Analysis

max time kernel: 146s
max time network: 146s
platform: windows7_x64
resource: win7-en-20211208
submitted: 30-01-2022 22:36
Static task: static1

Behavioral task: behavioral1
  Sample: 8f06f8a601b7cae793c0ce06739742e2a1fdbba3e956e95739faeb7a87ef7dce.exe
  Resource: win7-en-20211208

Behavioral task: behavioral2
  Sample: 8f06f8a601b7cae793c0ce06739742e2a1fdbba3e956e95739faeb7a87ef7dce.exe
  Resource: win10-en-20211208
General

Target: 8f06f8a601b7cae793c0ce06739742e2a1fdbba3e956e95739faeb7a87ef7dce.exe
Size: 89KB
MD5: 127cd711193603b4725094dac1bd26f6
SHA1: 255ebd7c7276d9b9e9e7cc3119afe66696a8a0ea
SHA256: 8f06f8a601b7cae793c0ce06739742e2a1fdbba3e956e95739faeb7a87ef7dce
SHA512: f71adfeba536d70edd8b76ee60a5639b9b5f9b3251a51a762154226fce7deabd65cc813d01b1428eedfcc122b0630dd6b91f503904697806b2b2ea84d1db5479
Malware Config
Signatures

Sakula Payload (2 IoCs)
resource | yara_rule
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
suricata: ET MALWARE SUSPICIOUS UA (iexplore)

suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
Executes dropped EXE (1 IoC)
pid | process
460 | MediaCenter.exe

Deletes itself (1 IoC)
pid | process
1196 | cmd.exe

Loads dropped DLL (1 IoC)
pid | process
1100 | 8f06f8a601b7cae793c0ce06739742e2a1fdbba3e956e95739faeb7a87ef7dce.exe

Adds Run key to start application (2 TTPs, 1 IoC)
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 8f06f8a601b7cae793c0ce06739742e2a1fdbba3e956e95739faeb7a87ef7dce.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTP, 1 IoC)

Suspicious use of AdjustPrivilegeToken (1 IoC)
description | pid | process
Token: SeIncBasePriorityPrivilege | 1100 | 8f06f8a601b7cae793c0ce06739742e2a1fdbba3e956e95739faeb7a87ef7dce.exe

Suspicious use of WriteProcessMemory (12 IoCs)
description | pid | process | target process
PID 1100 wrote to memory of 460 | 1100 | 8f06f8a601b7cae793c0ce06739742e2a1fdbba3e956e95739faeb7a87ef7dce.exe | MediaCenter.exe
PID 1100 wrote to memory of 460 | 1100 | 8f06f8a601b7cae793c0ce06739742e2a1fdbba3e956e95739faeb7a87ef7dce.exe | MediaCenter.exe
PID 1100 wrote to memory of 460 | 1100 | 8f06f8a601b7cae793c0ce06739742e2a1fdbba3e956e95739faeb7a87ef7dce.exe | MediaCenter.exe
PID 1100 wrote to memory of 460 | 1100 | 8f06f8a601b7cae793c0ce06739742e2a1fdbba3e956e95739faeb7a87ef7dce.exe | MediaCenter.exe
PID 1100 wrote to memory of 1196 | 1100 | 8f06f8a601b7cae793c0ce06739742e2a1fdbba3e956e95739faeb7a87ef7dce.exe | cmd.exe
PID 1100 wrote to memory of 1196 | 1100 | 8f06f8a601b7cae793c0ce06739742e2a1fdbba3e956e95739faeb7a87ef7dce.exe | cmd.exe
PID 1100 wrote to memory of 1196 | 1100 | 8f06f8a601b7cae793c0ce06739742e2a1fdbba3e956e95739faeb7a87ef7dce.exe | cmd.exe
PID 1100 wrote to memory of 1196 | 1100 | 8f06f8a601b7cae793c0ce06739742e2a1fdbba3e956e95739faeb7a87ef7dce.exe | cmd.exe
PID 1196 wrote to memory of 652 | 1196 | cmd.exe | PING.EXE
PID 1196 wrote to memory of 652 | 1196 | cmd.exe | PING.EXE
PID 1196 wrote to memory of 652 | 1196 | cmd.exe | PING.EXE
PID 1196 wrote to memory of 652 | 1196 | cmd.exe | PING.EXE
Processes

C:\Users\Admin\AppData\Local\Temp\8f06f8a601b7cae793c0ce06739742e2a1fdbba3e956e95739faeb7a87ef7dce.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8f06f8a601b7cae793c0ce06739742e2a1fdbba3e956e95739faeb7a87ef7dce.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1100

  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 460

  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\8f06f8a601b7cae793c0ce06739742e2a1fdbba3e956e95739faeb7a87ef7dce.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1196

    C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 652
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: 007845138c068f1232b905a48f88c344
SHA1: 9f9519e2e7cad143df26ca0de2111daad35e34b6
SHA256: 90494ff75bd6a1a73f007cc08ebd061552fb2b25d1460d8dbe63cf686d632d8d
SHA512: ca7eb86d954ea6bfc2488d43dffafea3c6a8008b457897f8303ac860541e012f1202061cc3ec4f732e562fb2f066390fcb0054afbdd082969748b21fa2541db8

MD5: 007845138c068f1232b905a48f88c344
SHA1: 9f9519e2e7cad143df26ca0de2111daad35e34b6
SHA256: 90494ff75bd6a1a73f007cc08ebd061552fb2b25d1460d8dbe63cf686d632d8d
SHA512: ca7eb86d954ea6bfc2488d43dffafea3c6a8008b457897f8303ac860541e012f1202061cc3ec4f732e562fb2f066390fcb0054afbdd082969748b21fa2541db8