Analysis
max time kernel: 192s
max time network: 212s
platform: windows10_x64
resource: win10-en-20211208
submitted: 22-01-2022 00:00
Static task: static1
Behavioral task: behavioral1
  Sample: a087f8ae228817bdeeabb843bcd680dcf2c3c90f24405f35e0f7de358e9f9182.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: a087f8ae228817bdeeabb843bcd680dcf2c3c90f24405f35e0f7de358e9f9182.exe
  Resource: win10-en-20211208
General
Target: a087f8ae228817bdeeabb843bcd680dcf2c3c90f24405f35e0f7de358e9f9182.exe
Size: 89KB
MD5: f4862b793f89b9ca59da6ac38dff0e2d
SHA1: f5cee3ad917b2d19e507387c912b577e2ba036db
SHA256: a087f8ae228817bdeeabb843bcd680dcf2c3c90f24405f35e0f7de358e9f9182
SHA512: f19a5e955748158d7627a94dd7373e25a1dd674c5453d480238b3c883367349ac6eda088c35806fa4c0adca8489b5467cb990b40d129279ddd5caf099cb78222
Malware Config
Signatures
Sakula Payload (2 IoCs)
Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
suricata: ET MALWARE SUSPICIOUS UA (iexplore)
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
Executes dropped EXE (1 IoCs)
Processes:
  pid | process
  2228 | MediaCenter.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | a087f8ae228817bdeeabb843bcd680dcf2c3c90f24405f35e0f7de358e9f9182.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTPs, 1 IoCs)
Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes:
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 756 | a087f8ae228817bdeeabb843bcd680dcf2c3c90f24405f35e0f7de358e9f9182.exe
Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
  description | pid | process | target process
  PID 756 wrote to memory of 2228 | 756 | a087f8ae228817bdeeabb843bcd680dcf2c3c90f24405f35e0f7de358e9f9182.exe | MediaCenter.exe
  PID 756 wrote to memory of 2228 | 756 | a087f8ae228817bdeeabb843bcd680dcf2c3c90f24405f35e0f7de358e9f9182.exe | MediaCenter.exe
  PID 756 wrote to memory of 2228 | 756 | a087f8ae228817bdeeabb843bcd680dcf2c3c90f24405f35e0f7de358e9f9182.exe | MediaCenter.exe
  PID 756 wrote to memory of 3700 | 756 | a087f8ae228817bdeeabb843bcd680dcf2c3c90f24405f35e0f7de358e9f9182.exe | cmd.exe
  PID 756 wrote to memory of 3700 | 756 | a087f8ae228817bdeeabb843bcd680dcf2c3c90f24405f35e0f7de358e9f9182.exe | cmd.exe
  PID 756 wrote to memory of 3700 | 756 | a087f8ae228817bdeeabb843bcd680dcf2c3c90f24405f35e0f7de358e9f9182.exe | cmd.exe
  PID 3700 wrote to memory of 912 | 3700 | cmd.exe | PING.EXE
  PID 3700 wrote to memory of 912 | 3700 | cmd.exe | PING.EXE
  PID 3700 wrote to memory of 912 | 3700 | cmd.exe | PING.EXE
Processes
C:\Users\Admin\AppData\Local\Temp\a087f8ae228817bdeeabb843bcd680dcf2c3c90f24405f35e0f7de358e9f9182.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\a087f8ae228817bdeeabb843bcd680dcf2c3c90f24405f35e0f7de358e9f9182.exe"
  PID: 756
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 2228
    - Executes dropped EXE
  C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\a087f8ae228817bdeeabb843bcd680dcf2c3c90f24405f35e0f7de358e9f9182.exe"
    PID: 3700
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\PING.EXE
      command line: ping 127.0.0.1
      PID: 912
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: 605747480275eb14ea16fd7addea209e
SHA1: 333d407f55e8b4cd8813abdd045b5f60c9add49d
SHA256: 3f3606f71b0ea39297d95c26869ed6567c152d6e8ade08af0eec8ccde033502a
SHA512: d77733681aff94a71b067aa37e9a9cef601d9ab48c95efc848b8997bd6647005e198d2b8de19150a266f91b231bc02c3b91b51cb410523856a86e0a0af6893e0