Analysis
- max time kernel: 142s
- max time network: 152s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 30-01-2022 13:20
Static task: static1
Behavioral task: behavioral1
  Sample: f022fd6c5c647b58cc4e31d6e19b210eeb689d84b6c5a1eacfede18952b7f264.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: f022fd6c5c647b58cc4e31d6e19b210eeb689d84b6c5a1eacfede18952b7f264.exe
  Resource: win10-en-20211208
General
- Target: f022fd6c5c647b58cc4e31d6e19b210eeb689d84b6c5a1eacfede18952b7f264.exe
- Size: 89KB
- MD5: 8b3de46ecb113cd1ee2d9ec46527358f
- SHA1: 7727b339e73930ab8ffa90e19f6cf7a9d8981e41
- SHA256: f022fd6c5c647b58cc4e31d6e19b210eeb689d84b6c5a1eacfede18952b7f264
- SHA512: 8e072960e7f7f4c0340cb0140219c6a2ff73c39f6fc0a75929724e494d43b17d8d4c7dc4900b55fc4ebf2b4b9551392f8a7a28ce117970a73f31cd0af09eacf5
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  Processes (resource / yara_rule):
    \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe / family_sakula
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe / family_sakula
- suricata: ET MALWARE SUSPICIOUS UA (iexplore)
- suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
- Executes dropped EXE (1 IoC)
  Processes: MediaCenter.exe
    pid 320, process MediaCenter.exe
- Deletes itself (1 IoC)
  Processes: cmd.exe
    pid 1624, process cmd.exe
- Loads dropped DLL (1 IoC)
  Processes: f022fd6c5c647b58cc4e31d6e19b210eeb689d84b6c5a1eacfede18952b7f264.exe
    pid 1676, process f022fd6c5c647b58cc4e31d6e19b210eeb689d84b6c5a1eacfede18952b7f264.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: f022fd6c5c647b58cc4e31d6e19b210eeb689d84b6c5a1eacfede18952b7f264.exe
    description: Set value (str)
    ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
    process: f022fd6c5c647b58cc4e31d6e19b210eeb689d84b6c5a1eacfede18952b7f264.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: f022fd6c5c647b58cc4e31d6e19b210eeb689d84b6c5a1eacfede18952b7f264.exe
    description: Token: SeIncBasePriorityPrivilege
    pid 1676, process f022fd6c5c647b58cc4e31d6e19b210eeb689d84b6c5a1eacfede18952b7f264.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes: f022fd6c5c647b58cc4e31d6e19b210eeb689d84b6c5a1eacfede18952b7f264.exe, cmd.exe
  (description / pid / process / target process; each entry reported 4 times)
    PID 1676 wrote to memory of 320 / 1676 / f022fd6c5c647b58cc4e31d6e19b210eeb689d84b6c5a1eacfede18952b7f264.exe / MediaCenter.exe (x4)
    PID 1676 wrote to memory of 1624 / 1676 / f022fd6c5c647b58cc4e31d6e19b210eeb689d84b6c5a1eacfede18952b7f264.exe / cmd.exe (x4)
    PID 1624 wrote to memory of 1268 / 1624 / cmd.exe / PING.EXE (x4)
Processes
- C:\Users\Admin\AppData\Local\Temp\f022fd6c5c647b58cc4e31d6e19b210eeb689d84b6c5a1eacfede18952b7f264.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f022fd6c5c647b58cc4e31d6e19b210eeb689d84b6c5a1eacfede18952b7f264.exe"
  Level 1, PID: 1676
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Level 2, PID: 320
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\f022fd6c5c647b58cc4e31d6e19b210eeb689d84b6c5a1eacfede18952b7f264.exe"
    Level 2, PID: 1624
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      Level 3, PID: 1268
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 06e3a318f2ace72132733604e6eab458
  SHA1: bdb8803353e4b73dedf7531b9b16eef8bfc26baf
  SHA256: e57b48c581e49d597bf4f99ce7c40188c3f84dd39ee0d1fcd6bed40275251359
  SHA512: f69d1438ff0240d04e0b6a8fef212b21b719c56cfde8d3cb409acf8bf4590e7bdbfc13fc3db481f346b78dc3814b0f7e77217ad7afd5a11261759a9b205d261f