Analysis
- max time kernel: 140s
- max time network: 164s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 30-01-2022 14:10
Static task: static1
Behavioral task: behavioral1
- Sample: ee80950f47bb89d573cc3fca7402bdbcf157b89cd82691dafa3f033ed15266ef.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: ee80950f47bb89d573cc3fca7402bdbcf157b89cd82691dafa3f033ed15266ef.exe
- Resource: win10-en-20211208
General
- Target: ee80950f47bb89d573cc3fca7402bdbcf157b89cd82691dafa3f033ed15266ef.exe
- Size: 89KB
- MD5: 7d2c9936bff1e716b8758376cd09505d
- SHA1: b978f8121314aa8801dd5c03213a603124547d1f
- SHA256: ee80950f47bb89d573cc3fca7402bdbcf157b89cd82691dafa3f033ed15266ef
- SHA512: 619d3bbd8a46fd30f6f0da24becde4c78d9bbd16e45b4ca8e06787be384206df63685358ca0e27303c618a9b0547c74509b5eed1abad3edf9c8f72346e89664c
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- suricata: ET MALWARE SUSPICIOUS UA (iexplore)
- suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
- Executes dropped EXE (1 IoCs)
  Processes:
  pid | process
  2372 | MediaCenter.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | ee80950f47bb89d573cc3fca7402bdbcf157b89cd82691dafa3f033ed15266ef.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 2240 | ee80950f47bb89d573cc3fca7402bdbcf157b89cd82691dafa3f033ed15266ef.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
  description | pid | process | target process
  PID 2240 wrote to memory of 2372 | 2240 | ee80950f47bb89d573cc3fca7402bdbcf157b89cd82691dafa3f033ed15266ef.exe | MediaCenter.exe (3 identical entries)
  PID 2240 wrote to memory of 1788 | 2240 | ee80950f47bb89d573cc3fca7402bdbcf157b89cd82691dafa3f033ed15266ef.exe | cmd.exe (3 identical entries)
  PID 1788 wrote to memory of 408 | 1788 | cmd.exe | PING.EXE (3 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\ee80950f47bb89d573cc3fca7402bdbcf157b89cd82691dafa3f033ed15266ef.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ee80950f47bb89d573cc3fca7402bdbcf157b89cd82691dafa3f033ed15266ef.exe"
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2240
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID:2372
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\ee80950f47bb89d573cc3fca7402bdbcf157b89cd82691dafa3f033ed15266ef.exe"
    - Suspicious use of WriteProcessMemory
    PID:1788
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID:408
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: e4d0f4c189cac48dd639a98b5c10d703
  SHA1: a9cac4152e1e539cab73718dc17c067cd5e7573d
  SHA256: c5ce0327a094218fa09f27ca305f7e59a9fda5f9e38d3c47d2e79ced6d3d6645
  SHA512: ea3b450b7307715ed1ddc6dbec367cd70fa1af9472ba1c143d678d472b2bcc4d5d33d614d836dbc480aaaf373bba4197c13d1892910d30183381e8398093e8d6