Analysis
max time kernel: 152s
max time network: 167s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 02:50
Static task: static1
Behavioral task: behavioral1
  Sample: 1959e75557754175dda83c4d92c83b34a4df625872b4697a364e3d3192c097ff.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 1959e75557754175dda83c4d92c83b34a4df625872b4697a364e3d3192c097ff.exe
  Resource: win10v2004-en-20220112
General
Target: 1959e75557754175dda83c4d92c83b34a4df625872b4697a364e3d3192c097ff.exe
Size: 92KB
MD5: d4710bcca88b1b2e6e0ce2f5c64fac1f
SHA1: 417c47961b09344d12bdd8f68315e2e9026440f8
SHA256: 1959e75557754175dda83c4d92c83b34a4df625872b4697a364e3d3192c097ff
SHA512: 4e6aa163188f9a5c09648c34585f425e1bf4901f4ea0e276ff7b8ce607ba6bdf06d9e258d93cff105f2d9dc4542bee576f8a80e6e9101e5e26fb2983fe6c6466
Malware Config
Signatures
Sakula Payload (2 IoCs)
Processes:
  resource: \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe, yara_rule: family_sakula
  resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe, yara_rule: family_sakula
suricata: ET MALWARE SUSPICIOUS UA (iexplore)
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
Executes dropped EXE (1 IoC)
Processes:
  pid 1984, process MediaCenter.exe
Deletes itself (1 IoC)
Processes:
  pid 1244, process cmd.exe
Loads dropped DLL (1 IoC)
Processes:
  pid 1796, process 1959e75557754175dda83c4d92c83b34a4df625872b4697a364e3d3192c097ff.exe
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  process: 1959e75557754175dda83c4d92c83b34a4df625872b4697a364e3d3192c097ff.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Runs ping.exe (1 TTP, 1 IoC)
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  Token: SeIncBasePriorityPrivilege, pid 1796, process 1959e75557754175dda83c4d92c83b34a4df625872b4697a364e3d3192c097ff.exe
Suspicious use of WriteProcessMemory (12 IoCs)
Processes (source pid, source process -> target pid, target process):
  PID 1796 wrote to memory of 1984: 1959e75557754175dda83c4d92c83b34a4df625872b4697a364e3d3192c097ff.exe -> MediaCenter.exe
  PID 1796 wrote to memory of 1984: 1959e75557754175dda83c4d92c83b34a4df625872b4697a364e3d3192c097ff.exe -> MediaCenter.exe
  PID 1796 wrote to memory of 1984: 1959e75557754175dda83c4d92c83b34a4df625872b4697a364e3d3192c097ff.exe -> MediaCenter.exe
  PID 1796 wrote to memory of 1984: 1959e75557754175dda83c4d92c83b34a4df625872b4697a364e3d3192c097ff.exe -> MediaCenter.exe
  PID 1796 wrote to memory of 1244: 1959e75557754175dda83c4d92c83b34a4df625872b4697a364e3d3192c097ff.exe -> cmd.exe
  PID 1796 wrote to memory of 1244: 1959e75557754175dda83c4d92c83b34a4df625872b4697a364e3d3192c097ff.exe -> cmd.exe
  PID 1796 wrote to memory of 1244: 1959e75557754175dda83c4d92c83b34a4df625872b4697a364e3d3192c097ff.exe -> cmd.exe
  PID 1796 wrote to memory of 1244: 1959e75557754175dda83c4d92c83b34a4df625872b4697a364e3d3192c097ff.exe -> cmd.exe
  PID 1244 wrote to memory of 1492: cmd.exe -> PING.EXE
  PID 1244 wrote to memory of 1492: cmd.exe -> PING.EXE
  PID 1244 wrote to memory of 1492: cmd.exe -> PING.EXE
  PID 1244 wrote to memory of 1492: cmd.exe -> PING.EXE
Processes
1. C:\Users\Admin\AppData\Local\Temp\1959e75557754175dda83c4d92c83b34a4df625872b4697a364e3d3192c097ff.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\1959e75557754175dda83c4d92c83b34a4df625872b4697a364e3d3192c097ff.exe"
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   PID: 1796
   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE
      PID: 1984
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\1959e75557754175dda83c4d92c83b34a4df625872b4697a364e3d3192c097ff.exe"
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      PID: 1244
      3. C:\Windows\SysWOW64\PING.EXE
         Command line: ping 127.0.0.1
         - Runs ping.exe
         PID: 1492
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: c12591e29c57d80181e214b232187c92
SHA1: 59c07fddd674c364f50ab6cd2ccdba241fc5d473
SHA256: 4e5314a74431aaaf3335118f9372d0e28f3edca08ff20f86797f0b5a278a66ad
SHA512: a50ae1592d072fe11b6ea25e82bf7b159998a4aac0d5b2152e8b2a0663e0d8abebe9bbe79cc68b62753e4b2fd67aaac7f38aaf68557f73672932eeebe1df19dc