Analysis
- max time kernel: 150s
- max time network: 158s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 02:53
Static task: static1
Behavioral task: behavioral1
  Sample: 192fe613265f5df396bf6eb4703c593399db398018378e499b5cea140ed400eb.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 192fe613265f5df396bf6eb4703c593399db398018378e499b5cea140ed400eb.exe
  Resource: win10v2004-en-20220113
General
- Target: 192fe613265f5df396bf6eb4703c593399db398018378e499b5cea140ed400eb.exe
- Size: 176KB
- MD5: 67611f49b6938475a2f829cbb9c5c740
- SHA1: a137905fe8ff2c92ea5d4c6d1fbb304c7f1b4f9c
- SHA256: 192fe613265f5df396bf6eb4703c593399db398018378e499b5cea140ed400eb
- SHA512: 56668442cde29d335250c80d179b3d2e6dae20cb855cf508460eee932c00e8ec088a350f2a70b1929b6d9c2b7c833ccca55b9bdb7b92ad6658daf8f59dac800d
Malware Config
Signatures
- Sakula Payload (4 IoCs)
  resource | yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  behavioral1/memory/1640-58-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
  behavioral1/memory/960-59-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
- suricata: ET MALWARE SUSPICIOUS UA (iexplore)
- suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
- Executes dropped EXE (1 IoC)
  pid | process
  960 | MediaCenter.exe
- Deletes itself (1 IoC)
  pid | process
  1288 | cmd.exe
- Loads dropped DLL (1 IoC)
  pid | process
  1640 | 192fe613265f5df396bf6eb4703c593399db398018378e499b5cea140ed400eb.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 192fe613265f5df396bf6eb4703c593399db398018378e499b5cea140ed400eb.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 1640 | 192fe613265f5df396bf6eb4703c593399db398018378e499b5cea140ed400eb.exe
- Suspicious use of WriteProcessMemory (12 IoCs; each row below was recorded 4 times)
  description | pid | process | target process
  PID 1640 wrote to memory of 960 | 1640 | 192fe613265f5df396bf6eb4703c593399db398018378e499b5cea140ed400eb.exe | MediaCenter.exe
  PID 1640 wrote to memory of 1288 | 1640 | 192fe613265f5df396bf6eb4703c593399db398018378e499b5cea140ed400eb.exe | cmd.exe
  PID 1288 wrote to memory of 432 | 1288 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\192fe613265f5df396bf6eb4703c593399db398018378e499b5cea140ed400eb.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\192fe613265f5df396bf6eb4703c593399db398018378e499b5cea140ed400eb.exe"
  PID: 1640
  Signatures: Loads dropped DLL; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 960
    Signatures: Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\192fe613265f5df396bf6eb4703c593399db398018378e499b5cea140ed400eb.exe"
    PID: 1288
    Signatures: Deletes itself; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 432
      Signatures: Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 5bdfbedad57d2b52f643ce17a010dd60
  SHA1: 9ab0ff598ccc7151db8057d1e93b3ad154c0f8de
  SHA256: c24755f373ac7c4f1e07ae75df8be543c951975b7fd999b019d2e75ba7eba3e0
  SHA512: 4aea1232bb8eb545224aa4eae012f76b3fbe10239bbb8d9fb6063cdacc71cb9c1aecb0da62b662694fd4ddcd3197da1621851052c325c12b27194d7d58383cde