Analysis
- max time kernel: 144s
- max time network: 145s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 30-01-2022 18:32
Static task: static1
Behavioral task: behavioral1
- Sample: 942e69a2eff2b922c28ff36c4f02d08b5eb35123ab5de83a9d23fcfa806ccdc5.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 942e69a2eff2b922c28ff36c4f02d08b5eb35123ab5de83a9d23fcfa806ccdc5.exe
- Resource: win10-en-20211208
General
- Target: 942e69a2eff2b922c28ff36c4f02d08b5eb35123ab5de83a9d23fcfa806ccdc5.exe
- Size: 89KB
- MD5: 5b27234b7f28316303351ea8bcfaa740
- SHA1: 7dcf0c208a5521ed0b68b8216e5f3238b48ba7be
- SHA256: 942e69a2eff2b922c28ff36c4f02d08b5eb35123ab5de83a9d23fcfa806ccdc5
- SHA512: 80a7a833a588eced6d3feca136600fb2a1734510975761d7116ee4acdc717c2b672f560603f70a0e8092acf4b9a266dc696518caf6bb867d3a2b307492e715ce
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  Processes:
  resource \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe, yara_rule family_sakula
  resource C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe, yara_rule family_sakula
- suricata: ET MALWARE SUSPICIOUS UA (iexplore)
- suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
- Executes dropped EXE (1 IoC)
  Processes:
  pid 576, process MediaCenter.exe
- Deletes itself (1 IoC)
  Processes:
  pid 1792, process cmd.exe
- Loads dropped DLL (1 IoC)
  Processes:
  pid 1068, process 942e69a2eff2b922c28ff36c4f02d08b5eb35123ab5de83a9d23fcfa806ccdc5.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
  description: Set value (str); ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"; process: 942e69a2eff2b922c28ff36c4f02d08b5eb35123ab5de83a9d23fcfa806ccdc5.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  description: Token: SeIncBasePriorityPrivilege; pid 1068; process 942e69a2eff2b922c28ff36c4f02d08b5eb35123ab5de83a9d23fcfa806ccdc5.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
  PID 1068 wrote to memory of 576: 942e69a2eff2b922c28ff36c4f02d08b5eb35123ab5de83a9d23fcfa806ccdc5.exe -> MediaCenter.exe (4 IoCs)
  PID 1068 wrote to memory of 1792: 942e69a2eff2b922c28ff36c4f02d08b5eb35123ab5de83a9d23fcfa806ccdc5.exe -> cmd.exe (4 IoCs)
  PID 1792 wrote to memory of 1496: cmd.exe -> PING.EXE (4 IoCs)
Processes
1. C:\Users\Admin\AppData\Local\Temp\942e69a2eff2b922c28ff36c4f02d08b5eb35123ab5de83a9d23fcfa806ccdc5.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\942e69a2eff2b922c28ff36c4f02d08b5eb35123ab5de83a9d23fcfa806ccdc5.exe"
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   PID: 1068
   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE
      PID: 576
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\942e69a2eff2b922c28ff36c4f02d08b5eb35123ab5de83a9d23fcfa806ccdc5.exe"
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      PID: 1792
      3. C:\Windows\SysWOW64\PING.EXE
         Command line: ping 127.0.0.1
         - Runs ping.exe
         PID: 1496
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 6544a6dd71c64f4c030730996ca15332
  SHA1: 540993b0cb22046a51cfd5e13193db410c3ede88
  SHA256: 2c0ca6a639d64bbaba56af1d05ec9309e4eb414d257117327e4f5206ba859da7
  SHA512: 095bc336a5e15ee7235200e1cf7a0ddfb02dc9e70bbe486b5795db05b9c7a09a520cf324fbb2bcf266b1f2e04b3e60ff0874cc5f9a941a0e29af9c1faf8af229