Analysis
max time kernel: 152s
max time network: 152s
platform: windows7_x64
resource: win7-en-20211208
submitted: 30-01-2022 17:40
Static task: static1
Behavioral task: behavioral1
  Sample: 45f5f8ce9bb7103e382d9c1158703b9b655d37a6ff31227132477e3600af9a8b.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 45f5f8ce9bb7103e382d9c1158703b9b655d37a6ff31227132477e3600af9a8b.exe
  Resource: win10-en-20211208
General
Target: 45f5f8ce9bb7103e382d9c1158703b9b655d37a6ff31227132477e3600af9a8b.exe
Size: 89KB
MD5: 6a7b2feed82d8d1746ac78df5a429bce
SHA1: da3cf059828c3b3304fe0713ae2460f22c966f40
SHA256: 45f5f8ce9bb7103e382d9c1158703b9b655d37a6ff31227132477e3600af9a8b
SHA512: c6a9b673184f14f082abbf1ae0e723d8afac6f773ff5114f03ef2253caa29c4dfbb3b6f4513ee0418c281a0587eb470e9c683e421748524e6525e335574eb1b3
Malware Config
Signatures
Sakula Payload (2 IoCs)
Processes (resource / yara_rule):
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  family_sakula
suricata: ET MALWARE SUSPICIOUS UA (iexplore)
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
Executes dropped EXE (1 IoCs)
Processes (pid / process):
  1096  MediaCenter.exe
Deletes itself (1 IoCs)
Processes (pid / process):
  1808  cmd.exe
Loads dropped DLL (1 IoCs)
Processes (pid / process):
  1584  45f5f8ce9bb7103e382d9c1158703b9b655d37a6ff31227132477e3600af9a8b.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes (description / ioc / process):
  Set value (str)
  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  45f5f8ce9bb7103e382d9c1158703b9b655d37a6ff31227132477e3600af9a8b.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Runs ping.exe (1 TTPs, 1 IoCs)
Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes (description / pid / process):
  Token: SeIncBasePriorityPrivilege  1584  45f5f8ce9bb7103e382d9c1158703b9b655d37a6ff31227132477e3600af9a8b.exe
Suspicious use of WriteProcessMemory (12 IoCs)
Processes (description / pid / process / target process):
  PID 1584 wrote to memory of 1096  1584  45f5f8ce9bb7103e382d9c1158703b9b655d37a6ff31227132477e3600af9a8b.exe  MediaCenter.exe
  PID 1584 wrote to memory of 1096  1584  45f5f8ce9bb7103e382d9c1158703b9b655d37a6ff31227132477e3600af9a8b.exe  MediaCenter.exe
  PID 1584 wrote to memory of 1096  1584  45f5f8ce9bb7103e382d9c1158703b9b655d37a6ff31227132477e3600af9a8b.exe  MediaCenter.exe
  PID 1584 wrote to memory of 1096  1584  45f5f8ce9bb7103e382d9c1158703b9b655d37a6ff31227132477e3600af9a8b.exe  MediaCenter.exe
  PID 1584 wrote to memory of 1808  1584  45f5f8ce9bb7103e382d9c1158703b9b655d37a6ff31227132477e3600af9a8b.exe  cmd.exe
  PID 1584 wrote to memory of 1808  1584  45f5f8ce9bb7103e382d9c1158703b9b655d37a6ff31227132477e3600af9a8b.exe  cmd.exe
  PID 1584 wrote to memory of 1808  1584  45f5f8ce9bb7103e382d9c1158703b9b655d37a6ff31227132477e3600af9a8b.exe  cmd.exe
  PID 1584 wrote to memory of 1808  1584  45f5f8ce9bb7103e382d9c1158703b9b655d37a6ff31227132477e3600af9a8b.exe  cmd.exe
  PID 1808 wrote to memory of 1160  1808  cmd.exe  PING.EXE
  PID 1808 wrote to memory of 1160  1808  cmd.exe  PING.EXE
  PID 1808 wrote to memory of 1160  1808  cmd.exe  PING.EXE
  PID 1808 wrote to memory of 1160  1808  cmd.exe  PING.EXE
Processes
C:\Users\Admin\AppData\Local\Temp\45f5f8ce9bb7103e382d9c1158703b9b655d37a6ff31227132477e3600af9a8b.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\45f5f8ce9bb7103e382d9c1158703b9b655d37a6ff31227132477e3600af9a8b.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1584
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1096
  C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\45f5f8ce9bb7103e382d9c1158703b9b655d37a6ff31227132477e3600af9a8b.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1808
    C:\Windows\SysWOW64\PING.EXE
      command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1160
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: 43b6a89a1f31a40e798736fd7050e570
SHA1: 99e190b24c99f8a77492deeef439172e8eb73a5c
SHA256: e63e89225d2f5cd48d66b419ac3980cc5085381504ca2176fd2380552ed9b51a
SHA512: c8f58112b4d58c7a73d461d3aca332da688ef014ac940d63c61ebc00edcdabbb7bf1e6972d5d7044ea7dc6ef73be706889f5a43696b86d1f0694f8c683dab2cd