Analysis
- max time kernel: 143s
- max time network: 171s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 03:40
Static task: static1
Behavioral task: behavioral1
  Sample: 170886839f5b6494a7cb83aea4b7f7aaabf8c5c74cfaedfe0194cd7070a69ed6.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 170886839f5b6494a7cb83aea4b7f7aaabf8c5c74cfaedfe0194cd7070a69ed6.exe
  Resource: win10v2004-en-20220112
General
- Target: 170886839f5b6494a7cb83aea4b7f7aaabf8c5c74cfaedfe0194cd7070a69ed6.exe
- Size: 92KB
- MD5: 856cd3e514f29f3befd0bc6f4e4f3d9d
- SHA1: d3286fbebc645ca23309dc314d953925311ed661
- SHA256: 170886839f5b6494a7cb83aea4b7f7aaabf8c5c74cfaedfe0194cd7070a69ed6
- SHA512: 1b465bcf63e31b9d336013c6f8fe80798753290c5e30665017a4b0a8f424af2715bba44e45241ba21a4aa16e86da62bf50e329dc2dd0146c3647d4bba84badf4
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  resource: \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe, yara_rule: family_sakula
  resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe, yara_rule: family_sakula
- suricata: ET MALWARE SUSPICIOUS UA (iexplore)
- suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
- Executes dropped EXE (1 IoC)
  pid 1612: MediaCenter.exe
- Deletes itself (1 IoC)
  pid 1468: cmd.exe
- Loads dropped DLL (1 IoC)
  pid 1636: 170886839f5b6494a7cb83aea4b7f7aaabf8c5c74cfaedfe0194cd7070a69ed6.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  process: 170886839f5b6494a7cb83aea4b7f7aaabf8c5c74cfaedfe0194cd7070a69ed6.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic signature text labels this "likely ransomware behaviour", but on its own it is a weak heuristic: the YARA (family_sakula) and Suricata (Sakula/Mivast RAT CnC Beacon) hits above identify this payload as a RAT, not ransomware.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeIncBasePriorityPrivilege, pid 1636: 170886839f5b6494a7cb83aea4b7f7aaabf8c5c74cfaedfe0194cd7070a69ed6.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  PID 1636 (170886839f5b6494a7cb83aea4b7f7aaabf8c5c74cfaedfe0194cd7070a69ed6.exe) wrote to memory of 1612 (MediaCenter.exe), 4 events
  PID 1636 (170886839f5b6494a7cb83aea4b7f7aaabf8c5c74cfaedfe0194cd7070a69ed6.exe) wrote to memory of 1468 (cmd.exe), 4 events
  PID 1468 (cmd.exe) wrote to memory of 1528 (PING.EXE), 4 events
Processes
- C:\Users\Admin\AppData\Local\Temp\170886839f5b6494a7cb83aea4b7f7aaabf8c5c74cfaedfe0194cd7070a69ed6.exe (PID 1636)
  command line: "C:\Users\Admin\AppData\Local\Temp\170886839f5b6494a7cb83aea4b7f7aaabf8c5c74cfaedfe0194cd7070a69ed6.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 1612, child of 1636)
    command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 1468, child of 1636)
    command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\170886839f5b6494a7cb83aea4b7f7aaabf8c5c74cfaedfe0194cd7070a69ed6.exe"
    (The image resolves under SysWOW64 because the 32-bit sample's request for System32\cmd.exe is redirected by WOW64 file system redirection on this x64 host; the same is visible in the Wow6432Node Run key above. The ping to 127.0.0.1 is only a delay so that the dropper has exited before del removes its file.)
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 1528, child of 1468)
      command line: ping 127.0.0.1
      - Runs ping.exe
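The two host-side behaviours in this tree that are worth hunting for on other machines are the Run-key value pointing into a user temp directory and the `cmd /c ping 127.0.0.1 & del /q "<dropper>"` self-delete chain. The script below is an added example, not part of the sandbox report and not the sandbox's own detection logic: it runs both checks over constructed Sysmon-style process-creation and registry-set events modelled on this report's process tree and Run key. The event layout and field names (`event_id`, `pid`, `ppid`, `image`, `cmdline`, `target`, `details`), the HKLM spelling of the registry path, the dropper's parent PID 1000 and the function names are all assumptions made for illustration.

```python
import re

# Paths taken from the report's process tree (the sample and the dropped file).
SAMPLE_EXE = (r"C:\Users\Admin\AppData\Local\Temp"
              r"\170886839f5b6494a7cb83aea4b7f7aaabf8c5c74cfaedfe0194cd7070a69ed6.exe")
DROPPED_EXE = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

# Constructed Sysmon-style telemetry (assumed field names, not sandbox output):
# event_id 1 = process creation, event_id 13 = registry value set.
SAMPLE_EVENTS = [
    {"event_id": 1, "pid": 1636, "ppid": 1000, "image": SAMPLE_EXE,
     "cmdline": f'"{SAMPLE_EXE}"'},
    {"event_id": 13, "pid": 1636,
     "target": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "details": DROPPED_EXE},
    {"event_id": 1, "pid": 1612, "ppid": 1636, "image": DROPPED_EXE,
     "cmdline": DROPPED_EXE},
    {"event_id": 1, "pid": 1468, "ppid": 1636,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE_EXE}"'},
    {"event_id": 1, "pid": 1528, "ppid": 1468,
     "image": r"C:\Windows\SysWOW64\PING.EXE", "cmdline": "ping 127.0.0.1"},
]

RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.I)
USER_TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
# "ping <loopback> & del [/switches] <path>": the delay-then-delete idiom in the tree.
SELF_DELETE_RE = re.compile(
    r'ping\s+(?:-n\s+\d+\s+)?(?:127\.0\.0\.1|localhost)\s*&+\s*'
    r'del\s+(?:/[a-z]\s+)*(?:"([^"]+)"|(\S+))', re.I)


def check_temp_autorun(ev):
    """Run/RunOnce value whose data points into a user temp directory."""
    if ev.get("event_id") != 13:
        return None
    if RUN_KEY_RE.search(ev["target"]) and USER_TEMP_RE.search(ev["details"]):
        return {"rule": "temp_autorun", "pid": ev["pid"], "detail": ev["details"]}
    return None


def check_self_delete(ev, image_by_pid):
    """cmd.exe ping-then-del whose deletion target is its parent's own image."""
    if ev.get("event_id") != 1 or not ev["image"].lower().endswith("\\cmd.exe"):
        return None
    m = SELF_DELETE_RE.search(ev["cmdline"])
    if not m:
        return None
    target = m.group(1) or m.group(2)          # quoted or bare path after del
    parent_image = image_by_pid.get(ev["ppid"], "")
    if target.lower() == parent_image.lower():
        return {"rule": "self_delete", "pid": ev["pid"], "detail": target}
    return None


def hunt(events):
    """Run both checks over a batch of events and return the findings."""
    image_by_pid = {e["pid"]: e["image"] for e in events if e.get("event_id") == 1}
    findings = []
    for ev in events:
        for hit in (check_temp_autorun(ev), check_self_delete(ev, image_by_pid)):
            if hit:
                findings.append(hit)
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f['rule']:13} pid={f['pid']} {f['detail']}")
```

The self-delete check deliberately ties the deleted path to the parent's image rather than alerting on every `ping & del`, since installers and update scripts use the same idiom to remove their own temp files; a Run value under a user temp directory is rarer and worth an alert on its own.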
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 47c0ce458a631a8f753aa324a03d9844
  SHA1: 6b99fc69e0820bc1b98b18972708378635b0da31
  SHA256: cde2301e0b571f885718c7acd7d1729b14d2c776a47b67f9a0be8d586bc6ceeb
  SHA512: 9b971c3f4a76e35384d0b50ed88236c76bffd3af884ca367f51f704128b6f1533b4d1cf25a1251b65d60d0ad2d9aaa79eddfb83838ace541f3bda48714f4713c