Analysis

max time kernel: 134s
max time network: 140s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 03:40
Static task: static1

Behavioral task: behavioral1
Sample: 1709486f5b27fff1fa5c34135bc8a5999e4e74e7041e1cefeb55fc75426543d1.exe
Resource: win7-en-20211208

Behavioral task: behavioral2
Sample: 1709486f5b27fff1fa5c34135bc8a5999e4e74e7041e1cefeb55fc75426543d1.exe
Resource: win10v2004-en-20220113
General

Target: 1709486f5b27fff1fa5c34135bc8a5999e4e74e7041e1cefeb55fc75426543d1.exe
Size: 216KB
MD5: c0cb2603d8b7146804f64d28aabf9dd1
SHA1: aac0df39bb5d9d123c403a51f75aa9eab7fffb97
SHA256: 1709486f5b27fff1fa5c34135bc8a5999e4e74e7041e1cefeb55fc75426543d1
SHA512: 9367dd04737cdebbc35b5b7f35b066bfd63d4fe83cb3cfccfd28381b2e2095ef869d4c7220b4fb10cc150c4adf84a58e022150a388f668fc5cca10e87b72cfb6
Malware Config
Signatures
Sakula Payload (4 IoCs)
Processes:
resource                                                                     yara_rule
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe                   family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe                 family_sakula
behavioral1/memory/856-58-0x0000000000400000-0x0000000000420000-memory.dmp   family_sakula
behavioral1/memory/1212-59-0x0000000000400000-0x0000000000420000-memory.dmp  family_sakula

suricata: ET MALWARE SUSPICIOUS UA (iexplore)

suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1

Executes dropped EXE (1 IoCs)
Processes: MediaCenter.exe
pid   process
1212  MediaCenter.exe

Deletes itself (1 IoCs)
Processes: cmd.exe
pid   process
1996  cmd.exe

Loads dropped DLL (1 IoCs)
Processes: 1709486f5b27fff1fa5c34135bc8a5999e4e74e7041e1cefeb55fc75426543d1.exe
pid  process
856  1709486f5b27fff1fa5c34135bc8a5999e4e74e7041e1cefeb55fc75426543d1.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
Processes: 1709486f5b27fff1fa5c34135bc8a5999e4e74e7041e1cefeb55fc75426543d1.exe
description      ioc                                                                                                                                                                                  process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  1709486f5b27fff1fa5c34135bc8a5999e4e74e7041e1cefeb55fc75426543d1.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTPs, 1 IoCs)

Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes: 1709486f5b27fff1fa5c34135bc8a5999e4e74e7041e1cefeb55fc75426543d1.exe
description                        pid  process
Token: SeIncBasePriorityPrivilege  856  1709486f5b27fff1fa5c34135bc8a5999e4e74e7041e1cefeb55fc75426543d1.exe

Suspicious use of WriteProcessMemory (12 IoCs)
Processes: 1709486f5b27fff1fa5c34135bc8a5999e4e74e7041e1cefeb55fc75426543d1.exe, cmd.exe
description                       pid   process                                                                 target process
PID 856 wrote to memory of 1212   856   1709486f5b27fff1fa5c34135bc8a5999e4e74e7041e1cefeb55fc75426543d1.exe   MediaCenter.exe
PID 856 wrote to memory of 1212   856   1709486f5b27fff1fa5c34135bc8a5999e4e74e7041e1cefeb55fc75426543d1.exe   MediaCenter.exe
PID 856 wrote to memory of 1212   856   1709486f5b27fff1fa5c34135bc8a5999e4e74e7041e1cefeb55fc75426543d1.exe   MediaCenter.exe
PID 856 wrote to memory of 1212   856   1709486f5b27fff1fa5c34135bc8a5999e4e74e7041e1cefeb55fc75426543d1.exe   MediaCenter.exe
PID 856 wrote to memory of 1996   856   1709486f5b27fff1fa5c34135bc8a5999e4e74e7041e1cefeb55fc75426543d1.exe   cmd.exe
PID 856 wrote to memory of 1996   856   1709486f5b27fff1fa5c34135bc8a5999e4e74e7041e1cefeb55fc75426543d1.exe   cmd.exe
PID 856 wrote to memory of 1996   856   1709486f5b27fff1fa5c34135bc8a5999e4e74e7041e1cefeb55fc75426543d1.exe   cmd.exe
PID 856 wrote to memory of 1996   856   1709486f5b27fff1fa5c34135bc8a5999e4e74e7041e1cefeb55fc75426543d1.exe   cmd.exe
PID 1996 wrote to memory of 1968  1996  cmd.exe                                                                 PING.EXE
PID 1996 wrote to memory of 1968  1996  cmd.exe                                                                 PING.EXE
PID 1996 wrote to memory of 1968  1996  cmd.exe                                                                 PING.EXE
PID 1996 wrote to memory of 1968  1996  cmd.exe                                                                 PING.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\1709486f5b27fff1fa5c34135bc8a5999e4e74e7041e1cefeb55fc75426543d1.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\1709486f5b27fff1fa5c34135bc8a5999e4e74e7041e1cefeb55fc75426543d1.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 856

  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1212

  C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\1709486f5b27fff1fa5c34135bc8a5999e4e74e7041e1cefeb55fc75426543d1.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1996

    C:\Windows\SysWOW64\PING.EXE (depth 3)
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1968
Network
MITRE ATT&CK Enterprise v6
Downloads

MD5: 92cfedb7e528fe562464809aa78b126d
SHA1: d7dbdb8c133e068dac6c498838992cad1a7c7f91
SHA256: fe9f8239147451f1cd3ad0cae24b3c7c4435c8756d0dea9ccd4af3a66bb4f5bd
SHA512: e4a38fe666f8a582ae5d46b617fb257b0c90a09121ed241aca92260dc2e0b676d01eb07f245ec0327818efb62d808a0a2624c5f32d8a79fd9cfade714c067b34