Analysis
- max time kernel: 158s
- max time network: 167s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 30-01-2022 14:03
Static task: static1
Behavioral task: behavioral1
- Sample: 121c223861d712f506d88d5a54a3588c65bec5e4b82b4d3435bb73008a287074.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 121c223861d712f506d88d5a54a3588c65bec5e4b82b4d3435bb73008a287074.exe
- Resource: win10-en-20211208
General
- Target: 121c223861d712f506d88d5a54a3588c65bec5e4b82b4d3435bb73008a287074.exe
- Size: 89KB
- MD5: 7ee7a9446d7cf886223274d809d375d6
- SHA1: 17dc2bae830c49cf8ab2c24dedc38f78c7b8a430
- SHA256: 121c223861d712f506d88d5a54a3588c65bec5e4b82b4d3435bb73008a287074
- SHA512: c4e23aa07240675d6bd023863bc6a4d91ee9c9e4e64136db957b8803fde44ffb86b9f6b02db4f2c2f9edb153340d57d1b281331e53418f901fb77919facc2ad9
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  yara_rule: family_sakula
  resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  yara_rule: family_sakula
- suricata: ET MALWARE SUSPICIOUS UA (iexplore)
- suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
- Executes dropped EXE (1 IoC)
  pid: 708  process: MediaCenter.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  process: 121c223861d712f506d88d5a54a3588c65bec5e4b82b4d3435bb73008a287074.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's stock text for this signature adds "likely ransomware behaviour"; on this sample the YARA and Suricata hits above identify the payload as Sakula/Mivast, a RAT, so the ransomware wording is the signature's generic description and not a finding about this file.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description: Token: SeIncBasePriorityPrivilege  pid: 3492  process: 121c223861d712f506d88d5a54a3588c65bec5e4b82b4d3435bb73008a287074.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  pid 3492 (121c223861d712f506d88d5a54a3588c65bec5e4b82b4d3435bb73008a287074.exe) wrote to memory of pid 708 (MediaCenter.exe): 3 events
  pid 3492 (121c223861d712f506d88d5a54a3588c65bec5e4b82b4d3435bb73008a287074.exe) wrote to memory of pid 872 (cmd.exe): 3 events
  pid 872 (cmd.exe) wrote to memory of pid 776 (PING.EXE): 3 events
Processes
1. C:\Users\Admin\AppData\Local\Temp\121c223861d712f506d88d5a54a3588c65bec5e4b82b4d3435bb73008a287074.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\121c223861d712f506d88d5a54a3588c65bec5e4b82b4d3435bb73008a287074.exe"
   PID: 3492
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      PID: 708
      - Executes dropped EXE
   2. C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\121c223861d712f506d88d5a54a3588c65bec5e4b82b4d3435bb73008a287074.exe"
      PID: 872
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\PING.EXE
         command line: ping 127.0.0.1
         PID: 776
         - Runs ping.exe

Note: the cmd.exe and PING.EXE images resolve under SysWOW64 although the command line names System32, and the Run value lands under WOW6432Node. Both are file-system and registry redirection effects, so the sample is a 32-bit executable running under WOW64. The "ping 127.0.0.1 & del /q <own path>" child is the usual self-deletion idiom: ping supplies the delay that lets the parent exit before its file is unlinked.
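The two behaviours in this tree that are worth alerting on regardless of the YARA family match are the Run value pointing into the user's Temp directory and the cmd.exe child whose del target is its own parent's image. The following Python is an added example, not part of the sandbox report, that correlates Sysmon-style process and registry events constructed from the tree above. The event dict layout (pid/ppid/image/cmdline, pid/key/data) and the ppid of the root process are assumptions made for the example.

```python
import re

# Constructed Sysmon-style events, built from the process tree and registry
# write shown in this report. The dict layout (pid/ppid/image/cmdline for
# process creation, pid/key/data for registry value sets) is an assumption
# for this example, not the sandbox's export format.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\121c223861d712f506d88d5a54a3588c65bec5e4b82b4d3435bb73008a287074.exe")
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

PROCESS_EVENTS = [
    {"pid": 3492, "ppid": 1, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},  # ppid assumed
    {"pid": 708, "ppid": 3492, "image": DROPPED, "cmdline": DROPPED},
    {"pid": 872, "ppid": 3492, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": rf'"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"'},
    {"pid": 776, "ppid": 872, "image": r"C:\Windows\SysWOW64\PING.EXE",
     "cmdline": "ping 127.0.0.1"},
]

REGISTRY_EVENTS = [
    {"pid": 3492,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows"
            r"\CurrentVersion\Run\MicroMedia",
     "data": DROPPED},
]

# "cmd /c ping <host> ... & del [/flags] <file>": ping is the delay that lets
# the parent exit before its file is unlinked. Extra ping arguments and
# redirections (e.g. "-n 3 > nul") are tolerated up to the "&".
SELF_DELETE_RE = re.compile(
    r"""cmd(?:\.exe)?["']?\s+/c\s+ping\s+\S+[^&]*&\s*del\s+(?:/[a-z]\s+)*["']?(?P<target>[^"']+?)["']?\s*$""",
    re.IGNORECASE,
)

# Run / RunOnce value under either the native or the WOW6432Node hive view.
RUN_KEY_RE = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\[^\\]+$", re.IGNORECASE)

# Locations a non-admin user can write to; a Run value pointing there is
# persistence for something dropped at runtime rather than installed software.
USER_WRITABLE_RE = re.compile(
    r"\\(?:AppData\\(?:Local|Roaming)|ProgramData|Windows\\Temp)\\", re.IGNORECASE)


def find_self_deletion(events):
    """Return (cmd_pid, parent_pid, deleted_path) for every cmd.exe whose
    'ping & del' target is the image of its own parent process."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        m = SELF_DELETE_RE.search(e["cmdline"])
        if not m:
            continue
        parent = by_pid.get(e["ppid"])
        target = m.group("target")
        if parent is not None and parent["image"].lower() == target.lower():
            hits.append((e["pid"], parent["pid"], target))
    return hits


def find_user_writable_run_keys(reg_events):
    """Return (pid, value_name, data) for Run-key values whose data points
    into a user-writable directory."""
    hits = []
    for r in reg_events:
        if RUN_KEY_RE.search(r["key"]) and USER_WRITABLE_RE.search(r["data"]):
            hits.append((r["pid"], r["key"].rsplit("\\", 1)[1], r["data"]))
    return hits


def is_wow64_redirected(event):
    """True when the command line names System32 but the resolved image is
    under SysWOW64: the creator is a 32-bit process and file-system
    redirection rewrote the path (consistent with the WOW6432Node Run key)."""
    return ("\\syswow64\\" in event["image"].lower()
            and "\\system32\\" in event["cmdline"].lower())


if __name__ == "__main__":
    for cmd_pid, parent_pid, path in find_self_deletion(PROCESS_EVENTS):
        print(f"self-delete: pid {cmd_pid} removes image of parent pid {parent_pid}: {path}")
    for pid, name, data in find_user_writable_run_keys(REGISTRY_EVENTS):
        print(f"persistence: pid {pid} set Run\\{name} -> {data}")
    for e in PROCESS_EVENTS:
        if is_wow64_redirected(e):
            print(f"wow64: pid {e['pid']} runs {e['image']} (32-bit creator)")
```

The self-deletion check deliberately requires the del target to equal the parent's image path rather than matching on "ping & del" alone, which also appears in benign installer cleanup; the Run-key check fires on the data path, not the value name, so the innocuous-looking "MicroMedia" name does not matter.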
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 66f0eb15ff52684fd3f7b19dd9d23cf2
  SHA1: 37b6da29ae5edcd614d2aa1a7bd71ab429732b44
  SHA256: 7d05866747fbbb769f266837d61ae0404e9fb591c0bf5b27900f2b52a8583bd5
  SHA512: 9373fb94c72371a2325346ca586efcafafbb4e6ab81531d063be99d64a2b8ae90b06e6669447631fdafb4041483519a39622c7e8c021808220c4739a3213e374