Analysis
max time kernel: 133s
max time network: 141s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 02:50
Static task: static1
Behavioral task: behavioral1
  Sample: 195ca2c2ed67c945395ef02a2c97c40ea794ac86019b21482da033f45b9c0756.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 195ca2c2ed67c945395ef02a2c97c40ea794ac86019b21482da033f45b9c0756.exe
  Resource: win10v2004-en-20220113
General
Target: 195ca2c2ed67c945395ef02a2c97c40ea794ac86019b21482da033f45b9c0756.exe
Size: 89KB
MD5: 0a8cbcc713f595a3da84ec235f3ee025
SHA1: dd3f59eb314b6b6dbd80a32cec588eff61b00a8a
SHA256: 195ca2c2ed67c945395ef02a2c97c40ea794ac86019b21482da033f45b9c0756
SHA512: d710ea33fe904243667d53d6c239c47236554c0cc958585011a4c1cac2589ff899b9ae829a244d6fb3c411fd097efc285104eb974f83426553f17bbec0ca0495
Malware Config
Signatures

Sakula Payload (2 IoCs)
  resource: \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe    yara_rule: family_sakula
  resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  yara_rule: family_sakula

suricata: ET MALWARE SUSPICIOUS UA (iexplore)

suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1

Executes dropped EXE (1 IoC)
  process: MediaCenter.exe  pid: 1096

Deletes itself (1 IoC)
  process: cmd.exe  pid: 684

Loads dropped DLL (1 IoC)
  process: 195ca2c2ed67c945395ef02a2c97c40ea794ac86019b21482da033f45b9c0756.exe  pid: 840

Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  process: 195ca2c2ed67c945395ef02a2c97c40ea794ac86019b21482da033f45b9c0756.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTP, 1 IoC)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description: Token: SeIncBasePriorityPrivilege  pid: 840  process: 195ca2c2ed67c945395ef02a2c97c40ea794ac86019b21482da033f45b9c0756.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  PID 840 wrote to memory of 1096  pid: 840  process: 195ca2c2ed67c945395ef02a2c97c40ea794ac86019b21482da033f45b9c0756.exe  target process: MediaCenter.exe  (4 events)
  PID 840 wrote to memory of 684   pid: 840  process: 195ca2c2ed67c945395ef02a2c97c40ea794ac86019b21482da033f45b9c0756.exe  target process: cmd.exe  (4 events)
  PID 684 wrote to memory of 1072  pid: 684  process: cmd.exe  target process: PING.EXE  (4 events)
Processes

C:\Users\Admin\AppData\Local\Temp\195ca2c2ed67c945395ef02a2c97c40ea794ac86019b21482da033f45b9c0756.exe  (PID 840)
  Command line: "C:\Users\Admin\AppData\Local\Temp\195ca2c2ed67c945395ef02a2c97c40ea794ac86019b21482da033f45b9c0756.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  (PID 1096)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE

  C:\Windows\SysWOW64\cmd.exe  (PID 684)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\195ca2c2ed67c945395ef02a2c97c40ea794ac86019b21482da033f45b9c0756.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\PING.EXE  (PID 1072)
      Command line: ping 127.0.0.1
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: 9509a5a7180d7d36cd4e6ba77f41fdca
SHA1: a6e80ef383c4c50addef94e538f5bd92a51a0b76
SHA256: b33a5be6df16869bbce3c7108e82e39ec6d3a1d3235e18470c7f64dc2fd33752
SHA512: 1bb79178d31622ba4ade64b4b485bce11ba3963182c48f22d86b52dd038216a08684aa1da00057f77c71c97421670dbe715e24f04ffe83f8f09cb9e05af0c6f5