Analysis
Max time kernel: 155s
Max time network: 155s
Platform: windows7_x64
Resource: win7-en-20211208
Submitted: 30-01-2022 20:42

Tasks
Static task: static1
Behavioral task: behavioral1
  Sample: de8f6ef7026669e4e31bce66b7477a16e9e3d804d3618a5716e0bac2472b2a70.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: de8f6ef7026669e4e31bce66b7477a16e9e3d804d3618a5716e0bac2472b2a70.exe
  Resource: win10-en-20211208
General
Target: de8f6ef7026669e4e31bce66b7477a16e9e3d804d3618a5716e0bac2472b2a70.exe
Size: 89KB
MD5: 3859b0ea4596d8f47677497d09bcc894
SHA1: e71caf1ac227478f4a95dc89170ca0f0dd755c72
SHA256: de8f6ef7026669e4e31bce66b7477a16e9e3d804d3618a5716e0bac2472b2a70
SHA512: e175e12a6b01ae3ae04840bfd9b80211aadd0c2ff1100bc3aa6ed1ac1a71544873a54f258139645b272758cc89a4cb04733e2aed16fd2d6e77615533891cfb04
Malware Config
(no configuration extracted)

Signatures

Sakula Payload (2 IoCs)
  YARA rule family_sakula matched on:
    \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

Suricata alerts
  ET MALWARE SUSPICIOUS UA (iexplore)
  ET MALWARE Sakula/Mivast RAT CnC Beacon 1

Executes dropped EXE (1 IoC)
  PID 896  MediaCenter.exe

Deletes itself (1 IoC)
  PID 1256  cmd.exe

Loads dropped DLL (1 IoC)
  PID 1564  de8f6ef7026669e4e31bce66b7477a16e9e3d804d3618a5716e0bac2472b2a70.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  Process: de8f6ef7026669e4e31bce66b7477a16e9e3d804d3618a5716e0bac2472b2a70.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  Note: the key lives under Wow6432Node, i.e. the dropper is a 32-bit process writing HKLM\Software\...\Run through WOW64 registry redirection; hunting on the 64-bit view alone will miss it.

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature reads "likely ransomware behaviour"; for this sample, which the YARA and Suricata matches classify as the Sakula RAT, the signature is a weak indicator on its own.

Runs ping.exe (1 TTP, 1 IoC)
  PID 1100  PING.EXE  (ping 127.0.0.1, used as a delay before the self-delete; see Processes)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  PID 1564  de8f6ef7026669e4e31bce66b7477a16e9e3d804d3618a5716e0bac2472b2a70.exe  Token: SeIncBasePriorityPrivilege

Suspicious use of WriteProcessMemory (12 IoCs)
  Source PID  Source process                                                              Target PID  Target process    Events
  1564        de8f6ef7026669e4e31bce66b7477a16e9e3d804d3618a5716e0bac2472b2a70.exe    896         MediaCenter.exe   4
  1564        de8f6ef7026669e4e31bce66b7477a16e9e3d804d3618a5716e0bac2472b2a70.exe    1256        cmd.exe           4
  1256        cmd.exe                                                                     1100        PING.EXE          4
  (Writes by a parent into a freshly created child are normal for CreateProcess; the signature fires on the API pattern, not on proof of injection.)
Processes

1. C:\Users\Admin\AppData\Local\Temp\de8f6ef7026669e4e31bce66b7477a16e9e3d804d3618a5716e0bac2472b2a70.exe  (PID 1564)
   Command line: "C:\Users\Admin\AppData\Local\Temp\de8f6ef7026669e4e31bce66b7477a16e9e3d804d3618a5716e0bac2472b2a70.exe"
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  (PID 896)
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE

   2. C:\Windows\SysWOW64\cmd.exe  (PID 1256)
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\de8f6ef7026669e4e31bce66b7477a16e9e3d804d3618a5716e0bac2472b2a70.exe"
      - Deletes itself
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\PING.EXE  (PID 1100)
         Command line: ping 127.0.0.1
         - Runs ping.exe

Reading the tree: the dropper (1564) writes MediaCenter.exe to %TEMP%\MicroMedia, launches it, registers it under the Run key, then spawns cmd.exe with "ping 127.0.0.1 & del /q <own path>". The ping to loopback is only a short delay so the dropper can exit before del runs; del then removes the original file. The command line names System32\cmd.exe while the image path is SysWOW64\cmd.exe: that is WOW64 file-system redirection for a 32-bit parent, consistent with the Wow6432Node Run key above.
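The two behaviours in this tree, the ping-then-del self-removal and a Run key pointing into %TEMP%, are easy to hunt for in process-creation and registry telemetry. The script below is an added example, not output of the sandbox or part of the report; the event records are constructed to mirror the process tree and registry IoC above (a benign Run entry is included as a control), and the Sysmon-like field names (type, pid, ppid, image, cmdline, key, value) are an assumption about the log shape.

```python
"""Hunt for Sakula-style self-deletion and %TEMP% Run-key persistence.

Added example. EVENTS is constructed to mirror the report's process tree and
registry IoC; the field names are an assumed Sysmon-like shape, not real logs.
"""
import re
from typing import Dict, List, Tuple

DROPPER = r"C:\Users\Admin\AppData\Local\Temp\de8f6ef7026669e4e31bce66b7477a16e9e3d804d3618a5716e0bac2472b2a70.exe"
PAYLOAD = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

# Constructed events modelled on the report (not sandbox output).
EVENTS: List[Dict[str, str]] = [
    {"type": "process_create", "pid": "1564", "ppid": "600",
     "image": DROPPER, "cmdline": f'"{DROPPER}"'},
    {"type": "process_create", "pid": "896", "ppid": "1564",
     "image": PAYLOAD, "cmdline": PAYLOAD},
    {"type": "process_create", "pid": "1256", "ppid": "1564",
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{DROPPER}"'},
    {"type": "process_create", "pid": "1100", "ppid": "1256",
     "image": r"C:\Windows\SysWOW64\PING.EXE", "cmdline": "ping 127.0.0.1"},
    {"type": "registry_set", "pid": "1564",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "value": PAYLOAD},
    # Benign control: a Run entry outside %TEMP% must not be flagged.
    {"type": "registry_set", "pid": "700",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
     "value": r"C:\Windows\System32\SecurityHealthSystray.exe"},
]

# cmd /c ping <anything> ... & del [/switches] "<path>"  -- ping is a delay, not connectivity.
SELF_DELETE_RE = re.compile(
    r'cmd(?:\.exe)?"?\s+/c\s+ping\s+\S+.*?&\s*del\s+(?:/[a-z]\s+)*"?(?P<path>[^"&]+?)"?\s*$',
    re.IGNORECASE,
)
# Any Run key, in either the native or the Wow6432Node view.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run\\[^\\]+$", re.IGNORECASE)
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)


def detect_self_delete(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (parent pid, deleted path) where a child's `del` target is its parent's own image."""
    by_pid = {e["pid"]: e for e in events if e["type"] == "process_create"}
    hits = []
    for e in events:
        if e["type"] != "process_create":
            continue
        m = SELF_DELETE_RE.search(e["cmdline"])
        if not m:
            continue
        parent = by_pid.get(e["ppid"])
        target = m.group("path").strip()
        # Only a match against the parent's image is self-deletion; deleting some other file is not.
        if parent and parent["image"].lower() == target.lower():
            hits.append((e["ppid"], target))
    return hits


def detect_temp_run_key(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (key, value) for Run-key values that launch a binary from %TEMP%."""
    return [(e["key"], e["value"]) for e in events
            if e["type"] == "registry_set"
            and RUN_KEY_RE.search(e["key"]) and TEMP_RE.search(e["value"])]


def hunt(events: List[Dict[str, str]]) -> List[str]:
    """Combine both detections into human-readable findings."""
    findings = [f"self-delete: PID {ppid} removed its own image {path}"
                for ppid, path in detect_self_delete(events)]
    findings += [f"temp persistence: {key} -> {value}"
                 for key, value in detect_temp_run_key(events)]
    return findings


if __name__ == "__main__":
    for line in hunt(EVENTS):
        print(line)
```

The self-delete rule deliberately requires the `del` target to equal the parent's image path; a bare "cmd /c ping & del" match is noisy, since installers use the same idiom to clean up temporary files. The Run-key rule matches on the key suffix rather than the hive prefix so it fires on both HKLM\SOFTWARE\...\Run and the Wow6432Node view this sample wrote to.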
Network
MITRE ATT&CK Enterprise v6
Downloads
(one file, listed twice in the report with identical hashes)
MD5: 0c39a25f54b5e7fac9ba1e9abe168f5d
SHA1: 0da5368cdf325c8077814b8a493b45e3066a80c2
SHA256: 8d59dd73fd8bc1289b4b9649ac9f38fb387682afac7f90d153c65693e223191a
SHA512: 766e9a5e571b64fcf5e98530a4eb58540ab80c97eb5228c9c3fcda74f542c2522e784104a54226b7cf3f77379022b204db59c7bde0dbf2d20ca0426ea8ef5387