Analysis
- max time kernel: 152s
- max time network: 164s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 30-01-2022 17:13
Static task: static1
Behavioral task: behavioral1
  Sample: 7aa27098a1f4ac60b5037c018f0092dc9f70e7efcbfc0dc3def4f8e80a40a459.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 7aa27098a1f4ac60b5037c018f0092dc9f70e7efcbfc0dc3def4f8e80a40a459.exe
  Resource: win10-en-20211208
General
- Target: 7aa27098a1f4ac60b5037c018f0092dc9f70e7efcbfc0dc3def4f8e80a40a459.exe
- Size: 89KB
- MD5: 7248d4b73d68cfc023d8d156c63f6b74
- SHA1: 30b8700e5ec31630967fbcc8a3b8fb3fa8b1df7f
- SHA256: 7aa27098a1f4ac60b5037c018f0092dc9f70e7efcbfc0dc3def4f8e80a40a459
- SHA512: 21b4b428131670178efb68c7460ed24bffedc9306069cd4ca9063219962a3b71d100d0d67bc40439455c5c54cf2487652f4f97cda720846c7f253e50bebf0816
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  Processes:
    resource | yara_rule
    \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- suricata: ET MALWARE SUSPICIOUS UA (iexplore)
- suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
- Executes dropped EXE (1 IoCs)
  Processes: MediaCenter.exe
    pid | process
    1744 | MediaCenter.exe
- Deletes itself (1 IoCs)
  Processes: cmd.exe
    pid | process
    640 | cmd.exe
- Loads dropped DLL (1 IoCs)
  Processes: 7aa27098a1f4ac60b5037c018f0092dc9f70e7efcbfc0dc3def4f8e80a40a459.exe
    pid | process
    1512 | 7aa27098a1f4ac60b5037c018f0092dc9f70e7efcbfc0dc3def4f8e80a40a459.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes: 7aa27098a1f4ac60b5037c018f0092dc9f70e7efcbfc0dc3def4f8e80a40a459.exe
    description | ioc | process
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 7aa27098a1f4ac60b5037c018f0092dc9f70e7efcbfc0dc3def4f8e80a40a459.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: 7aa27098a1f4ac60b5037c018f0092dc9f70e7efcbfc0dc3def4f8e80a40a459.exe
    description | pid | process
    Token: SeIncBasePriorityPrivilege | 1512 | 7aa27098a1f4ac60b5037c018f0092dc9f70e7efcbfc0dc3def4f8e80a40a459.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes: 7aa27098a1f4ac60b5037c018f0092dc9f70e7efcbfc0dc3def4f8e80a40a459.exe, cmd.exe
    description | pid | process | target process
    PID 1512 wrote to memory of 1744 | 1512 | 7aa27098a1f4ac60b5037c018f0092dc9f70e7efcbfc0dc3def4f8e80a40a459.exe | MediaCenter.exe
    PID 1512 wrote to memory of 1744 | 1512 | 7aa27098a1f4ac60b5037c018f0092dc9f70e7efcbfc0dc3def4f8e80a40a459.exe | MediaCenter.exe
    PID 1512 wrote to memory of 1744 | 1512 | 7aa27098a1f4ac60b5037c018f0092dc9f70e7efcbfc0dc3def4f8e80a40a459.exe | MediaCenter.exe
    PID 1512 wrote to memory of 1744 | 1512 | 7aa27098a1f4ac60b5037c018f0092dc9f70e7efcbfc0dc3def4f8e80a40a459.exe | MediaCenter.exe
    PID 1512 wrote to memory of 640 | 1512 | 7aa27098a1f4ac60b5037c018f0092dc9f70e7efcbfc0dc3def4f8e80a40a459.exe | cmd.exe
    PID 1512 wrote to memory of 640 | 1512 | 7aa27098a1f4ac60b5037c018f0092dc9f70e7efcbfc0dc3def4f8e80a40a459.exe | cmd.exe
    PID 1512 wrote to memory of 640 | 1512 | 7aa27098a1f4ac60b5037c018f0092dc9f70e7efcbfc0dc3def4f8e80a40a459.exe | cmd.exe
    PID 1512 wrote to memory of 640 | 1512 | 7aa27098a1f4ac60b5037c018f0092dc9f70e7efcbfc0dc3def4f8e80a40a459.exe | cmd.exe
    PID 640 wrote to memory of 1140 | 640 | cmd.exe | PING.EXE
    PID 640 wrote to memory of 1140 | 640 | cmd.exe | PING.EXE
    PID 640 wrote to memory of 1140 | 640 | cmd.exe | PING.EXE
    PID 640 wrote to memory of 1140 | 640 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\7aa27098a1f4ac60b5037c018f0092dc9f70e7efcbfc0dc3def4f8e80a40a459.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\7aa27098a1f4ac60b5037c018f0092dc9f70e7efcbfc0dc3def4f8e80a40a459.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1512
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1744
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\7aa27098a1f4ac60b5037c018f0092dc9f70e7efcbfc0dc3def4f8e80a40a459.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 640
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1140
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 9ab6c871b7e6b64260eb6eb897eb6fb9
  SHA1: 7ca30a15169e023fe701a81cbbb7ea2225b3585b
  SHA256: 0c29500a4d69398a368a318305f5abf9fdf69a940969a5020938073fddbf7f1a
  SHA512: 5d17a8f43eada1ef882c5d557777320cf3b880e2110a6ae8d0d78e55bd9f090895fc7b3efc4b55eb03e1c6dea837270fb2a74eece1ccd5a4dea8d90dc85a0bc4