Analysis
max time kernel: 151s
max time network: 163s
platform: windows10_x64
resource: win10-en-20211208
submitted: 31-01-2022 01:12
Static task: static1
Behavioral task: behavioral1
  Sample: 8ad122388d4e0984b9319f04473010547b60e17b8406ba9eb541a97aca616de7.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 8ad122388d4e0984b9319f04473010547b60e17b8406ba9eb541a97aca616de7.exe
  Resource: win10-en-20211208
General
Target: 8ad122388d4e0984b9319f04473010547b60e17b8406ba9eb541a97aca616de7.exe
Size: 89KB
MD5: 04f17c37259533e301b01a8c64e476e6
SHA1: ed04cba2871e1c0a83beb00a4acb265fba24d1c7
SHA256: 8ad122388d4e0984b9319f04473010547b60e17b8406ba9eb541a97aca616de7
SHA512: 53f3ed1dee9412cb425d826c3703f0c37b2aab549be0c961ca4f33cca0b536a6913239c216ed4a47d93c2e223f4ebb37799a28273a478889b9c41f71afe47207
Malware Config
Signatures
Sakula Payload (2 IoCs)
  resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  yara_rule: family_sakula
  resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  yara_rule: family_sakula
suricata: ET MALWARE SUSPICIOUS UA (iexplore)
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
Executes dropped EXE (1 IoC)
  pid: 1680  process: MediaCenter.exe
Adds Run key to start application (2 TTPs, 1 IoC)
  process: 8ad122388d4e0984b9319f04473010547b60e17b8406ba9eb541a97aca616de7.exe
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  Note: the WOW6432Node path is the 32-bit view of HKLM\SOFTWARE on a 64-bit host, consistent with the 32-bit (SysWOW64) cmd.exe seen in the process tree. The value points at the dropped MediaCenter.exe under the user's Temp directory, so the persistence survives a reboot but not a Temp cleanup, and the dropper itself is removed afterwards (see the cmd.exe entry below).
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature reads "Likely ransomware behaviour", but that does not fit here: the sample is identified as Sakula/Mivast (a RAT) by both the YARA match and the Suricata beacon rule, and drive enumeration alone is not evidence of encryption.
Runs ping.exe (1 TTP, 1 IoC)
  ping 127.0.0.1 is used here purely as a delay before deleting the dropper (see the cmd.exe command line in the process tree), not for network reconnaissance.
Suspicious use of AdjustPrivilegeToken (1 IoC)
  process: 8ad122388d4e0984b9319f04473010547b60e17b8406ba9eb541a97aca616de7.exe  pid: 1008  token: SeIncBasePriorityPrivilege
Suspicious use of WriteProcessMemory (9 IoCs)
  PID 1008 (8ad122388d4e0984b9319f04473010547b60e17b8406ba9eb541a97aca616de7.exe) wrote to memory of PID 1680 (MediaCenter.exe), reported 3 times
  PID 1008 (8ad122388d4e0984b9319f04473010547b60e17b8406ba9eb541a97aca616de7.exe) wrote to memory of PID 1660 (cmd.exe), reported 3 times
  PID 1660 (cmd.exe) wrote to memory of PID 420 (PING.EXE), reported 3 times
  Note: every write here is from a parent into a child it has just created. Such writes also occur during ordinary process creation, so this signature on its own does not establish code injection; the stronger evidence of malicious behaviour is the Sakula YARA match on the dropped file and the CnC beacon alert.
Processes
C:\Users\Admin\AppData\Local\Temp\8ad122388d4e0984b9319f04473010547b60e17b8406ba9eb541a97aca616de7.exe  (PID 1008)
  command line: "C:\Users\Admin\AppData\Local\Temp\8ad122388d4e0984b9319f04473010547b60e17b8406ba9eb541a97aca616de7.exe"
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  (PID 1680)
    command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  C:\Windows\SysWOW64\cmd.exe  (PID 1660)
    command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\8ad122388d4e0984b9319f04473010547b60e17b8406ba9eb541a97aca616de7.exe"
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\PING.EXE  (PID 420)
      command line: ping 127.0.0.1
      - Runs ping.exe
Note: the command line names System32\cmd.exe but the image that actually ran is SysWOW64\cmd.exe, because the 32-bit dropper's request is redirected by WOW64 file-system redirection. The "ping 127.0.0.1 & del /q <dropper>" idiom is the classic dropper self-delete: the four local echo requests give the dropper time to exit so the file is no longer locked when del runs, while the dropped MediaCenter.exe stays resident and is re-launched from the Run key.
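The two behaviours worth hunting for from this report are the Run-key persistence into a user-writable path and the "cmd /c ping ... & del" self-delete chain. The following is an added example of detection logic for both, not sandbox or Triage code: it runs over constructed Sysmon-style records (EventID 1 process creation, EventID 13 registry value set) whose values are taken from the process tree and Run-key IOC above, plus two invented benign control records (a vendor installer writing a Run key under Program Files, and a plain del of a log file). The explorer.exe parent and the Vendor entries are assumptions for the example. The Run-key regex anchors on the Microsoft\Windows\CurrentVersion\Run portion so it matches both the sandbox's \REGISTRY\MACHINE\... form and Sysmon's HKLM\... form.

```python
"""Hunt for dropper self-delete and Temp-based Run-key persistence in
Sysmon-style records. Added example; the EVENTS list is constructed from the
report's values plus two invented benign controls."""
import re

DROPPER = (r"C:\Users\Admin\AppData\Local\Temp"
           r"\8ad122388d4e0984b9319f04473010547b60e17b8406ba9eb541a97aca616de7.exe")
PAYLOAD = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

# Constructed events. PIDs, images and command lines follow the report; the
# explorer.exe parent and the "Vendor" records are assumptions (benign controls).
EVENTS = [
    {"EventID": 1, "ProcessId": 1008, "ParentProcessId": 900, "Image": DROPPER,
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": f'"{DROPPER}"'},
    {"EventID": 13, "ProcessId": 1008, "Image": DROPPER,
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "Details": PAYLOAD},
    {"EventID": 1, "ProcessId": 1680, "ParentProcessId": 1008, "Image": PAYLOAD,
     "ParentImage": DROPPER, "CommandLine": PAYLOAD},
    {"EventID": 1, "ProcessId": 1660, "ParentProcessId": 1008,
     "Image": r"C:\Windows\SysWOW64\cmd.exe", "ParentImage": DROPPER,
     "CommandLine": r'"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "' + DROPPER + '"'},
    {"EventID": 1, "ProcessId": 420, "ParentProcessId": 1660,
     "Image": r"C:\Windows\SysWOW64\PING.EXE", "ParentImage": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": "ping 127.0.0.1"},
    {"EventID": 13, "ProcessId": 2200, "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
     "Details": r"C:\Program Files\Vendor\agent.exe"},
    {"EventID": 1, "ProcessId": 2300, "ParentProcessId": 2200,
     "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Program Files\Vendor\setup.exe",
     "CommandLine": r'"C:\Windows\System32\cmd.exe" /c del /q "C:\Users\Admin\AppData\Local\Temp\install.log"'},
]

# cmd.exe /c ping <anything> & del ...  (the ping is a sleep substitute)
SELF_DELETE_RE = re.compile(r"\bcmd(?:\.exe)?\"?\s+/c\s+ping\b[^&]*&\s*del\b", re.IGNORECASE)
# path argument of the del command, with or without quotes and switches
DEL_TARGET_RE = re.compile(r"\bdel\b(?:\s+/\w+)*\s+\"?([^\"]+?)\"?\s*$", re.IGNORECASE)
# Run / RunOnce under either the native or the WOW6432Node view
RUN_KEY_RE = re.compile(r"\\(?:WOW6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\",
                        re.IGNORECASE)
# locations a non-admin user can write to; a Run value there is a red flag
USER_WRITABLE_RE = re.compile(r"\\(?:AppData\\(?:Local|Roaming)|ProgramData|Users\\Public|Windows\\Temp)\\",
                              re.IGNORECASE)


def find_self_delete(events):
    """Process-creation records matching the ping-then-del idiom, noting whether
    the deleted file is the parent process's own image (dropper cleanup)."""
    hits = []
    for e in events:
        if e["EventID"] != 1 or not SELF_DELETE_RE.search(e["CommandLine"]):
            continue
        m = DEL_TARGET_RE.search(e["CommandLine"])
        target = m.group(1) if m else None
        hits.append({"pid": e["ProcessId"], "parent_pid": e["ParentProcessId"],
                     "deleted": target,
                     "deletes_parent_image": bool(target) and target.lower() == e["ParentImage"].lower()})
    return hits


def find_temp_run_keys(events):
    """Registry-set records on a Run key, flagging values under user-writable paths."""
    hits = []
    for e in events:
        if e["EventID"] != 13 or not RUN_KEY_RE.search(e["TargetObject"]):
            continue
        hits.append({"pid": e["ProcessId"],
                     "value_name": e["TargetObject"].rsplit("\\", 1)[1],
                     "wow6432": "WOW6432NODE" in e["TargetObject"].upper(),
                     "payload": e["Details"],
                     "user_writable": bool(USER_WRITABLE_RE.search(e["Details"]))})
    return hits


def dropper_verdicts(events):
    """PIDs that both installed a user-writable Run value and spawned a cmd.exe
    that deleted their own image: the full dropper pattern from the report."""
    persisted = {h["pid"] for h in find_temp_run_keys(events) if h["user_writable"]}
    cleaned_up = {h["parent_pid"] for h in find_self_delete(events) if h["deletes_parent_image"]}
    return sorted(persisted & cleaned_up)


if __name__ == "__main__":
    for h in find_self_delete(EVENTS):
        print("self-delete:", h)
    for h in find_temp_run_keys(EVENTS):
        print("run key:", h)
    print("dropper PIDs:", dropper_verdicts(EVENTS))
```

Each detector alone produces noise (vendor installers write Run keys; scripts delete temp files), which is why the verdict function requires the same process to do both. The benign control records exercise exactly those false-positive paths and are excluded.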
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: c191d35746a183199abfc89099836dab
SHA1: 9c2316613dafef4cacc0b5e8f1d9724fabf5c6a3
SHA256: 83d972d7a0a22c8a18f54006301470b8e8c4d8573cb0fdef43e2fde6fcc0960c
SHA512: 0c20eb212f9061c02cac61b5a0aec21825ef83143546cc1b0ebbd22cc28d3d67482c327727bd83bb5719aad17f6f7758cc95b9e82c042de5e97a83cf9c0d98e7