Analysis
- max time kernel: 128s
- max time network: 128s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 31-01-2022 01:12
Static task: static1
Behavioral task: behavioral1
  Sample: 8ad122388d4e0984b9319f04473010547b60e17b8406ba9eb541a97aca616de7.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 8ad122388d4e0984b9319f04473010547b60e17b8406ba9eb541a97aca616de7.exe
  Resource: win10-en-20211208
General
- Target: 8ad122388d4e0984b9319f04473010547b60e17b8406ba9eb541a97aca616de7.exe
- Size: 89KB
- MD5: 04f17c37259533e301b01a8c64e476e6
- SHA1: ed04cba2871e1c0a83beb00a4acb265fba24d1c7
- SHA256: 8ad122388d4e0984b9319f04473010547b60e17b8406ba9eb541a97aca616de7
- SHA512: 53f3ed1dee9412cb425d826c3703f0c37b2aab549be0c961ca4f33cca0b536a6913239c216ed4a47d93c2e223f4ebb37799a28273a478889b9c41f71afe47207
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  Processes (resource, yara_rule):
    \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  family_sakula
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  family_sakula
- suricata: ET MALWARE SUSPICIOUS UA (iexplore)
- suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
- Executes dropped EXE (1 IoC)
  Processes (pid, process):
    952  MediaCenter.exe
- Deletes itself (1 IoC)
  Processes (pid, process):
    1240  cmd.exe
- Loads dropped DLL (1 IoC)
  Processes (pid, process):
    828  8ad122388d4e0984b9319f04473010547b60e17b8406ba9eb541a97aca616de7.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description, ioc, process):
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  8ad122388d4e0984b9319f04473010547b60e17b8406ba9eb541a97aca616de7.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description, pid, process):
    Token: SeIncBasePriorityPrivilege  828  8ad122388d4e0984b9319f04473010547b60e17b8406ba9eb541a97aca616de7.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description, pid, process, target process):
    PID 828 wrote to memory of 952  828  8ad122388d4e0984b9319f04473010547b60e17b8406ba9eb541a97aca616de7.exe  MediaCenter.exe
    PID 828 wrote to memory of 952  828  8ad122388d4e0984b9319f04473010547b60e17b8406ba9eb541a97aca616de7.exe  MediaCenter.exe
    PID 828 wrote to memory of 952  828  8ad122388d4e0984b9319f04473010547b60e17b8406ba9eb541a97aca616de7.exe  MediaCenter.exe
    PID 828 wrote to memory of 952  828  8ad122388d4e0984b9319f04473010547b60e17b8406ba9eb541a97aca616de7.exe  MediaCenter.exe
    PID 828 wrote to memory of 1240  828  8ad122388d4e0984b9319f04473010547b60e17b8406ba9eb541a97aca616de7.exe  cmd.exe
    PID 828 wrote to memory of 1240  828  8ad122388d4e0984b9319f04473010547b60e17b8406ba9eb541a97aca616de7.exe  cmd.exe
    PID 828 wrote to memory of 1240  828  8ad122388d4e0984b9319f04473010547b60e17b8406ba9eb541a97aca616de7.exe  cmd.exe
    PID 828 wrote to memory of 1240  828  8ad122388d4e0984b9319f04473010547b60e17b8406ba9eb541a97aca616de7.exe  cmd.exe
    PID 1240 wrote to memory of 572  1240  cmd.exe  PING.EXE
    PID 1240 wrote to memory of 572  1240  cmd.exe  PING.EXE
    PID 1240 wrote to memory of 572  1240  cmd.exe  PING.EXE
    PID 1240 wrote to memory of 572  1240  cmd.exe  PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\8ad122388d4e0984b9319f04473010547b60e17b8406ba9eb541a97aca616de7.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8ad122388d4e0984b9319f04473010547b60e17b8406ba9eb541a97aca616de7.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 828
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 952
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\8ad122388d4e0984b9319f04473010547b60e17b8406ba9eb541a97aca616de7.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1240
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 572
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: b9df8eb2d5991fa2544ed1774d3166cc
  SHA1: a40a413828848586c86cecf4a2dce6ec63471ddf
  SHA256: 364100d5009e7b29c43d692fad1999458afb80f86b6b894c11f514c3d40cba02
  SHA512: 0ff043fa6adb801c223f19d66036ffdf3faf1ec76a01386e85d74ccf95a14ffeae5b1c7b2099f1b57de29a9d64bbbff115e817d8955c68d9b1880a1aa2a26347