Analysis
max time kernel: 137s
max time network: 166s
platform: windows10_x64
resource: win10-en-20211208
submitted: 30-01-2022 17:31
Static task: static1
Behavioral task: behavioral1
  Sample: d928c51ca6985f9d0c599d60f9f7f3361721c82c8af64bcbd0676ae572691f01.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: d928c51ca6985f9d0c599d60f9f7f3361721c82c8af64bcbd0676ae572691f01.exe
  Resource: win10-en-20211208
General
Target: d928c51ca6985f9d0c599d60f9f7f3361721c82c8af64bcbd0676ae572691f01.exe
Size: 89KB
MD5: 6d308fc42618812073481df1cd0452a7
SHA1: 1be3725af4eb10309d8c93cb8e6503435ac82e34
SHA256: d928c51ca6985f9d0c599d60f9f7f3361721c82c8af64bcbd0676ae572691f01
SHA512: cf1e0816513d15451e39470f8da928705d908dddeac36f87f3bfe29dce0c29c4e283baa819141d472db87c4da5e4fccffd5059246944a210f4d444c413dec354
Malware Config
Signatures
Sakula Payload (2 IoCs)
Processes:
  resource                                                      yara_rule
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  family_sakula

suricata: ET MALWARE SUSPICIOUS UA (iexplore)

suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
Executes dropped EXE (1 IoC)
Processes:
  pid   process
  2740  MediaCenter.exe
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  description      ioc                                                                                                                                                                  process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  d928c51ca6985f9d0c599d60f9f7f3361721c82c8af64bcbd0676ae572691f01.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTP, 1 IoC)
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  description                          pid   process
  Token: SeIncBasePriorityPrivilege    2472  d928c51ca6985f9d0c599d60f9f7f3361721c82c8af64bcbd0676ae572691f01.exe
Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
  description                        pid   process                                                                   target process
  PID 2472 wrote to memory of 2740   2472  d928c51ca6985f9d0c599d60f9f7f3361721c82c8af64bcbd0676ae572691f01.exe     MediaCenter.exe
  PID 2472 wrote to memory of 2740   2472  d928c51ca6985f9d0c599d60f9f7f3361721c82c8af64bcbd0676ae572691f01.exe     MediaCenter.exe
  PID 2472 wrote to memory of 2740   2472  d928c51ca6985f9d0c599d60f9f7f3361721c82c8af64bcbd0676ae572691f01.exe     MediaCenter.exe
  PID 2472 wrote to memory of 1408   2472  d928c51ca6985f9d0c599d60f9f7f3361721c82c8af64bcbd0676ae572691f01.exe     cmd.exe
  PID 2472 wrote to memory of 1408   2472  d928c51ca6985f9d0c599d60f9f7f3361721c82c8af64bcbd0676ae572691f01.exe     cmd.exe
  PID 2472 wrote to memory of 1408   2472  d928c51ca6985f9d0c599d60f9f7f3361721c82c8af64bcbd0676ae572691f01.exe     cmd.exe
  PID 1408 wrote to memory of 3088   1408  cmd.exe                                                                   PING.EXE
  PID 1408 wrote to memory of 3088   1408  cmd.exe                                                                   PING.EXE
  PID 1408 wrote to memory of 3088   1408  cmd.exe                                                                   PING.EXE
Processes
(depth 1) C:\Users\Admin\AppData\Local\Temp\d928c51ca6985f9d0c599d60f9f7f3361721c82c8af64bcbd0676ae572691f01.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d928c51ca6985f9d0c599d60f9f7f3361721c82c8af64bcbd0676ae572691f01.exe"
  PID: 2472
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  (depth 2) C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 2740
    - Executes dropped EXE

  (depth 2) C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\d928c51ca6985f9d0c599d60f9f7f3361721c82c8af64bcbd0676ae572691f01.exe"
    PID: 1408
    - Suspicious use of WriteProcessMemory

    (depth 3) C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 3088
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: 060561c1d165f6de39d604f924aeb3cb
SHA1: b981b400291d926689956cdbbf0e9e3619c4a43d
SHA256: 859aefe1393822b311684f35048fd188aabc9aefed3f43f3bd1a38ad6a4b84ea
SHA512: 59ef1fdd766ad9b9318c34eca49108123e4b049f8da901edcac9c0b0c71b586360e44d3ad8ef156e8148139db1f07b1a0b858e17a67910bad49ae356408d6e65