Analysis
max time kernel: 145s
max time network: 171s
platform: windows10_x64
resource: win10-en-20211208
submitted: 30-01-2022 18:01
Static task: static1
Behavioral task: behavioral1
  Sample: 1aac7739fb7413804e9d29d16497365d805ba00daf162461dcf043a970d23f4a.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 1aac7739fb7413804e9d29d16497365d805ba00daf162461dcf043a970d23f4a.exe
  Resource: win10-en-20211208
General
Target: 1aac7739fb7413804e9d29d16497365d805ba00daf162461dcf043a970d23f4a.exe
Size: 89KB
MD5: 63f171705b28a05c84b67750b7e0ebf7
SHA1: 5c0a8f5abe59267e890e7ddf475a10a5598cfce3
SHA256: 1aac7739fb7413804e9d29d16497365d805ba00daf162461dcf043a970d23f4a
SHA512: 0ed18d0e3a1649d2aaf58def947c0cb4640431846fa205784dec1c1c54ad4b8aedc45b1ca068ae8f772e8f13f4e8ffa225b905a21a538be2bb146fed8b27814c
Malware Config
Signatures

Sakula Payload (2 IoCs)
Processes:
  resource                                                        yara_rule
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe    family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe    family_sakula

suricata: ET MALWARE SUSPICIOUS UA (iexplore)

suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1

Executes dropped EXE (1 IoC)
Processes:
  pid     process
  2636    MediaCenter.exe

Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  description        ioc                                                                                                                                                                           process
  Set value (str)    \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"    1aac7739fb7413804e9d29d16497365d805ba00daf162461dcf043a970d23f4a.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTP, 1 IoC)

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  description                          pid     process
  Token: SeIncBasePriorityPrivilege    3808    1aac7739fb7413804e9d29d16497365d805ba00daf162461dcf043a970d23f4a.exe

Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
  description                          pid     process                                                                   target process
  PID 3808 wrote to memory of 2636     3808    1aac7739fb7413804e9d29d16497365d805ba00daf162461dcf043a970d23f4a.exe    MediaCenter.exe
  PID 3808 wrote to memory of 2636     3808    1aac7739fb7413804e9d29d16497365d805ba00daf162461dcf043a970d23f4a.exe    MediaCenter.exe
  PID 3808 wrote to memory of 2636     3808    1aac7739fb7413804e9d29d16497365d805ba00daf162461dcf043a970d23f4a.exe    MediaCenter.exe
  PID 3808 wrote to memory of 1536     3808    1aac7739fb7413804e9d29d16497365d805ba00daf162461dcf043a970d23f4a.exe    cmd.exe
  PID 3808 wrote to memory of 1536     3808    1aac7739fb7413804e9d29d16497365d805ba00daf162461dcf043a970d23f4a.exe    cmd.exe
  PID 3808 wrote to memory of 1536     3808    1aac7739fb7413804e9d29d16497365d805ba00daf162461dcf043a970d23f4a.exe    cmd.exe
  PID 1536 wrote to memory of 3908     1536    cmd.exe                                                                   PING.EXE
  PID 1536 wrote to memory of 3908     1536    cmd.exe                                                                   PING.EXE
  PID 1536 wrote to memory of 3908     1536    cmd.exe                                                                   PING.EXE
Processes

C:\Users\Admin\AppData\Local\Temp\1aac7739fb7413804e9d29d16497365d805ba00daf162461dcf043a970d23f4a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1aac7739fb7413804e9d29d16497365d805ba00daf162461dcf043a970d23f4a.exe"
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 3808

  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 2636

  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\1aac7739fb7413804e9d29d16497365d805ba00daf162461dcf043a970d23f4a.exe"
    - Suspicious use of WriteProcessMemory
    PID: 1536

    C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 3908
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: b04cb1cbf96150060ab3a93038d0b8e0
SHA1: 7c26be807e774ff6781278fd4d8ead1199e88a87
SHA256: 4ea4f1525626a891454060cb31c4c55cddf27f9edbea8a748ee7f78fbc6889ae
SHA512: 86b675a9c4c01be7dcf55012c1d5ded943bfb228d1558b1ee57fb20d99d6a226f34e01e75bab87608bbb6a0048ecde427b35bff669ce1a4b03dfdcc3b994747d