Analysis
max time kernel: 140s
max time network: 151s
platform: windows7_x64
resource: win7-en-20211208
submitted: 22-01-2022 00:57
Static task: static1
Behavioral task: behavioral1
  Sample: ccf1dd2cd1f266006b2e70ab613bdd007fc03018c661f575d028443055d743b6.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: ccf1dd2cd1f266006b2e70ab613bdd007fc03018c661f575d028443055d743b6.exe
  Resource: win10-en-20211208
General
Target: ccf1dd2cd1f266006b2e70ab613bdd007fc03018c661f575d028443055d743b6.exe
Size: 89KB
MD5: b4e24a4edba2d2644877cfc933973228
SHA1: 2abab34395c5754383dea6cf00fa7ab4c410a6ef
SHA256: ccf1dd2cd1f266006b2e70ab613bdd007fc03018c661f575d028443055d743b6
SHA512: 3da7a0646f975c0e6c968ae888cd7b5bad2f7d4dafbd35c14a4b939e8801fa45cb6585838d80429d3fed6fd31161cd64d3b0159aefa32d39a5a4bb3931244a32
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  Processes (resource -> yara_rule):
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe -> family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe -> family_sakula
- suricata: ET MALWARE SUSPICIOUS UA (iexplore)
- suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
- Executes dropped EXE (1 IoC)
  Processes (pid, process): 1628 MediaCenter.exe
- Deletes itself (1 IoC)
  Processes (pid, process): 1972 cmd.exe
- Loads dropped DLL (1 IoC)
  Processes (pid, process): 1212 ccf1dd2cd1f266006b2e70ab613bdd007fc03018c661f575d028443055d743b6.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description, ioc, process):
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" by ccf1dd2cd1f266006b2e70ab613bdd007fc03018c661f575d028443055d743b6.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description, pid, process): Token: SeIncBasePriorityPrivilege, 1212, ccf1dd2cd1f266006b2e70ab613bdd007fc03018c661f575d028443055d743b6.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description, pid, process -> target process):
  PID 1212 wrote to memory of 1628: ccf1dd2cd1f266006b2e70ab613bdd007fc03018c661f575d028443055d743b6.exe -> MediaCenter.exe (4 events)
  PID 1212 wrote to memory of 1972: ccf1dd2cd1f266006b2e70ab613bdd007fc03018c661f575d028443055d743b6.exe -> cmd.exe (4 events)
  PID 1972 wrote to memory of 1044: cmd.exe -> PING.EXE (4 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\ccf1dd2cd1f266006b2e70ab613bdd007fc03018c661f575d028443055d743b6.exe (PID 1212)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ccf1dd2cd1f266006b2e70ab613bdd007fc03018c661f575d028443055d743b6.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 1628)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 1972)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\ccf1dd2cd1f266006b2e70ab613bdd007fc03018c661f575d028443055d743b6.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 1044)
      Command line: ping 127.0.0.1
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: e47fdccc7f68b4aa781e74be49ffe23d
  SHA1: 4062762ff2fe0ba706e17f5af3f56894ce1a04ee
  SHA256: 68c8e2883539d583aaf6a2d943b9f49f63434e227194d91c99c10c11e3313942
  SHA512: 7abb1c885cf26aab3c090ebd5cbdaf4abeef09c313fe8d73fedbe0e6dadcf970e6b249c7c0ab01deb80f909e9faaa2bcad284ea2041b84d4cde87a6955500a6d