Analysis
max time kernel: 149s
max time network: 149s
platform: windows7_x64
resource: win7-en-20211208
submitted: 30-01-2022 18:30
Static task: static1
Behavioral task: behavioral1
  Sample: 7777996703326ba738bf90d4b0b2fc302cb395f1f03e628c47cdec113bdfcf85.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 7777996703326ba738bf90d4b0b2fc302cb395f1f03e628c47cdec113bdfcf85.exe
  Resource: win10-en-20211208
General
Target: 7777996703326ba738bf90d4b0b2fc302cb395f1f03e628c47cdec113bdfcf85.exe
Size: 89KB
MD5: 5b76c68f9ca61bfd8a5bcbf2817a1437
SHA1: 1f523f98e28063463ff402ac39bcea28da8661b5
SHA256: 7777996703326ba738bf90d4b0b2fc302cb395f1f03e628c47cdec113bdfcf85
SHA512: a479a38c66899e2341abbe422348aa26f43a37b83c12b59177cd9f34cedf293ee42daef6d533d4ed01f37f99a681995ac05cfd8ed08c6dd7183609776992d56e
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  Processes (resource / yara_rule):
    \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  family_sakula
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  family_sakula
- suricata: ET MALWARE SUSPICIOUS UA (iexplore)
- suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
- Executes dropped EXE (1 IoC)
  Processes (pid / process): 1268  MediaCenter.exe
- Deletes itself (1 IoC)
  Processes (pid / process): 596  cmd.exe
- Loads dropped DLL (1 IoC)
  Processes (pid / process): 1660  7777996703326ba738bf90d4b0b2fc302cb395f1f03e628c47cdec113bdfcf85.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description / ioc / process):
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  7777996703326ba738bf90d4b0b2fc302cb395f1f03e628c47cdec113bdfcf85.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description / pid / process):
    Token: SeIncBasePriorityPrivilege  1660  7777996703326ba738bf90d4b0b2fc302cb395f1f03e628c47cdec113bdfcf85.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description / pid / process / target process):
    PID 1660 wrote to memory of 1268  1660  7777996703326ba738bf90d4b0b2fc302cb395f1f03e628c47cdec113bdfcf85.exe  MediaCenter.exe  (4 entries)
    PID 1660 wrote to memory of 596   1660  7777996703326ba738bf90d4b0b2fc302cb395f1f03e628c47cdec113bdfcf85.exe  cmd.exe  (4 entries)
    PID 596 wrote to memory of 964    596   cmd.exe  PING.EXE  (4 entries)
Processes
1. image: C:\Users\Admin\AppData\Local\Temp\7777996703326ba738bf90d4b0b2fc302cb395f1f03e628c47cdec113bdfcf85.exe
   command: "C:\Users\Admin\AppData\Local\Temp\7777996703326ba738bf90d4b0b2fc302cb395f1f03e628c47cdec113bdfcf85.exe"
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   PID: 1660
   2. image: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      command: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE
      PID: 1268
   2. image: C:\Windows\SysWOW64\cmd.exe
      command: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\7777996703326ba738bf90d4b0b2fc302cb395f1f03e628c47cdec113bdfcf85.exe"
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      PID: 596
      3. image: C:\Windows\SysWOW64\PING.EXE
         command: ping 127.0.0.1
         - Runs ping.exe
         PID: 964
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: a66a465e2167b0c12ce31e29a040af09
  SHA1: 798fdcd0f18abfa84e6abd1f247b35d2c4bc201c
  SHA256: 31753c9eec867233f3ca3ffeb65067513bf4b7b6aa3e2cf662b3bd0306060063
  SHA512: 4681c25d7d0010c651d2bfa9f78db72106b3df69b05d79c94b4e1bc973cd492d75d4adc807a39d0a2c62a9a242d0280e803cf465d7f9a76b95eb956cd924b972