Analysis
  max time kernel: 140s
  max time network: 150s
  platform: windows10_x64
  resource: win10-en-20211208
  submitted: 30-01-2022 20:42

Static task: static1

Behavioral task: behavioral1
  Sample: de8f6ef7026669e4e31bce66b7477a16e9e3d804d3618a5716e0bac2472b2a70.exe
  Resource: win7-en-20211208

Behavioral task: behavioral2
  Sample: de8f6ef7026669e4e31bce66b7477a16e9e3d804d3618a5716e0bac2472b2a70.exe
  Resource: win10-en-20211208
General
  Target: de8f6ef7026669e4e31bce66b7477a16e9e3d804d3618a5716e0bac2472b2a70.exe
  Size: 89KB
  MD5: 3859b0ea4596d8f47677497d09bcc894
  SHA1: e71caf1ac227478f4a95dc89170ca0f0dd755c72
  SHA256: de8f6ef7026669e4e31bce66b7477a16e9e3d804d3618a5716e0bac2472b2a70
  SHA512: e175e12a6b01ae3ae04840bfd9b80211aadd0c2ff1100bc3aa6ed1ac1a71544873a54f258139645b272758cc89a4cb04733e2aed16fd2d6e77615533891cfb04
Malware Config
Signatures

Sakula Payload (2 IoCs)
  resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  yara_rule: family_sakula
  resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  yara_rule: family_sakula

suricata: ET MALWARE SUSPICIOUS UA (iexplore)

suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1

Executes dropped EXE (1 IoC)
  pid: 3032  process: MediaCenter.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  process: de8f6ef7026669e4e31bce66b7477a16e9e3d804d3618a5716e0bac2472b2a70.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTP, 1 IoC)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description: Token: SeIncBasePriorityPrivilege
  pid: 600
  process: de8f6ef7026669e4e31bce66b7477a16e9e3d804d3618a5716e0bac2472b2a70.exe

Suspicious use of WriteProcessMemory (9 IoCs)
  description                      pid  process                                                               target process
  PID 600 wrote to memory of 3032  600  de8f6ef7026669e4e31bce66b7477a16e9e3d804d3618a5716e0bac2472b2a70.exe  MediaCenter.exe
  PID 600 wrote to memory of 3032  600  de8f6ef7026669e4e31bce66b7477a16e9e3d804d3618a5716e0bac2472b2a70.exe  MediaCenter.exe
  PID 600 wrote to memory of 3032  600  de8f6ef7026669e4e31bce66b7477a16e9e3d804d3618a5716e0bac2472b2a70.exe  MediaCenter.exe
  PID 600 wrote to memory of 372   600  de8f6ef7026669e4e31bce66b7477a16e9e3d804d3618a5716e0bac2472b2a70.exe  cmd.exe
  PID 600 wrote to memory of 372   600  de8f6ef7026669e4e31bce66b7477a16e9e3d804d3618a5716e0bac2472b2a70.exe  cmd.exe
  PID 600 wrote to memory of 372   600  de8f6ef7026669e4e31bce66b7477a16e9e3d804d3618a5716e0bac2472b2a70.exe  cmd.exe
  PID 372 wrote to memory of 1704  372  cmd.exe                                                               PING.EXE
  PID 372 wrote to memory of 1704  372  cmd.exe                                                               PING.EXE
  PID 372 wrote to memory of 1704  372  cmd.exe                                                               PING.EXE
Processes

C:\Users\Admin\AppData\Local\Temp\de8f6ef7026669e4e31bce66b7477a16e9e3d804d3618a5716e0bac2472b2a70.exe (PID 600)
  command line: "C:\Users\Admin\AppData\Local\Temp\de8f6ef7026669e4e31bce66b7477a16e9e3d804d3618a5716e0bac2472b2a70.exe"
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 3032)
    command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE

  C:\Windows\SysWOW64\cmd.exe (PID 372)
    command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\de8f6ef7026669e4e31bce66b7477a16e9e3d804d3618a5716e0bac2472b2a70.exe"
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\PING.EXE (PID 1704)
      command line: ping 127.0.0.1
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
  MD5: 29b5b55962aef809977b8d8fc137fffb
  SHA1: 4541462e69a10b5fdf0681d77e1113c268061ae5
  SHA256: 0991d503a89769f598fc8cde90ca27985d2df60ed4d54fd24a84d50dbeebd02d
  SHA512: 1f71d3f74f840f3127533ef501a52b18a364d93efd4c26003bfdf198cec0e7dc233701c862b7c560005ab0a9db27b06e86abc71ff2eec165a30024999193d15c