Analysis
- Max time kernel: 137s
- Max time network: 146s
- Platform: windows7_x64
- Resource: win7-en-20211208
- Submitted: 30-01-2022 18:01
- Static task: static1
- Behavioral task: behavioral1, sample 25620250231753f08e62b21d998095572c5ab8dafe99a4a0016ebaab64593bb8.exe, resource win7-en-20211208
- Behavioral task: behavioral2, sample 25620250231753f08e62b21d998095572c5ab8dafe99a4a0016ebaab64593bb8.exe, resource win10-en-20211208
General
- Target: 25620250231753f08e62b21d998095572c5ab8dafe99a4a0016ebaab64593bb8.exe
- Size: 89KB
- MD5: 64201ec97467910e74f40140c4aaa5ce
- SHA1: 98ebfabfae701dc7e6e7400356a5bb5a5c373ec8
- SHA256: 25620250231753f08e62b21d998095572c5ab8dafe99a4a0016ebaab64593bb8
- SHA512: 896017e88ce927e4784f622086e4b2f236d64e56ce9a4c70ebe2a64d137038d3a9ec9be104d16a6b963d4235682b9f57701ef900b9e0b5d23c3cf1d19273d369
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  YARA rule family_sakula matched the dropped file, recorded twice, once without and once with the drive letter:
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  family_sakula
- suricata: ET MALWARE SUSPICIOUS UA (iexplore)
- suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
- Executes dropped EXE (1 IoC)
  Process: MediaCenter.exe, PID 1928
- Deletes itself (1 IoC)
  Process: cmd.exe, PID 1980
- Loads dropped DLL (1 IoC)
  Process: 25620250231753f08e62b21d998095572c5ab8dafe99a4a0016ebaab64593bb8.exe, PID 1760
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process 25620250231753f08e62b21d998095572c5ab8dafe99a4a0016ebaab64593bb8.exe (PID 1760) set the string value
  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  The Wow6432Node path shows the writer is a 32-bit process on 64-bit Windows. This entry is the persistence that relaunches the dropped payload at logon; a check that only reads the native Run key would miss it.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox rule's text adds "likely ransomware behaviour", but that is the rule's generic description; nothing else in this report, which identifies the sample as the Sakula RAT, points to ransomware.
- Runs ping.exe (1 TTP, 1 IoC)
  Process: PING.EXE, PID 1836, command line "ping 127.0.0.1", spawned by cmd.exe PID 1980 (see the process tree)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Process 25620250231753f08e62b21d998095572c5ab8dafe99a4a0016ebaab64593bb8.exe (PID 1760) adjusted token privilege SeIncBasePriorityPrivilege
- Suspicious use of WriteProcessMemory (12 IoCs)
  PID 1760 (25620250231753f08e62b21d998095572c5ab8dafe99a4a0016ebaab64593bb8.exe) wrote to memory of PID 1928 (MediaCenter.exe), 4 times
  PID 1760 (25620250231753f08e62b21d998095572c5ab8dafe99a4a0016ebaab64593bb8.exe) wrote to memory of PID 1980 (cmd.exe), 4 times
  PID 1980 (cmd.exe) wrote to memory of PID 1836 (PING.EXE), 4 times
  Every target is a direct child of the writer (see the process tree), so these writes are consistent with the creation of each child process rather than with injection into an unrelated process.
Processes
C:\Users\Admin\AppData\Local\Temp\25620250231753f08e62b21d998095572c5ab8dafe99a4a0016ebaab64593bb8.exe  (PID 1760)
  command line: "C:\Users\Admin\AppData\Local\Temp\25620250231753f08e62b21d998095572c5ab8dafe99a4a0016ebaab64593bb8.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  +- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  (PID 1928)
     command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
     - Executes dropped EXE
  +- C:\Windows\SysWOW64\cmd.exe  (PID 1980)
     command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\25620250231753f08e62b21d998095572c5ab8dafe99a4a0016ebaab64593bb8.exe"
     - Deletes itself
     - Suspicious use of WriteProcessMemory
     +- C:\Windows\SysWOW64\PING.EXE  (PID 1836)
        command line: ping 127.0.0.1
        - Runs ping.exe

The command line asks for System32\cmd.exe but the image that ran is SysWOW64\cmd.exe: the sample is a 32-bit process (its Run key landed under Wow6432Node), so WOW64 file-system redirection substituted the 32-bit binary. The ping to 127.0.0.1 is only a delay; a running executable cannot be deleted on Windows, so it gives the dropper time to exit before del removes it, while the dropped MediaCenter.exe, already registered in the Run key, stays on disk.
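The dropper's self-deletion through "cmd /c ping 127.0.0.1 & del" and the Run-key value written under Wow6432Node are the two host artefacts in this report that a detection should key on. What follows is an added example, not the sandbox's or the report's own code, of that detection logic run over events constructed to mirror the process tree and registry write above. The event field names (loosely Sysmon-like), the two benign comparison events and the list of user-writable directories are assumptions.

```python
"""Detect the two host behaviours in the report: a loopback-ping self-delete
via cmd.exe, and Run-key persistence pointing into a user-writable directory.
Events are constructed from the report's process tree and registry write;
they are not an export from the sandbox, and the field names are assumed."""
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    pid: int
    ppid: int
    image: str      # image path actually executed
    cmdline: str    # command line as recorded


@dataclass
class RegistryEvent:
    pid: int
    image: str
    key: str        # full registry path of the value that was set
    value: str      # string data written


SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\25620250231753f08e62b21d998095572c5ab8dafe99a4a0016ebaab64593bb8.exe")
PAYLOAD = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

# Constructed events: the four processes from the report's tree plus one benign
# cmd.exe (PID 2000, assumed) that pings loopback without deleting anything.
PROCESS_EVENTS = [
    ProcessEvent(1760, 1000, SAMPLE, '"' + SAMPLE + '"'),
    ProcessEvent(1928, 1760, PAYLOAD, PAYLOAD),
    ProcessEvent(1980, 1760, r"C:\Windows\SysWOW64\cmd.exe",
                 '"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "' + SAMPLE + '"'),
    ProcessEvent(1836, 1980, r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.1"),
    ProcessEvent(2000, 1500, r"C:\Windows\System32\cmd.exe",
                 '"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1'),
]

# Constructed registry writes: the report's Run-key entry plus an assumed benign
# installer registering an agent from Program Files.
REGISTRY_EVENTS = [
    RegistryEvent(1760, SAMPLE,
                  r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
                  PAYLOAD),
    RegistryEvent(3000, r"C:\Program Files\Vendor\setup.exe",
                  r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
                  r"C:\Program Files\Vendor\agent.exe"),
]

# "ping [-n N] 127.0.0.1 ... & del [/switches] <file>.exe": the loopback ping is a
# sleep so that cmd.exe can delete a file its caller is still executing from.
SELF_DELETE_RE = re.compile(
    r"ping(?:\.exe)?\s+(?:-n\s+\d+\s+)?127\.0\.0\.1[^&]*&\s*del\s+(?:/\w\s+)*"
    r'"?(?P<target>[^"&]+?\.exe)"?',
    re.IGNORECASE,
)

# Matches the native Run/RunOnce keys and their Wow6432Node mirrors alike.
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.IGNORECASE)

# Locations a non-admin user can write to (assumed list); a Run value pointing
# here is rarely legitimate.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\",
                 "\\users\\public\\", "\\programdata\\")


def detect_self_delete(events):
    """Return one finding per process whose command line matches SELF_DELETE_RE,
    marking whether the deleted file is the parent's own image (the dropper
    erasing itself, as in the report) rather than some other file."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        m = SELF_DELETE_RE.search(e.cmdline)
        if not m:
            continue
        target = m.group("target").strip()
        parent = by_pid.get(e.ppid)
        findings.append({
            "pid": e.pid,
            "target": target,
            "deletes_parent": parent is not None and parent.image.lower() == target.lower(),
        })
    return findings


def detect_run_key_persistence(events):
    """Return one finding per Run-key value whose data points into a user-writable
    directory, noting whether the write went through Wow6432Node, which marks a
    32-bit writer on 64-bit Windows (the report's case)."""
    findings = []
    for e in events:
        if not RUN_KEY_RE.search(e.key):
            continue
        data = e.value.lower()
        if any(p in data for p in USER_WRITABLE):
            findings.append({
                "pid": e.pid,
                "key": e.key,
                "data": e.value,
                "wow64": "\\wow6432node\\" in e.key.lower(),
            })
    return findings


if __name__ == "__main__":
    for f in detect_self_delete(PROCESS_EVENTS):
        print("self-delete:", f)
    for f in detect_run_key_persistence(REGISTRY_EVENTS):
        print("run-key persistence:", f)
```

Both checks work on the recorded command line and registry path rather than on the image path, which matters here: the image that ran was SysWOW64\cmd.exe even though the command line named System32\cmd.exe, and the Run value sits under Wow6432Node rather than the native key. The self-delete rule is weighted by whether the deleted file is the parent's own image, which separates this dropper pattern from an administrator's cleanup script that happens to delete an executable.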
Network
MITRE ATT&CK Enterprise v6
Downloads
One file is available for download from this analysis; its hashes differ from the submitted sample's, so it is not the sample itself.
- MD5: 2988ff7349bac798ccc4d5607df6babf
- SHA1: 9911e3ab267e4d8ea39263959c21c18226151a77
- SHA256: bc314e74de6f55bba70ff5c0894644ab52fc50b4bcca9b37bdd9894200cc49c6
- SHA512: 797b0103ab366338e9b069dfd374ef99f2951808907f99f0dcf1900a7e6847478193e59974ae90cb7357501bdd83c742aa74e62e7bb675a00fdffc99d6cb36b2