Analysis
max time kernel: 134s
max time network: 138s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 02:49
Static task: static1
Behavioral task: behavioral1
  Sample: 196451192b115cc63e9356a098c6544f057c6bf9878a36e9502f477d98050505.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 196451192b115cc63e9356a098c6544f057c6bf9878a36e9502f477d98050505.exe
  Resource: win10v2004-en-20220113
General
Target: 196451192b115cc63e9356a098c6544f057c6bf9878a36e9502f477d98050505.exe
Size: 116KB
MD5: a2081ebef15b714f8fed59557e49e389
SHA1: 561673c7285704387ab3986f81bf0e40a86f2ab9
SHA256: 196451192b115cc63e9356a098c6544f057c6bf9878a36e9502f477d98050505
SHA512: 4e92d4d5ba4355e50b4e59a1779569a2365d7dcd1dc15d7feead4728231c2df67ec0451908202889e2de1df0ac248011099e5be78bef0f3543dd7ef800ae436b
Malware Config
Signatures
Sakula Payload (4 IoCs)
Processes:
  resource                                                                          | yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe                        | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe                      | family_sakula
  behavioral1/memory/1884-58-0x0000000000400000-0x0000000000420000-memory.dmp       | family_sakula
  behavioral1/memory/956-59-0x0000000000400000-0x0000000000420000-memory.dmp        | family_sakula
suricata: ET MALWARE SUSPICIOUS UA (iexplore)
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
Executes dropped EXE (1 IoC)
Processes:
  pid  | process
  956  | MediaCenter.exe
Deletes itself (1 IoC)
Processes:
  pid   | process
  1664  | cmd.exe
Loads dropped DLL (1 IoC)
Processes:
  pid   | process
  1884  | 196451192b115cc63e9356a098c6544f057c6bf9878a36e9502f477d98050505.exe
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  description      | ioc                                                                                                                                                     | process
  Set value (str)  | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  | 196451192b115cc63e9356a098c6544f057c6bf9878a36e9502f477d98050505.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Runs ping.exe (1 TTP, 1 IoC)
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  description                          | pid   | process
  Token: SeIncBasePriorityPrivilege    | 1884  | 196451192b115cc63e9356a098c6544f057c6bf9878a36e9502f477d98050505.exe
Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
  description                        | pid   | process                                                                 | target process
  PID 1884 wrote to memory of 956    | 1884  | 196451192b115cc63e9356a098c6544f057c6bf9878a36e9502f477d98050505.exe   | MediaCenter.exe
  PID 1884 wrote to memory of 956    | 1884  | 196451192b115cc63e9356a098c6544f057c6bf9878a36e9502f477d98050505.exe   | MediaCenter.exe
  PID 1884 wrote to memory of 956    | 1884  | 196451192b115cc63e9356a098c6544f057c6bf9878a36e9502f477d98050505.exe   | MediaCenter.exe
  PID 1884 wrote to memory of 956    | 1884  | 196451192b115cc63e9356a098c6544f057c6bf9878a36e9502f477d98050505.exe   | MediaCenter.exe
  PID 1884 wrote to memory of 1664   | 1884  | 196451192b115cc63e9356a098c6544f057c6bf9878a36e9502f477d98050505.exe   | cmd.exe
  PID 1884 wrote to memory of 1664   | 1884  | 196451192b115cc63e9356a098c6544f057c6bf9878a36e9502f477d98050505.exe   | cmd.exe
  PID 1884 wrote to memory of 1664   | 1884  | 196451192b115cc63e9356a098c6544f057c6bf9878a36e9502f477d98050505.exe   | cmd.exe
  PID 1884 wrote to memory of 1664   | 1884  | 196451192b115cc63e9356a098c6544f057c6bf9878a36e9502f477d98050505.exe   | cmd.exe
  PID 1664 wrote to memory of 1196   | 1664  | cmd.exe                                                                 | PING.EXE
  PID 1664 wrote to memory of 1196   | 1664  | cmd.exe                                                                 | PING.EXE
  PID 1664 wrote to memory of 1196   | 1664  | cmd.exe                                                                 | PING.EXE
  PID 1664 wrote to memory of 1196   | 1664  | cmd.exe                                                                 | PING.EXE
Processes
(level 1) C:\Users\Admin\AppData\Local\Temp\196451192b115cc63e9356a098c6544f057c6bf9878a36e9502f477d98050505.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\196451192b115cc63e9356a098c6544f057c6bf9878a36e9502f477d98050505.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1884
  (level 2) C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 956
  (level 2) C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\196451192b115cc63e9356a098c6544f057c6bf9878a36e9502f477d98050505.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1664
    (level 3) C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1196
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: 3110ddd18cacc5dd1e5fca3dc679fa26
SHA1: a9119ba098447b85e3e4ecc74d04a2601713cb2e
SHA256: 74408ac929e13e254a84bc856dee0f03077a586a2cd3257739a9e44685d5fcc7
SHA512: 10c1901d5c9afbbdc09b889e4962fc2bc4e5a73e2765b8a1437823932e72adb5cd921df761dcd93a6e7bf844b5cf633c2b3e4c1e345826c736f4a1e9fd57faf1