Analysis
- max time kernel: 137s
- max time network: 152s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 02:51
Static task: static1
Behavioral task: behavioral1
- Sample: 194601cec6556d32a0777a70888496a0caf4d52566c9b799165cd29794a679f6.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 194601cec6556d32a0777a70888496a0caf4d52566c9b799165cd29794a679f6.exe
- Resource: win10v2004-en-20220112
General
- Target: 194601cec6556d32a0777a70888496a0caf4d52566c9b799165cd29794a679f6.exe
- Size: 200KB
- MD5: 721d86feeecdcbf5b98b9345f865b6c9
- SHA1: d2a0986decdcc990b52bb0147303fdbe3080101d
- SHA256: 194601cec6556d32a0777a70888496a0caf4d52566c9b799165cd29794a679f6
- SHA512: 0f904d9eea0e7768d0274675556e7fe853d0b8de5f3a9ce5f30a38837f21e0a94d9add6b0939893f0269c47e0520da8496ab82f33c7752309c609c5d159eeb79
Malware Config
Signatures
-
Sakula Payload 4 IoCs
Processes (resource, yara_rule):
- \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe: family_sakula
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe: family_sakula
- behavioral1/memory/764-59-0x0000000000400000-0x0000000000420000-memory.dmp: family_sakula
- behavioral1/memory/1144-60-0x0000000000400000-0x0000000000420000-memory.dmp: family_sakula
suricata: ET MALWARE SUSPICIOUS UA (iexplore)
-
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
-
Executes dropped EXE 1 IoCs
Processes (pid, process):
- 1144 MediaCenter.exe
Deletes itself 1 IoCs
Processes (pid, process):
- 1012 cmd.exe
Loads dropped DLL 1 IoCs
Processes (pid, process):
- 764 194601cec6556d32a0777a70888496a0caf4d52566c9b799165cd29794a679f6.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes (description, ioc, process):
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" (194601cec6556d32a0777a70888496a0caf4d52566c9b799165cd29794a679f6.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). This is the sandbox's generic description for the signature, which notes the behaviour is typical of ransomware; the YARA and Suricata hits above classify this sample as the Sakula/Mivast RAT, so treat the ransomware remark as the signature's boilerplate rather than a finding about this sample.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes (description, pid, process):
- Token: SeIncBasePriorityPrivilege, 764 194601cec6556d32a0777a70888496a0caf4d52566c9b799165cd29794a679f6.exe
Suspicious use of WriteProcessMemory 12 IoCs
Processes (pid -> target pid, process -> target process; the sandbox logs four events per child, one per hooked call):
- PID 764 wrote to memory of 1144: 194601cec6556d32a0777a70888496a0caf4d52566c9b799165cd29794a679f6.exe -> MediaCenter.exe (4 events)
- PID 764 wrote to memory of 1012: 194601cec6556d32a0777a70888496a0caf4d52566c9b799165cd29794a679f6.exe -> cmd.exe (4 events)
- PID 1012 wrote to memory of 296: cmd.exe -> PING.EXE (4 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\194601cec6556d32a0777a70888496a0caf4d52566c9b799165cd29794a679f6.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\194601cec6556d32a0777a70888496a0caf4d52566c9b799165cd29794a679f6.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 764
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1144
  - C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\194601cec6556d32a0777a70888496a0caf4d52566c9b799165cd29794a679f6.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1012
    - C:\Windows\SysWOW64\PING.EXE
      command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 296
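The two host-side behaviours this report records, the Run-key value written under Wow6432Node pointing at a dropped executable in %TEMP%, and the `cmd.exe /c ping 127.0.0.1 & del /q "<own path>"` chain that the sandbox flags as "Deletes itself", are both cheap to detect from process-creation and registry telemetry. The following is an added example written for this page, not code from the sandbox vendor or from the sample's analysis: it runs two detections over constructed Sysmon-style records that mirror the process tree and registry write above. The event dataclasses, the parent PID 500 for the first process, and the `find_self_delete` / `find_run_key_persistence` helper names are assumptions for illustration; the paths, PIDs and command lines are taken from the report.

```python
import re
from dataclasses import dataclass

# Constructed sample telemetry (not the report's raw logs) mirroring the
# process tree and the Run-key write shown in this report.
SAMPLE_EXE = "194601cec6556d32a0777a70888496a0caf4d52566c9b799165cd29794a679f6.exe"
TEMP_DIR = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE_PATH = TEMP_DIR + "\\" + SAMPLE_EXE
DROPPED_PATH = TEMP_DIR + r"\MicroMedia\MediaCenter.exe"


@dataclass
class ProcEvent:
    """A process-creation record (Sysmon Event ID 1 style); assumed shape."""
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass
class RegEvent:
    """A registry value-set record (Sysmon Event ID 13 style); assumed shape."""
    pid: int
    image: str
    key: str
    value: str


PROC_EVENTS = [
    ProcEvent(764, 500, SAMPLE_PATH, f'"{SAMPLE_PATH}"'),  # ppid 500 is assumed
    ProcEvent(1144, 764, DROPPED_PATH, DROPPED_PATH),
    ProcEvent(1012, 764, r"C:\Windows\SysWOW64\cmd.exe",
              f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE_PATH}"'),
    ProcEvent(296, 1012, r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.1"),
]

REG_EVENTS = [
    RegEvent(764, SAMPLE_PATH,
             r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
             DROPPED_PATH),
]

# "ping <loopback> ... & del [/flags] <path>": ping is used as a sleep so the
# parent has exited before del runs. Tolerates "-n N", output redirection and
# an unquoted path.
SELF_DELETE_RE = re.compile(
    r'ping\s+(?:-n\s+\d+\s+)?(?:127\.0\.0\.1|localhost)\b.*?&\s*del\s+(?:/[a-z]\s+)*"?(?P<path>[^"&]+)"?',
    re.IGNORECASE,
)
# Run / RunOnce under any hive, including the Wow6432Node view a 32-bit
# process writes to on x64, as seen in this report.
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.IGNORECASE)
USER_WRITABLE_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\|\\ProgramData\\|\\Temp\\", re.IGNORECASE)


def find_self_delete(events):
    """Return (pid, image) of each process whose cmd.exe child deletes the
    parent's own image via the ping-then-del idiom."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if not e.image.lower().endswith("\\cmd.exe"):
            continue
        m = SELF_DELETE_RE.search(e.cmdline)
        if not m:
            continue
        parent = by_pid.get(e.ppid)
        # Only a hit when the deleted path is the parent's own image.
        if parent and parent.image.lower() == m.group("path").strip().lower():
            hits.append((parent.pid, parent.image))
    return hits


def find_run_key_persistence(events):
    """Return (pid, value_name, target) for Run/RunOnce values that point into
    a user-writable location such as %TEMP% or AppData."""
    hits = []
    for e in events:
        if RUN_KEY_RE.search(e.key) and USER_WRITABLE_RE.search(e.value):
            hits.append((e.pid, e.key.rsplit("\\", 1)[-1], e.value))
    return hits


if __name__ == "__main__":
    for pid, image in find_self_delete(PROC_EVENTS):
        print(f"self-delete: pid {pid} ({image})")
    for pid, name, target in find_run_key_persistence(REG_EVENTS):
        print(f"run-key persistence: pid {pid} Run\\{name} -> {target}")
```

The self-delete check deliberately requires the `del` target to equal the parent's image path rather than alerting on every `ping & del` pair, which keeps installer clean-up scripts out of the alert queue; the Run-key check alerts on the value's target location, so the `Wow6432Node` redirection seen in this report needs no special casing.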
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: ff672adff706a3fba6de06a96211dcfd
  SHA1: f255a25b9b8ddf5af36ca947d453ce13c981493b
  SHA256: 1e908d577640cc2ba9a55ce11e6b3586c1bf5b92dfcee1e1543f0b39ec3ccea6
  SHA512: d2b8fa64b588b6e72b1ae5973a009281bc3e23ef40dfd3bfb17c58c9d51c60b6176c64f0a1e9f24847bb1a4b7b75a985c4074de1c919f0e4868171b2a66bdfb9