Analysis
- max time kernel: 159s
- max time network: 160s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 30-01-2022 22:36
Static task: static1
Behavioral task: behavioral1
- Sample: 8f06f8a601b7cae793c0ce06739742e2a1fdbba3e956e95739faeb7a87ef7dce.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 8f06f8a601b7cae793c0ce06739742e2a1fdbba3e956e95739faeb7a87ef7dce.exe
- Resource: win10-en-20211208
General
- Target: 8f06f8a601b7cae793c0ce06739742e2a1fdbba3e956e95739faeb7a87ef7dce.exe
- Size: 89KB
- MD5: 127cd711193603b4725094dac1bd26f6
- SHA1: 255ebd7c7276d9b9e9e7cc3119afe66696a8a0ea
- SHA256: 8f06f8a601b7cae793c0ce06739742e2a1fdbba3e956e95739faeb7a87ef7dce
- SHA512: f71adfeba536d70edd8b76ee60a5639b9b5f9b3251a51a762154226fce7deabd65cc813d01b1428eedfcc122b0630dd6b91f503904697806b2b2ea84d1db5479
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- suricata: ET MALWARE SUSPICIOUS UA (iexplore)
- suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
- Executes dropped EXE (1 IoC)
  pid | process
  388 | MediaCenter.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  process | description | ioc
  8f06f8a601b7cae793c0ce06739742e2a1fdbba3e956e95739faeb7a87ef7dce.exe | Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  The sample is a 32-bit process (it spawns C:\Windows\SysWOW64\cmd.exe), so its write to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run is redirected by WOW64 to the WOW6432Node view on this x64 host. Both views are processed at logon, so check both when hunting for this persistence entry.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature reads "Likely ransomware behaviour"; that does not apply here, since the YARA and Suricata hits on this page classify the payload as the Sakula/Mivast RAT.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  process | pid | token
  8f06f8a601b7cae793c0ce06739742e2a1fdbba3e956e95739faeb7a87ef7dce.exe | 3104 | SeIncBasePriorityPrivilege
- Suspicious use of WriteProcessMemory (9 IoCs)
  source pid | source process | target pid | target process | writes
  3104 | 8f06f8a601b7cae793c0ce06739742e2a1fdbba3e956e95739faeb7a87ef7dce.exe | 388 | MediaCenter.exe | 3
  3104 | 8f06f8a601b7cae793c0ce06739742e2a1fdbba3e956e95739faeb7a87ef7dce.exe | 1868 | cmd.exe | 3
  1868 | cmd.exe | 3420 | PING.EXE | 3
  Every target is a direct child that the writing process itself launched, so these entries are consistent with normal process creation rather than injection into an unrelated process.
Processes
- "C:\Users\Admin\AppData\Local\Temp\8f06f8a601b7cae793c0ce06739742e2a1fdbba3e956e95739faeb7a87ef7dce.exe"  (PID 3104)
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  (PID 388, child of 3104)
    - Executes dropped EXE
  - "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\8f06f8a601b7cae793c0ce06739742e2a1fdbba3e956e95739faeb7a87ef7dce.exe"  (PID 1868, child of 3104; image on disk: C:\Windows\SysWOW64\cmd.exe)
    - Suspicious use of WriteProcessMemory
    - ping 127.0.0.1  (PID 3420, child of 1868; image: C:\Windows\SysWOW64\PING.EXE)
      - Runs ping.exe

The cmd.exe line is the sample's self-delete: ping 127.0.0.1 stalls long enough for the parent (PID 3104) to exit and release its file lock, then del /q removes the original executable from %TEMP%, leaving only the dropped MediaCenter.exe that the Run key starts. The command line names System32\cmd.exe, but the image that actually ran is SysWOW64\cmd.exe because the 32-bit parent is subject to WOW64 file-system redirection.
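The two host-side behaviours in the process tree above (the ping-then-del self-delete and the Run key pointing into %TEMP%) are easy to express as detection logic over process-creation and registry-set events. The following is an added example, not code from the sandbox or from the malware; the event records are constructed to mirror the PIDs, paths and registry IoC on this page, the parent PID of the sample and the benign look-alike events are invented, and the field names are an assumed simplified schema rather than the output of any particular EDR or Sysmon configuration.

```python
"""
Detection logic for (1) self-deletion via `cmd /c ping 127.0.0.1 & del /q "<own path>"`
and (2) a Run/RunOnce persistence value pointing into a user-writable directory.

Added example; the sample events are CONSTRUCTED from the process tree and
registry IoC in the report. Field names are an assumed simplified schema.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:          # roughly a Sysmon event ID 1 record
    pid: int
    image: str
    command_line: str
    parent_pid: int
    parent_image: str


@dataclass
class RegistryEvent:         # roughly a Sysmon event ID 13 (value set) record
    pid: int
    image: str
    key: str
    value_name: str
    data: str


# Directories an unprivileged user can write to; a Run entry pointing here is
# far more suspicious than one under Program Files.
USER_WRITABLE = re.compile(
    r"\\(appdata\\local\\temp|appdata\\roaming|programdata|users\\public)\\", re.I)
# Run / RunOnce under either the native or the WOW6432Node view (HKLM or HKCU).
RUN_KEY = re.compile(
    r"\\software\\(wow6432node\\)?microsoft\\windows\\currentversion\\run(once)?(\\|$)", re.I)
# A delay (ping to loopback, or timeout) that precedes the delete.
DELAY_CMD = re.compile(
    r"\b(ping\s+(-n\s+\d+\s+)?(127\.0\.0\.1|localhost)|timeout\s+/t\s+\d+)", re.I)
# `del [/switches] "path"` up to the next `&` or end of line.
DEL_CMD = re.compile(r"\bdel\b(?:\s+/[a-z])*\s+\"?([^\"&]+?)\"?\s*(?:&|$)", re.I)


def norm(path: str) -> str:
    """Case-fold and strip quotes so command-line paths compare to image paths."""
    return path.strip().strip('"').lower()


def find_self_delete(events):
    """(cmd_pid, parent_pid, deleted_path) for each cmd.exe that delays and then
    deletes its own parent's image, i.e. the parent erasing itself from disk."""
    hits = []
    for e in events:
        if not e.image.lower().endswith("\\cmd.exe"):
            continue
        if not DELAY_CMD.search(e.command_line):
            continue
        for m in DEL_CMD.finditer(e.command_line):
            if norm(m.group(1)) == norm(e.parent_image):
                hits.append((e.pid, e.parent_pid, norm(m.group(1))))
    return hits


def find_run_key_persistence(events):
    """(pid, value_name, target) for each Run/RunOnce value whose data points
    into a user-writable directory."""
    return [(e.pid, e.value_name, norm(e.data))
            for e in events
            if RUN_KEY.search(e.key) and USER_WRITABLE.search(e.data)]


def analyze(processes, registry):
    return {
        "self_delete": find_self_delete(processes),
        "run_key_persistence": find_run_key_persistence(registry),
    }


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\8f06f8a601b7cae793c0ce06739742e2a1fdbba3e956e95739faeb7a87ef7dce.exe"
DROP = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

SAMPLE_PROCESSES = [  # constructed; parent PID 1234 for the sample is invented
    ProcessEvent(3104, SAMPLE, f'"{SAMPLE}"', 1234, r"C:\Windows\explorer.exe"),
    ProcessEvent(388, DROP, DROP, 3104, SAMPLE),
    ProcessEvent(1868, r"C:\Windows\SysWOW64\cmd.exe",
                 f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"',
                 3104, SAMPLE),
    ProcessEvent(3420, r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.1",
                 1868, r"C:\Windows\SysWOW64\cmd.exe"),
    # invented benign look-alike: an installer deleting a log file, not itself
    ProcessEvent(4000, r"C:\Windows\System32\cmd.exe",
                 r'cmd /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\setup.log"',
                 3999, r"C:\Program Files\Vendor\setup.exe"),
]

SAMPLE_REGISTRY = [  # first record mirrors the report's IoC; second is an invented benign entry
    RegistryEvent(3104, SAMPLE,
                  r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run",
                  "MicroMedia", DROP),
    RegistryEvent(5000, r"C:\Windows\System32\msiexec.exe",
                  r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
                  "VendorUpdater", r"C:\Program Files\Vendor\updater.exe"),
]

if __name__ == "__main__":
    for name, hits in analyze(SAMPLE_PROCESSES, SAMPLE_REGISTRY).items():
        print(name, hits)
```

The self-delete rule keys on the relationship between the deleted path and the parent's image rather than on the ping string alone, which is why the installer cleaning up a log file in the same directory does not fire. The Run-key rule matches both registry views, so the WOW6432Node redirection seen on this host does not hide the entry.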
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: bca812ab9e40c0c10f3d6a985b275c89
- SHA1: e3538b8b91f18239fe3cb41f2e6392fd33ce61ab
- SHA256: 958008119d51958c09da452dc4fcf915eedfd6afaa5d4bfafc8ee68c65f55f0d
- SHA512: eb511b53263d7bb803fb535bbc88360df3efca61ae2ddb54e6c1c0032155039632666b9d57daf748ec9548fb9323a109041657987e42c0508d04812db25d6683