Analysis
max time kernel: 161s
max time network: 181s
platform: windows10_x64
resource: win10-en-20211208
submitted: 30-01-2022 18:32
Static task: static1
Behavioral task: behavioral1
  Sample: 942e69a2eff2b922c28ff36c4f02d08b5eb35123ab5de83a9d23fcfa806ccdc5.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 942e69a2eff2b922c28ff36c4f02d08b5eb35123ab5de83a9d23fcfa806ccdc5.exe
  Resource: win10-en-20211208
General
Target: 942e69a2eff2b922c28ff36c4f02d08b5eb35123ab5de83a9d23fcfa806ccdc5.exe
Size: 89KB
MD5: 5b27234b7f28316303351ea8bcfaa740
SHA1: 7dcf0c208a5521ed0b68b8216e5f3238b48ba7be
SHA256: 942e69a2eff2b922c28ff36c4f02d08b5eb35123ab5de83a9d23fcfa806ccdc5
SHA512: 80a7a833a588eced6d3feca136600fb2a1734510975761d7116ee4acdc717c2b672f560603f70a0e8092acf4b9a266dc696518caf6bb867d3a2b307492e715ce
Malware Config
Signatures
Sakula Payload 2 IoCs
Processes:
  resource                                                      yara_rule
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  family_sakula
suricata: ET MALWARE SUSPICIOUS UA (iexplore)
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
Executes dropped EXE 1 IoCs
Processes:
  pid   process
  1236  MediaCenter.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  process: 942e69a2eff2b922c28ff36c4f02d08b5eb35123ab5de83a9d23fcfa806ccdc5.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Runs ping.exe 1 TTPs 1 IoCs
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
  description: Token: SeIncBasePriorityPrivilege
  pid: 2808
  process: 942e69a2eff2b922c28ff36c4f02d08b5eb35123ab5de83a9d23fcfa806ccdc5.exe
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
  description                        pid   process                                                                   target process
  PID 2808 wrote to memory of 1236   2808  942e69a2eff2b922c28ff36c4f02d08b5eb35123ab5de83a9d23fcfa806ccdc5.exe  MediaCenter.exe
  PID 2808 wrote to memory of 1236   2808  942e69a2eff2b922c28ff36c4f02d08b5eb35123ab5de83a9d23fcfa806ccdc5.exe  MediaCenter.exe
  PID 2808 wrote to memory of 1236   2808  942e69a2eff2b922c28ff36c4f02d08b5eb35123ab5de83a9d23fcfa806ccdc5.exe  MediaCenter.exe
  PID 2808 wrote to memory of 816    2808  942e69a2eff2b922c28ff36c4f02d08b5eb35123ab5de83a9d23fcfa806ccdc5.exe  cmd.exe
  PID 2808 wrote to memory of 816    2808  942e69a2eff2b922c28ff36c4f02d08b5eb35123ab5de83a9d23fcfa806ccdc5.exe  cmd.exe
  PID 2808 wrote to memory of 816    2808  942e69a2eff2b922c28ff36c4f02d08b5eb35123ab5de83a9d23fcfa806ccdc5.exe  cmd.exe
  PID 816 wrote to memory of 1588    816   cmd.exe                                                                   PING.EXE
  PID 816 wrote to memory of 1588    816   cmd.exe                                                                   PING.EXE
  PID 816 wrote to memory of 1588    816   cmd.exe                                                                   PING.EXE
Processes
C:\Users\Admin\AppData\Local\Temp\942e69a2eff2b922c28ff36c4f02d08b5eb35123ab5de83a9d23fcfa806ccdc5.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\942e69a2eff2b922c28ff36c4f02d08b5eb35123ab5de83a9d23fcfa806ccdc5.exe"
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2808
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE
      PID:1236
    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\942e69a2eff2b922c28ff36c4f02d08b5eb35123ab5de83a9d23fcfa806ccdc5.exe"
      - Suspicious use of WriteProcessMemory
      PID:816
        C:\Windows\SysWOW64\PING.EXE
          Command line: ping 127.0.0.1
          - Runs ping.exe
          PID:1588
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: 118a6e8c263452586fda342f54bcef44
SHA1: 077df08ba3eda4ae5d89775dab2361b237bd5486
SHA256: 68f24c9ef4cd177d9dd96d8fe9f8b560793f0ddeaf71b668a76b8b1f533ed303
SHA512: f0b9dd5024646692299a5dda07948ac8e247bbcf84f63adf3298b067cae682c9ff87f9f6bb0d887aa7b144bf2bdbc4fc88db03c2a3f06ed9aa18638c8d2e9a8b