Analysis
max time kernel: 131s
max time network: 156s
platform: windows7_x64
resource: win7-en-20211208
submitted: 30-01-2022 18:01
Static task: static1
Behavioral task: behavioral1
  Sample: 2c9aea3d2be2ca9ecdec74e5e783df43458b6b0c23d4ccda631fbe8aa160c6c7.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 2c9aea3d2be2ca9ecdec74e5e783df43458b6b0c23d4ccda631fbe8aa160c6c7.exe
  Resource: win10-en-20211208
General
Target: 2c9aea3d2be2ca9ecdec74e5e783df43458b6b0c23d4ccda631fbe8aa160c6c7.exe
Size: 89KB
MD5: 63c0978e2fa715a3cad6fb3068f70961
SHA1: 9e119104c2597f0ab4542c512a1eb9fa2729852f
SHA256: 2c9aea3d2be2ca9ecdec74e5e783df43458b6b0c23d4ccda631fbe8aa160c6c7
SHA512: 5e750d3542bc41a9f2c4fc4f906f5d05dea7ee22c3b2f11f4f92324ddcb9dd89852f553d5c58583c4c79bd19dc1c7cbf77979b601196f69ffbaef57ede049729
Malware Config
Signatures
-
Sakula Payload (2 IoCs)
Processes:
resource | yara_rule
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
-
suricata: ET MALWARE SUSPICIOUS UA (iexplore)
-
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
-
Executes dropped EXE (1 IoCs)
Processes: MediaCenter.exe
pid | process
1600 | MediaCenter.exe
-
Deletes itself (1 IoCs)
Processes: cmd.exe
pid | process
1092 | cmd.exe
-
Loads dropped DLL (1 IoCs)
Processes: 2c9aea3d2be2ca9ecdec74e5e783df43458b6b0c23d4ccda631fbe8aa160c6c7.exe
pid | process
1580 | 2c9aea3d2be2ca9ecdec74e5e783df43458b6b0c23d4ccda631fbe8aa160c6c7.exe
-
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes: 2c9aea3d2be2ca9ecdec74e5e783df43458b6b0c23d4ccda631fbe8aa160c6c7.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 2c9aea3d2be2ca9ecdec74e5e783df43458b6b0c23d4ccda631fbe8aa160c6c7.exe
-
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe (1 TTPs, 1 IoCs)
-
Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes: 2c9aea3d2be2ca9ecdec74e5e783df43458b6b0c23d4ccda631fbe8aa160c6c7.exe
description | pid | process
Token: SeIncBasePriorityPrivilege | 1580 | 2c9aea3d2be2ca9ecdec74e5e783df43458b6b0c23d4ccda631fbe8aa160c6c7.exe
-
Suspicious use of WriteProcessMemory (12 IoCs)
Processes: 2c9aea3d2be2ca9ecdec74e5e783df43458b6b0c23d4ccda631fbe8aa160c6c7.exe, cmd.exe
description | pid | process | target process
PID 1580 wrote to memory of 1600 | 1580 | 2c9aea3d2be2ca9ecdec74e5e783df43458b6b0c23d4ccda631fbe8aa160c6c7.exe | MediaCenter.exe
PID 1580 wrote to memory of 1600 | 1580 | 2c9aea3d2be2ca9ecdec74e5e783df43458b6b0c23d4ccda631fbe8aa160c6c7.exe | MediaCenter.exe
PID 1580 wrote to memory of 1600 | 1580 | 2c9aea3d2be2ca9ecdec74e5e783df43458b6b0c23d4ccda631fbe8aa160c6c7.exe | MediaCenter.exe
PID 1580 wrote to memory of 1600 | 1580 | 2c9aea3d2be2ca9ecdec74e5e783df43458b6b0c23d4ccda631fbe8aa160c6c7.exe | MediaCenter.exe
PID 1580 wrote to memory of 1092 | 1580 | 2c9aea3d2be2ca9ecdec74e5e783df43458b6b0c23d4ccda631fbe8aa160c6c7.exe | cmd.exe
PID 1580 wrote to memory of 1092 | 1580 | 2c9aea3d2be2ca9ecdec74e5e783df43458b6b0c23d4ccda631fbe8aa160c6c7.exe | cmd.exe
PID 1580 wrote to memory of 1092 | 1580 | 2c9aea3d2be2ca9ecdec74e5e783df43458b6b0c23d4ccda631fbe8aa160c6c7.exe | cmd.exe
PID 1580 wrote to memory of 1092 | 1580 | 2c9aea3d2be2ca9ecdec74e5e783df43458b6b0c23d4ccda631fbe8aa160c6c7.exe | cmd.exe
PID 1092 wrote to memory of 1068 | 1092 | cmd.exe | PING.EXE
PID 1092 wrote to memory of 1068 | 1092 | cmd.exe | PING.EXE
PID 1092 wrote to memory of 1068 | 1092 | cmd.exe | PING.EXE
PID 1092 wrote to memory of 1068 | 1092 | cmd.exe | PING.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\2c9aea3d2be2ca9ecdec74e5e783df43458b6b0c23d4ccda631fbe8aa160c6c7.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2c9aea3d2be2ca9ecdec74e5e783df43458b6b0c23d4ccda631fbe8aa160c6c7.exe"
Depth: 1
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 1580
-
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  Depth: 2
  - Executes dropped EXE
  PID: 1600
-
  C:\Windows\SysWOW64\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\2c9aea3d2be2ca9ecdec74e5e783df43458b6b0c23d4ccda631fbe8aa160c6c7.exe"
  Depth: 2
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID: 1092
-
    C:\Windows\SysWOW64\PING.EXE
    Command line: ping 127.0.0.1
    Depth: 3
    - Runs ping.exe
    PID: 1068
Network
MITRE ATT&CK Enterprise v6
Downloads
-
MD5: 327bd9f03897faab03e891294a1428cf
SHA1: ba657434e66ca9b7913f0ead0506622b53e4c175
SHA256: 659f819e4f7afaa3b6b58edd3173527a83aaefbebee732e206989fb2fb07636f
SHA512: 96c3cc0fd88dd1ed2989d688f20a42a9935c5b669711334c198c4c2b3d0f82823f956e386eb2a45893520ecacb07d8677b8488acf562f47883655a7d551044fb