Analysis
max time kernel: 153s
max time network: 152s
platform: windows10_x64
resource: win10-en-20211208
submitted: 30-01-2022 13:20
Static task: static1
Behavioral task: behavioral1
  Sample: f022fd6c5c647b58cc4e31d6e19b210eeb689d84b6c5a1eacfede18952b7f264.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: f022fd6c5c647b58cc4e31d6e19b210eeb689d84b6c5a1eacfede18952b7f264.exe
  Resource: win10-en-20211208
General
Target: f022fd6c5c647b58cc4e31d6e19b210eeb689d84b6c5a1eacfede18952b7f264.exe
Size: 89KB
MD5: 8b3de46ecb113cd1ee2d9ec46527358f
SHA1: 7727b339e73930ab8ffa90e19f6cf7a9d8981e41
SHA256: f022fd6c5c647b58cc4e31d6e19b210eeb689d84b6c5a1eacfede18952b7f264
SHA512: 8e072960e7f7f4c0340cb0140219c6a2ff73c39f6fc0a75929724e494d43b17d8d4c7dc4900b55fc4ebf2b4b9551392f8a7a28ce117970a73f31cd0af09eacf5
Malware Config
Signatures
-
Sakula Payload 2 IoCs
resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  yara_rule: family_sakula
resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  yara_rule: family_sakula
suricata: ET MALWARE SUSPICIOUS UA (iexplore)
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
Executes dropped EXE 1 IoCs
pid: 3172  process: MediaCenter.exe
Adds Run key to start application 2 TTPs 1 IoCs
description: Set value (str)
ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
process: f022fd6c5c647b58cc4e31d6e19b210eeb689d84b6c5a1eacfede18952b7f264.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Note: that description is the sandbox's generic text for this signature. Nothing else in this report (YARA family_sakula on the dropped file, the Suricata Sakula/Mivast RAT CnC beacon, no file-encryption or mass-modification signatures) points to ransomware, so on its own this hit is weak evidence and should be read in the context of a RAT.
Runs ping.exe 1 TTPs 1 IoCs
PING.EXE (PID 3696), launched by cmd.exe as the delay before the self-delete; see the process tree below.
Suspicious use of AdjustPrivilegeToken 1 IoCs
pid: 2768  process: f022fd6c5c647b58cc4e31d6e19b210eeb689d84b6c5a1eacfede18952b7f264.exe  token: SeIncBasePriorityPrivilege
Suspicious use of WriteProcessMemory 9 IoCs
PID 2768 (f022fd6c5c647b58cc4e31d6e19b210eeb689d84b6c5a1eacfede18952b7f264.exe) wrote to memory of PID 3172 (MediaCenter.exe)
PID 2768 (f022fd6c5c647b58cc4e31d6e19b210eeb689d84b6c5a1eacfede18952b7f264.exe) wrote to memory of PID 3172 (MediaCenter.exe)
PID 2768 (f022fd6c5c647b58cc4e31d6e19b210eeb689d84b6c5a1eacfede18952b7f264.exe) wrote to memory of PID 3172 (MediaCenter.exe)
PID 2768 (f022fd6c5c647b58cc4e31d6e19b210eeb689d84b6c5a1eacfede18952b7f264.exe) wrote to memory of PID 3032 (cmd.exe)
PID 2768 (f022fd6c5c647b58cc4e31d6e19b210eeb689d84b6c5a1eacfede18952b7f264.exe) wrote to memory of PID 3032 (cmd.exe)
PID 2768 (f022fd6c5c647b58cc4e31d6e19b210eeb689d84b6c5a1eacfede18952b7f264.exe) wrote to memory of PID 3032 (cmd.exe)
PID 3032 (cmd.exe) wrote to memory of PID 3696 (PING.EXE)
PID 3032 (cmd.exe) wrote to memory of PID 3696 (PING.EXE)
PID 3032 (cmd.exe) wrote to memory of PID 3696 (PING.EXE)
Processes
C:\Users\Admin\AppData\Local\Temp\f022fd6c5c647b58cc4e31d6e19b210eeb689d84b6c5a1eacfede18952b7f264.exe (PID 2768)
  command line: "C:\Users\Admin\AppData\Local\Temp\f022fd6c5c647b58cc4e31d6e19b210eeb689d84b6c5a1eacfede18952b7f264.exe"
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 3172)
    command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  C:\Windows\SysWOW64\cmd.exe (PID 3032)
    command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\f022fd6c5c647b58cc4e31d6e19b210eeb689d84b6c5a1eacfede18952b7f264.exe"
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\PING.EXE (PID 3696)
      command line: ping 127.0.0.1
      - Runs ping.exe

Indentation shows parent and child. The sample (PID 2768) drops and launches MediaCenter.exe, then spawns cmd.exe to delete its own image; ping 127.0.0.1 is only a short delay so the sample has exited and released the file before del /q runs. The dropped MediaCenter.exe is what persists, through the Run key listed under Signatures. The command lines name System32 but the images resolve under SysWOW64 because the sample is 32-bit (its Run key also landed under WOW6432Node), so WoW64 file-system redirection applies.
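Detection logic for the two behaviours recorded in this report, the Run key pointing into AppData\Local\Temp and the cmd.exe /c ping 127.0.0.1 & del /q self-deletion of the parent image, as an added example that is not part of the sandbox report. It runs over constructed Sysmon-style process-creation and registry events modelled on the process tree and registry IoC above; the field names, the benign decoy events, the parent PID 1500 and the Program Files autorun are assumptions made for the example.

```python
import re

# Constructed Sysmon-style events modelled on the process tree and registry
# IoC in the report above. They are sample input, not captured telemetry.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\f022fd6c5c647b58cc4e31d6e19b210eeb689d84b6c5a1eacfede18952b7f264.exe")
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

PROC_EVENTS = [  # EventID 1 (process create): pid, parent pid, image, command line
    {"pid": 2768, "ppid": 1500, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},  # ppid 1500 assumed
    {"pid": 3172, "ppid": 2768, "image": DROPPED, "cmdline": DROPPED},
    {"pid": 3032, "ppid": 2768, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"'},
    {"pid": 3696, "ppid": 3032, "image": r"C:\Windows\SysWOW64\PING.EXE",
     "cmdline": "ping 127.0.0.1"},
    # Benign decoy (assumed): cmd deleting an unrelated file; parent is not the target.
    {"pid": 4100, "ppid": 1500, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c del /q "C:\Users\Admin\Downloads\old.log"'},
]
REG_EVENTS = [  # EventID 13 (registry value set): pid, key path, value data
    {"pid": 2768, "data": DROPPED,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia"},
    # Benign decoy (assumed): an autorun that points into Program Files.
    {"pid": 900, "data": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive"},
]

# Run/RunOnce under either the native or the WOW6432Node hive path.
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
TEMP_PATH_RE = re.compile(r"\\AppData\\Local\\Temp\\|\\Windows\\Temp\\", re.I)
# 'del [/switches] <target>' with a quoted or bare target.
DEL_RE = re.compile(r'\bdel\b(?:\s+/\w+)*\s+(?:"([^"]+)"|(\S+))', re.I)


def find_temp_run_keys(reg_events):
    """Run/RunOnce values whose data launches something from a Temp directory."""
    return [e for e in reg_events
            if RUN_KEY_RE.search(e["key"]) and TEMP_PATH_RE.search(e["data"])]


def find_self_delete_chains(proc_events):
    """cmd.exe children whose 'del' target is their own parent's image.

    The 'delayed' flag records the ping idiom: ping stalls cmd.exe until the
    parent has exited and released its file, so del /q succeeds.
    """
    by_pid = {e["pid"]: e for e in proc_events}
    hits = []
    for e in proc_events:
        if not e["image"].lower().endswith("\\cmd.exe"):
            continue
        m = DEL_RE.search(e["cmdline"])
        parent = by_pid.get(e["ppid"])
        if not m or parent is None:
            continue
        target = m.group(1) or m.group(2)
        if target.lower() != parent["image"].lower():
            continue
        hits.append({
            "cmd_pid": e["pid"],
            "deleted_pid": parent["pid"],
            "target": target,
            "delayed": bool(re.search(r"\bping\b", e["cmdline"], re.I)),
        })
    return hits


if __name__ == "__main__":
    for hit in find_temp_run_keys(REG_EVENTS):
        print(f"[persistence] pid {hit['pid']} set {hit['key']} -> {hit['data']}")
    for hit in find_self_delete_chains(PROC_EVENTS):
        print(f"[self-delete] cmd pid {hit['cmd_pid']} removes image of pid "
              f"{hit['deleted_pid']} (ping delay: {hit['delayed']})")
```

The self-delete check keys on the relationship between the del target and the parent's image rather than on the string "ping" alone, which keeps ordinary cleanup scripts (the decoy PID 4100) out of the results; the ping delay is recorded as supporting evidence, not as the trigger.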
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: ccdfc44843d71c41df01faf188450a45
SHA1: 6054feee3ec859991647e897516b80c4c9de273d
SHA256: fecf2d6124f44d22fb28654fd928da783a69d3aa88f56fc21fa091ddbe41c43d
SHA512: 0380e2173eaffaf4ca0b6f6d73a550795e2083670a4e7a9bfd07316c4c8c54e7ca0daf33a72bff8985fd9df4efeb6341c237c2603f4303b42c7155d2176a8c2b