 / cmd.exe / PING.EXE
    PID 496 wrote to memory of 1724 / 496 / cmd.exe / PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\29fce7d6b08acaf601c149c254fa3184556ff544bb20c90b9664ebdf85cc3a6d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\29fce7d6b08acaf601c149c254fa3184556ff544bb20c90b9664ebdf85cc3a6d.exe"
  PID: 2708
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 1284
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\29fce7d6b08acaf601c149c254fa3184556ff544bb20c90b9664ebdf85cc3a6d.exe"
    PID: 496
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 1724
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: f6b479a4b38c8af6ad2a4bf7e3d722fc
  SHA1: fe46148e55a135074a63bdf32cfbc89e2bc072c8
  SHA256: 5721944e9965526376df159e32cc3f4c55c7788de2ea28986176d115278c0cba
  SHA512: 042c7820a3f717fcb4d624ce3154fde1073edb27d30991bea172856794faa42aa241c4072a262a4d657d51bc7cb1b46fe591fa39d2d039d54d275f13f2ff4e8e