Analysis
- max time kernel: 152s
- max time network: 172s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 30-01-2022 18:01
Static task: static1
Behavioral task: behavioral1
  Sample: 2c9aea3d2be2ca9ecdec74e5e783df43458b6b0c23d4ccda631fbe8aa160c6c7.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 2c9aea3d2be2ca9ecdec74e5e783df43458b6b0c23d4ccda631fbe8aa160c6c7.exe
  Resource: win10-en-20211208
General
- Target: 2c9aea3d2be2ca9ecdec74e5e783df43458b6b0c23d4ccda631fbe8aa160c6c7.exe
- Size: 89KB
- MD5: 63c0978e2fa715a3cad6fb3068f70961
- SHA1: 9e119104c2597f0ab4542c512a1eb9fa2729852f
- SHA256: 2c9aea3d2be2ca9ecdec74e5e783df43458b6b0c23d4ccda631fbe8aa160c6c7
- SHA512: 5e750d3542bc41a9f2c4fc4f906f5d05dea7ee22c3b2f11f4f92324ddcb9dd89852f553d5c58583c4c79bd19dc1c7cbf77979b601196f69ffbaef57ede049729
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  Processes:
    resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  yara_rule: family_sakula
    resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  yara_rule: family_sakula
- suricata: ET MALWARE SUSPICIOUS UA (iexplore)
- suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
- Executes dropped EXE (1 IoCs)
  Processes:
    pid: 4048  process: MediaCenter.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
    description: Set value (str)
    ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
    process: 2c9aea3d2be2ca9ecdec74e5e783df43458b6b0c23d4ccda631fbe8aa160c6c7.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
    description: Token: SeIncBasePriorityPrivilege  pid: 2400  process: 2c9aea3d2be2ca9ecdec74e5e783df43458b6b0c23d4ccda631fbe8aa160c6c7.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (PID wrote to memory of target PID; process -> target process):
    2400 -> 4048  2c9aea3d2be2ca9ecdec74e5e783df43458b6b0c23d4ccda631fbe8aa160c6c7.exe -> MediaCenter.exe
    2400 -> 4048  2c9aea3d2be2ca9ecdec74e5e783df43458b6b0c23d4ccda631fbe8aa160c6c7.exe -> MediaCenter.exe
    2400 -> 4048  2c9aea3d2be2ca9ecdec74e5e783df43458b6b0c23d4ccda631fbe8aa160c6c7.exe -> MediaCenter.exe
    2400 -> 3220  2c9aea3d2be2ca9ecdec74e5e783df43458b6b0c23d4ccda631fbe8aa160c6c7.exe -> cmd.exe
    2400 -> 3220  2c9aea3d2be2ca9ecdec74e5e783df43458b6b0c23d4ccda631fbe8aa160c6c7.exe -> cmd.exe
    2400 -> 3220  2c9aea3d2be2ca9ecdec74e5e783df43458b6b0c23d4ccda631fbe8aa160c6c7.exe -> cmd.exe
    3220 -> 1208  cmd.exe -> PING.EXE
    3220 -> 1208  cmd.exe -> PING.EXE
    3220 -> 1208  cmd.exe -> PING.EXE
Processes
- (level 1) C:\Users\Admin\AppData\Local\Temp\2c9aea3d2be2ca9ecdec74e5e783df43458b6b0c23d4ccda631fbe8aa160c6c7.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2c9aea3d2be2ca9ecdec74e5e783df43458b6b0c23d4ccda631fbe8aa160c6c7.exe"
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2400
  - (level 2) C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 4048
  - (level 2) C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\2c9aea3d2be2ca9ecdec74e5e783df43458b6b0c23d4ccda631fbe8aa160c6c7.exe"
    - Suspicious use of WriteProcessMemory
    PID: 3220
    - (level 3) C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1208
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: a9f3d3a0a0982894a430013c029c7e4a
  SHA1: 5b86bf20cc6e05237242571e4db6d06dc3f76752
  SHA256: 25adbd0a8463c32c6d245aea28abe68cee1b419553d42733b5bd352cf2e885ab
  SHA512: 275a05d9b9a943dbe36e8b1e9aaff0648250a51a25af25e328ce2c23a808f5001de7f9350940e00109b995a7a2486b538965c466fb45eb024a3443a44efe168c