Analysis
- max time kernel: 128s
- max time network: 160s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 30-01-2022 17:40
- Static task: static1
- Behavioral task: behavioral1, sample 45f5f8ce9bb7103e382d9c1158703b9b655d37a6ff31227132477e3600af9a8b.exe, resource win7-en-20211208
- Behavioral task: behavioral2, sample 45f5f8ce9bb7103e382d9c1158703b9b655d37a6ff31227132477e3600af9a8b.exe, resource win10-en-20211208

The platform header and every PID and registry path on this page come from the Windows 10 x64 run (behavioral2, win10-en-20211208); no output from the win7-en-20211208 task appears here.
General
- Target: 45f5f8ce9bb7103e382d9c1158703b9b655d37a6ff31227132477e3600af9a8b.exe
- Size: 89KB
- MD5: 6a7b2feed82d8d1746ac78df5a429bce
- SHA1: da3cf059828c3b3304fe0713ae2460f22c966f40
- SHA256: 45f5f8ce9bb7103e382d9c1158703b9b655d37a6ff31227132477e3600af9a8b
- SHA512: c6a9b673184f14f082abbf1ae0e723d8afac6f773ff5114f03ef2253caa29c4dfbb3b6f4513ee0418c281a0587eb470e9c683e421748524e6525e335574eb1b3
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  YARA rule family_sakula matched the dropped file C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (2 matches, both on that file).
- suricata: ET MALWARE SUSPICIOUS UA (iexplore)
- suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
  Both Suricata alerts fired on the sample's network traffic; the C2 host itself is not listed on this page.
- Executes dropped EXE (1 IoC)
  MediaCenter.exe, PID 3620
- Adds Run key to start application (2 TTPs, 1 IoC)
  45f5f8ce9bb7103e382d9c1158703b9b655d37a6ff31227132477e3600af9a8b.exe set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  The WOW6432Node path shows a 32-bit process writing the machine-wide Run key on 64-bit Windows. Writing under HKLM requires administrative rights, so the fact that this write succeeded means the sandbox ran the sample elevated; the autostart target is the dropped binary in the user's %TEMP% directory.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's description labels this "likely ransomware behaviour", but that is a generic heuristic string; everything else on this page (the YARA and Suricata hits) identifies the sample as the Sakula/Mivast RAT.
- Runs ping.exe (1 TTP, 1 IoC)
  PING.EXE (PID 4332) runs "ping 127.0.0.1" inside a cmd.exe chain that then deletes the original sample; the loopback ping is a delay so the parent has exited before "del" runs (see the Processes tree below).
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  45f5f8ce9bb7103e382d9c1158703b9b655d37a6ff31227132477e3600af9a8b.exe (PID 3664) enabled the token privilege SeIncBasePriorityPrivilege.
- Suspicious use of WriteProcessMemory (9 IoCs)
  PID 3664 (45f5f8ce9bb7103e382d9c1158703b9b655d37a6ff31227132477e3600af9a8b.exe) wrote to memory of PID 3620 (MediaCenter.exe), 3 events
  PID 3664 (45f5f8ce9bb7103e382d9c1158703b9b655d37a6ff31227132477e3600af9a8b.exe) wrote to memory of PID 4440 (cmd.exe), 3 events
  PID 4440 (cmd.exe) wrote to memory of PID 4332 (PING.EXE), 3 events
  Every write is a parent writing into a child it has just created; no write into an unrelated process is recorded.
Processes
- C:\Users\Admin\AppData\Local\Temp\45f5f8ce9bb7103e382d9c1158703b9b655d37a6ff31227132477e3600af9a8b.exe (PID 3664)
  command line: "C:\Users\Admin\AppData\Local\Temp\45f5f8ce9bb7103e382d9c1158703b9b655d37a6ff31227132477e3600af9a8b.exe"
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 3620, child of 3664)
    command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 4440, child of 3664)
    command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\45f5f8ce9bb7103e382d9c1158703b9b655d37a6ff31227132477e3600af9a8b.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 4332, child of 4440)
      command line: ping 127.0.0.1
      - Runs ping.exe

The command lines name System32 but the images run from SysWOW64: the sample is a 32-bit process, so WOW64 file system redirection maps its System32 references to SysWOW64. The cmd.exe chain is the sample removing its own dropper after MediaCenter.exe has been written and registered for autostart.
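The two behaviours in this tree worth alerting on, the Run value pointing into %TEMP% and the ping-then-del self-deletion of the original sample, can both be checked from process-creation and registry-write telemetry. The following Python is an added example written for this page, not output or tooling from the sandbox that produced the report. Its events are constructed by hand to mirror the tree above (the parent PID 1234 and the benign cmd.exe with PID 5000 are invented for contrast), and the field names borrow Sysmon's ProcessCreate/RegistryValueSet naming as an assumption about the log source.

```python
"""Detection for the two behaviours recorded in the process tree above:
(1) a Run-key value pointing into a user-writable staging directory (%TEMP%)
and (2) the 'cmd /c ping 127.0.0.1 & del /q <self>' self-deletion chain.

Added example; not tooling from the sandbox that produced this report. The
event records below are constructed by hand to mirror the report's process
tree, PIDs and registry write. Field names follow Sysmon's ProcessCreate /
RegistryValueSet naming (Image, CommandLine, ProcessId, ParentProcessId,
TargetObject, Details) as an assumption; the records are sample input, not
captured logs.
"""
import ntpath
import re

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\45f5f8ce9bb7103e382d9c1158703b9b655d37a6ff31227132477e3600af9a8b.exe")
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

# Constructed events reproducing the report's tree (PIDs as in the report).
# Parent PID 1234 and the last record (a benign cmd.exe, PID 5000) are invented.
EVENTS = [
    {"EventType": "ProcessCreate", "ProcessId": 3664, "ParentProcessId": 1234,
     "Image": SAMPLE, "CommandLine": f'"{SAMPLE}"'},
    {"EventType": "RegistryValueSet", "ProcessId": 3664,
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "Details": DROPPED},
    {"EventType": "ProcessCreate", "ProcessId": 3620, "ParentProcessId": 3664,
     "Image": DROPPED, "CommandLine": DROPPED},
    {"EventType": "ProcessCreate", "ProcessId": 4440, "ParentProcessId": 3664,
     "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"'},
    {"EventType": "ProcessCreate", "ProcessId": 4332, "ParentProcessId": 4440,
     "Image": r"C:\Windows\SysWOW64\PING.EXE", "CommandLine": "ping 127.0.0.1"},
    {"EventType": "ProcessCreate", "ProcessId": 5000, "ParentProcessId": 1234,
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c del /q "C:\Users\Admin\Downloads\old.log"'},
]

# 'del' of a quoted or bare path, optionally preceded by a loopback ping used
# as a delay (ping [-n N] 127.0.0.1 | localhost). Captures the deleted path.
DEL_CMD = re.compile(
    r'(?P<ping>ping\s+(?:-n\s+\d+\s+)?(?:127\.0\.0\.1|localhost)\b[^&]*&+\s*)?'
    r'del\s+(?:/[a-z]\s+)*"?(?P<target>[^"&]+?)"?\s*$',
    re.IGNORECASE,
)
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\(?:RunOnce|Run)\\", re.IGNORECASE)
# Directories an unprivileged user can write to, in normalised (lower-case) form.
STAGING_DIRS = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\",
                "\\users\\public\\", "\\programdata\\")


def _norm(path):
    """Case-fold and normalise a Windows path so string comparison is reliable."""
    return ntpath.normcase(ntpath.normpath(path.strip().strip('"')))


def find_self_deletions(events):
    """Return (cmd_pid, parent_pid, deleted_path, delayed_by_ping) for every
    cmd.exe whose 'del' target is the executable image of its own parent."""
    image_by_pid = {e["ProcessId"]: e["Image"]
                    for e in events if e["EventType"] == "ProcessCreate"}
    hits = []
    for e in events:
        if e["EventType"] != "ProcessCreate":
            continue
        if ntpath.basename(e["Image"]).lower() != "cmd.exe":
            continue
        m = DEL_CMD.search(e["CommandLine"])
        if not m:
            continue
        parent_image = image_by_pid.get(e["ParentProcessId"])
        if parent_image and _norm(parent_image) == _norm(m.group("target")):
            hits.append((e["ProcessId"], e["ParentProcessId"],
                         parent_image, m.group("ping") is not None))
    return hits


def find_staged_run_keys(events):
    """Return (pid, value_name, data) for Run/RunOnce values whose data points
    into a user-writable staging directory such as %TEMP%."""
    hits = []
    for e in events:
        if e["EventType"] != "RegistryValueSet" or not RUN_KEY.search(e["TargetObject"]):
            continue
        if any(d in _norm(e["Details"]) for d in STAGING_DIRS):
            hits.append((e["ProcessId"], e["TargetObject"].rsplit("\\", 1)[-1], e["Details"]))
    return hits


if __name__ == "__main__":
    for pid, ppid, path, delayed in find_self_deletions(EVENTS):
        print(f"self-delete: cmd.exe {pid} removes parent {ppid} image {path} (ping delay: {delayed})")
    for pid, name, data in find_staged_run_keys(EVENTS):
        print(f"persistence: pid {pid} set Run value {name!r} -> {data}")
```

The self-deletion check keys on the relationship between the del target and the parent's image rather than on the ping alone, so a chain that drops the ping or swaps it for a timeout still matches, while an ordinary cmd.exe deleting some other file (PID 5000 in the sample events) does not. The Run-key check matches both the native and WOW6432Node key paths because the regex anchors on the CurrentVersion\Run suffix.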
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: c92e6c3f5e0d70e6c79867924a200450
- SHA1: 32acdacf27bcc34b7692d48d71e92f36a036c27d
- SHA256: 9e0932e7766ab05811982d49097310c380a7b59d6d7b7627a3201eee7ef9489b
- SHA512: ce67de8f79be8941c61b320a1095a319421a8584cda35801689a5c270f214fcb8ada4ca5daf584ab111ec2916081899c1e8f0cccfe08c0467a41e0d541c32404

One downloadable artefact is listed, by hash only; its file name is not given on this page. The hashes differ from the submitted sample's, so this is a distinct file.