Analysis
-
max time kernel
150s -
max time network
170s -
platform
windows10_x64 -
resource
win10-en-20211208 -
submitted
30-01-2022 18:01
Static task
static1
Behavioral task
behavioral1
Sample
25620250231753f08e62b21d998095572c5ab8dafe99a4a0016ebaab64593bb8.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
25620250231753f08e62b21d998095572c5ab8dafe99a4a0016ebaab64593bb8.exe
Resource
win10-en-20211208
General
-
Target
25620250231753f08e62b21d998095572c5ab8dafe99a4a0016ebaab64593bb8.exe
-
Size
89KB
-
MD5
64201ec97467910e74f40140c4aaa5ce
-
SHA1
98ebfabfae701dc7e6e7400356a5bb5a5c373ec8
-
SHA256
25620250231753f08e62b21d998095572c5ab8dafe99a4a0016ebaab64593bb8
-
SHA512
896017e88ce927e4784f622086e4b2f236d64e56ce9a4c70ebe2a64d137038d3a9ec9be104d16a6b963d4235682b9f57701ef900b9e0b5d23c3cf1d19273d369
Malware Config
Signatures
-
Sakula Payload 2 IoCs
Processes:
  resource                                                      yara_rule
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  family_sakula
-
suricata: ET MALWARE SUSPICIOUS UA (iexplore)
-
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
-
Executes dropped EXE 1 IoCs
Processes:
  pid   process
  3264  MediaCenter.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
  description: Set value (str)
  ioc:         \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  process:     25620250231753f08e62b21d998095572c5ab8dafe99a4a0016ebaab64593bb8.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
  description: Token: SeIncBasePriorityPrivilege
  pid:         1428
  process:     25620250231753f08e62b21d998095572c5ab8dafe99a4a0016ebaab64593bb8.exe
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
  description                       pid   process                                                                target process
  PID 1428 wrote to memory of 3264  1428  25620250231753f08e62b21d998095572c5ab8dafe99a4a0016ebaab64593bb8.exe  MediaCenter.exe
  PID 1428 wrote to memory of 3264  1428  25620250231753f08e62b21d998095572c5ab8dafe99a4a0016ebaab64593bb8.exe  MediaCenter.exe
  PID 1428 wrote to memory of 3264  1428  25620250231753f08e62b21d998095572c5ab8dafe99a4a0016ebaab64593bb8.exe  MediaCenter.exe
  PID 1428 wrote to memory of 3388  1428  25620250231753f08e62b21d998095572c5ab8dafe99a4a0016ebaab64593bb8.exe  cmd.exe
  PID 1428 wrote to memory of 3388  1428  25620250231753f08e62b21d998095572c5ab8dafe99a4a0016ebaab64593bb8.exe  cmd.exe
  PID 1428 wrote to memory of 3388  1428  25620250231753f08e62b21d998095572c5ab8dafe99a4a0016ebaab64593bb8.exe  cmd.exe
  PID 3388 wrote to memory of 2232  3388  cmd.exe                                                                PING.EXE
  PID 3388 wrote to memory of 2232  3388  cmd.exe                                                                PING.EXE
  PID 3388 wrote to memory of 2232  3388  cmd.exe                                                                PING.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\25620250231753f08e62b21d998095572c5ab8dafe99a4a0016ebaab64593bb8.exe
  "C:\Users\Admin\AppData\Local\Temp\25620250231753f08e62b21d998095572c5ab8dafe99a4a0016ebaab64593bb8.exe"
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1428
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID:3264
  C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\25620250231753f08e62b21d998095572c5ab8dafe99a4a0016ebaab64593bb8.exe"
    - Suspicious use of WriteProcessMemory
    PID:3388
    C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1
      - Runs ping.exe
      PID:2232
Network
MITRE ATT&CK Enterprise v6
Downloads
-
MD5
73390b6904fb65a4df20ee9255031fba
SHA1
315044114bd11cfa96fe51ba6644ffa587f32888
SHA256
7e4d08d96dd92e8b9c9beb2e1401ba06bcef7950841dbb68c649dfab80294f5b
SHA512
b4bce3a80ecb24e111df900ff38cfc41d7e18a1ba04f3135b3fa87faa8ffb45741ee0eebaf3db697702b85da5786c59d62fcf5d41550fc0bfd2bf70578677516