Analysis
-
max time kernel
161s
-
max time network
171s
-
platform
windows10_x64
-
resource
win10-en-20211208
-
submitted
30-01-2022 17:13
Static task
static1
Behavioral task
behavioral1
Sample
7aa27098a1f4ac60b5037c018f0092dc9f70e7efcbfc0dc3def4f8e80a40a459.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
7aa27098a1f4ac60b5037c018f0092dc9f70e7efcbfc0dc3def4f8e80a40a459.exe
Resource
win10-en-20211208
General
-
Target
7aa27098a1f4ac60b5037c018f0092dc9f70e7efcbfc0dc3def4f8e80a40a459.exe
-
Size
89KB
-
MD5
7248d4b73d68cfc023d8d156c63f6b74
-
SHA1
30b8700e5ec31630967fbcc8a3b8fb3fa8b1df7f
-
SHA256
7aa27098a1f4ac60b5037c018f0092dc9f70e7efcbfc0dc3def4f8e80a40a459
-
SHA512
21b4b428131670178efb68c7460ed24bffedc9306069cd4ca9063219962a3b71d100d0d67bc40439455c5c54cf2487652f4f97cda720846c7f253e50bebf0816
Malware Config
Signatures
-
Sakula Payload 2 IoCs
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
-
suricata: ET MALWARE SUSPICIOUS UA (iexplore)
-
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
-
Executes dropped EXE 1 IoCs
Processes:
pid | process
3868 | MediaCenter.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 7aa27098a1f4ac60b5037c018f0092dc9f70e7efcbfc0dc3def4f8e80a40a459.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description of this signature calls it likely ransomware behaviour; on its own it is not evidence of file encryption, and no encryption activity appears elsewhere in this report. The YARA and Suricata hits above identify the sample as the Sakula/Mivast RAT.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
description | pid | process
Token: SeIncBasePriorityPrivilege | 64 | 7aa27098a1f4ac60b5037c018f0092dc9f70e7efcbfc0dc3def4f8e80a40a459.exe
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
description | pid | process | target process
PID 64 wrote to memory of 3868 | 64 | 7aa27098a1f4ac60b5037c018f0092dc9f70e7efcbfc0dc3def4f8e80a40a459.exe | MediaCenter.exe
PID 64 wrote to memory of 3868 | 64 | 7aa27098a1f4ac60b5037c018f0092dc9f70e7efcbfc0dc3def4f8e80a40a459.exe | MediaCenter.exe
PID 64 wrote to memory of 3868 | 64 | 7aa27098a1f4ac60b5037c018f0092dc9f70e7efcbfc0dc3def4f8e80a40a459.exe | MediaCenter.exe
PID 64 wrote to memory of 4040 | 64 | 7aa27098a1f4ac60b5037c018f0092dc9f70e7efcbfc0dc3def4f8e80a40a459.exe | cmd.exe
PID 64 wrote to memory of 4040 | 64 | 7aa27098a1f4ac60b5037c018f0092dc9f70e7efcbfc0dc3def4f8e80a40a459.exe | cmd.exe
PID 64 wrote to memory of 4040 | 64 | 7aa27098a1f4ac60b5037c018f0092dc9f70e7efcbfc0dc3def4f8e80a40a459.exe | cmd.exe
PID 4040 wrote to memory of 3048 | 4040 | cmd.exe | PING.EXE
PID 4040 wrote to memory of 3048 | 4040 | cmd.exe | PING.EXE
PID 4040 wrote to memory of 3048 | 4040 | cmd.exe | PING.EXE
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\7aa27098a1f4ac60b5037c018f0092dc9f70e7efcbfc0dc3def4f8e80a40a459.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\7aa27098a1f4ac60b5037c018f0092dc9f70e7efcbfc0dc3def4f8e80a40a459.exe"
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   PID: 64
   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE
      PID: 3868
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\7aa27098a1f4ac60b5037c018f0092dc9f70e7efcbfc0dc3def4f8e80a40a459.exe"
      - Suspicious use of WriteProcessMemory
      PID: 4040
      3. C:\Windows\SysWOW64\PING.EXE
         Command line: ping 127.0.0.1
         - Runs ping.exe
         PID: 3048
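The process tree above shows two host-side behaviours worth hunting for beyond this one hash: a Run-key entry (under WOW6432Node, so a 32-bit binary on 64-bit Windows) that points into the user's Temp directory, and the dropper deleting itself through a child cmd.exe that runs "ping 127.0.0.1 & del /q <own path>", where the ping only exists to stall until the parent has exited. The script below is an added example, not part of this report or of any sandbox's code. It runs two checks over process-creation and registry events constructed here from the report's PIDs, images, command lines and Run-key write; the event schema (pid/ppid/image/cmdline, op/key/name/data), the parent PID 1234 of the top process, and the benign cmd.exe and VendorAgent entries are assumptions added to show the checks do not fire on ordinary activity.

```python
import re

# Constructed events modelled on the report's process tree. PPID 1234 for the
# sample and the two benign entries are assumptions, not taken from the report.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\7aa27098a1f4ac60b5037c018f0092dc9f70e7efcbfc0dc3def4f8e80a40a459.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

PROCESS_EVENTS = [
    {"pid": 64,   "ppid": 1234, "image": SAMPLE,  "cmdline": f'"{SAMPLE}"'},
    {"pid": 3868, "ppid": 64,   "image": DROPPED, "cmdline": DROPPED},
    {"pid": 4040, "ppid": 64,   "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"'},
    {"pid": 3048, "ppid": 4040, "image": r"C:\Windows\SysWOW64\PING.EXE",
     "cmdline": "ping 127.0.0.1"},
    # Benign (constructed): an admin script pinging localhost, no delete.
    {"pid": 5000, "ppid": 1234, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": '"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 -n 2'},
]

REGISTRY_EVENTS = [
    # The Run-key write recorded in the report.
    {"pid": 64, "image": SAMPLE, "op": "SetValue",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run",
     "name": "MicroMedia", "data": DROPPED},
    # Benign (constructed): an installer registering an agent under Program Files.
    {"pid": 777, "image": r"C:\Program Files\Vendor\setup.exe", "op": "SetValue",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "name": "VendorAgent", "data": r"C:\Program Files\Vendor\agent.exe"},
]

# "ping <anything> & del [/switches] <path>": captures the path handed to del,
# quoted or not. The ping is the delay; the del is the payload.
SELF_DELETE_RE = re.compile(
    r'ping\b[^&]*&\s*del\s+(?:/[a-z]\s+)*"?(?P<target>[^"&]+?)"?\s*$', re.IGNORECASE)

# Run key with or without the WOW6432Node redirection seen in the report.
RUN_KEY_RE = re.compile(
    r"\\(?:WOW6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run$", re.IGNORECASE)
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)


def detect_self_delete(events):
    """Flag cmd.exe children whose 'ping & del' target is the parent's own image.

    Matching the del target against the parent's image path (not just the
    presence of 'ping & del') is what separates this from a cleanup script.
    """
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if not e["image"].lower().endswith("\\cmd.exe"):
            continue
        m = SELF_DELETE_RE.search(e["cmdline"])
        if not m:
            continue
        target = m.group("target").strip().lower()
        parent = by_pid.get(e["ppid"])
        if parent and parent["image"].lower() == target:
            findings.append({"cmd_pid": e["pid"],
                             "deleted_parent_pid": parent["pid"],
                             "deleted_image": parent["image"]})
    return findings


def detect_temp_run_key(events):
    """Flag Run-key writes whose data points into a user's Temp directory."""
    findings = []
    for e in events:
        if e["op"] != "SetValue" or not RUN_KEY_RE.search(e["key"]):
            continue
        if TEMP_DIR_RE.search(e["data"]):
            findings.append({"name": e["name"], "data": e["data"],
                             "writer_pid": e["pid"],
                             "wow64": "WOW6432Node" in e["key"]})
    return findings


if __name__ == "__main__":
    for f in detect_self_delete(PROCESS_EVENTS) + detect_temp_run_key(REGISTRY_EVENTS):
        print(f)
```

On the report's events the first check returns exactly one finding (cmd.exe PID 4040 deleting the image of its parent PID 64) and the second returns the MicroMedia entry with wow64 set; the constructed benign ping and the Program Files Run entry produce nothing. Feeding this real telemetry needs the parent-child relationship and the full command line of cmd.exe, which is why command-line logging for process creation matters for this family.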
Network
MITRE ATT&CK Enterprise v6
Downloads
-
MD5
db0e1efea3a0f59a4d25d097b6f382a7
SHA1
a8e109937970c9864a00df7546472211ecdd2d68
SHA256
1cf4171fcf28f2fd8942b780b866bcb5f317ad8f8d5144d23342b0620f1ec1b4
SHA512
f16f38eb9eee657ef39db83243cc780d6f0f3782cac0b80b5702b7a82df67c4bdb054fcb12670c052b987035ff44db6f4fdea404cba31af0c7fbdb0bfbb5d5dd