Analysis
max time kernel: 127s
max time network: 139s
platform: windows7_x64
resource: win7-en-20211208
submitted: 30-01-2022 14:10
Static task: static1
Behavioral task: behavioral1
  Sample: ee80950f47bb89d573cc3fca7402bdbcf157b89cd82691dafa3f033ed15266ef.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: ee80950f47bb89d573cc3fca7402bdbcf157b89cd82691dafa3f033ed15266ef.exe
  Resource: win10-en-20211208
General
Target: ee80950f47bb89d573cc3fca7402bdbcf157b89cd82691dafa3f033ed15266ef.exe
Size: 89KB
MD5: 7d2c9936bff1e716b8758376cd09505d
SHA1: b978f8121314aa8801dd5c03213a603124547d1f
SHA256: ee80950f47bb89d573cc3fca7402bdbcf157b89cd82691dafa3f033ed15266ef
SHA512: 619d3bbd8a46fd30f6f0da24becde4c78d9bbd16e45b4ca8e06787be384206df63685358ca0e27303c618a9b0547c74509b5eed1abad3edf9c8f72346e89664c
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  Processes:
    resource: \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  yara_rule: family_sakula
    resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  yara_rule: family_sakula
- suricata: ET MALWARE SUSPICIOUS UA (iexplore)
- suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
- Executes dropped EXE (1 IoC)
  Processes:
    pid: 652  process: MediaCenter.exe
- Deletes itself (1 IoC)
  Processes:
    pid: 1948  process: cmd.exe
- Loads dropped DLL (1 IoC)
  Processes:
    pid: 1668  process: ee80950f47bb89d573cc3fca7402bdbcf157b89cd82691dafa3f033ed15266ef.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    description: Set value (str)
    ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
    process: ee80950f47bb89d573cc3fca7402bdbcf157b89cd82691dafa3f033ed15266ef.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description: Token: SeIncBasePriorityPrivilege  pid: 1668  process: ee80950f47bb89d573cc3fca7402bdbcf157b89cd82691dafa3f033ed15266ef.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
    PID 1668 wrote to memory of 652: ee80950f47bb89d573cc3fca7402bdbcf157b89cd82691dafa3f033ed15266ef.exe -> MediaCenter.exe (reported 4 times)
    PID 1668 wrote to memory of 1948: ee80950f47bb89d573cc3fca7402bdbcf157b89cd82691dafa3f033ed15266ef.exe -> cmd.exe (reported 4 times)
    PID 1948 wrote to memory of 1524: cmd.exe -> PING.EXE (reported 4 times)
Processes
1. C:\Users\Admin\AppData\Local\Temp\ee80950f47bb89d573cc3fca7402bdbcf157b89cd82691dafa3f033ed15266ef.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\ee80950f47bb89d573cc3fca7402bdbcf157b89cd82691dafa3f033ed15266ef.exe"
   PID: 1668
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      PID: 652
      - Executes dropped EXE
   2. C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\ee80950f47bb89d573cc3fca7402bdbcf157b89cd82691dafa3f033ed15266ef.exe"
      PID: 1948
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\PING.EXE
         command line: ping 127.0.0.1
         PID: 1524
         - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: 85607da826705efa939d2d72909869f9
SHA1: a429e95cd58dae8db44f9102887b359dd7352bf9
SHA256: 7f7fefc734c94cc1a3c5d58dc35bd8eedac667735541d8c53e3033710ed999b3
SHA512: 88e728c6c055211126f23f8ef1e45ce9cb2bb32539225942a7e6cd5864674ce2b298dc30344ac50869f3adddd85df80d9b5380982d976da621aae9dae5f792d6