Analysis
- max time kernel: 138s
- max time network: 156s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 02:55
Static task: static1
Behavioral task: behavioral1
- Sample: 190bf8fddb5a7fb9328de25d5bae225d0a06e8f67d8afb8c622d1c0980fdec68.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 190bf8fddb5a7fb9328de25d5bae225d0a06e8f67d8afb8c622d1c0980fdec68.exe
- Resource: win10v2004-en-20220113
General
- Target: 190bf8fddb5a7fb9328de25d5bae225d0a06e8f67d8afb8c622d1c0980fdec68.exe
- Size: 176KB
- MD5: b21db582e4cf27142888b14aecf4883e
- SHA1: 5e75f1e58d450c9a078526e353623deca2ee8e37
- SHA256: 190bf8fddb5a7fb9328de25d5bae225d0a06e8f67d8afb8c622d1c0980fdec68
- SHA512: 718e5053c6192eefe5aebfca132e6b0da2783ec643d5da6510a48f5222d7e71f7cedbe01f41c7da728e4d731cd5416a0195d088d74828bb884ac65601202ae46
Malware Config
Signatures
- Sakula Payload 4 IoCs
  resource | yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  behavioral1/memory/1620-59-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
  behavioral1/memory/944-60-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
- suricata: ET MALWARE SUSPICIOUS UA (iexplore)
- suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
- Executes dropped EXE 1 IoCs
  pid | process
  944 | MediaCenter.exe
- Deletes itself 1 IoCs
  pid | process
  1644 | cmd.exe
- Loads dropped DLL 1 IoCs
  pid | process
  1620 | 190bf8fddb5a7fb9328de25d5bae225d0a06e8f67d8afb8c622d1c0980fdec68.exe
- Adds Run key to start application 2 TTPs 1 IoCs
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 190bf8fddb5a7fb9328de25d5bae225d0a06e8f67d8afb8c622d1c0980fdec68.exe
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe 1 TTPs 1 IoCs
- Suspicious use of AdjustPrivilegeToken 1 IoCs
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 1620 | 190bf8fddb5a7fb9328de25d5bae225d0a06e8f67d8afb8c622d1c0980fdec68.exe
- Suspicious use of WriteProcessMemory 12 IoCs
  description | pid | process | target process
  PID 1620 wrote to memory of 944 | 1620 | 190bf8fddb5a7fb9328de25d5bae225d0a06e8f67d8afb8c622d1c0980fdec68.exe | MediaCenter.exe (4 entries)
  PID 1620 wrote to memory of 1644 | 1620 | 190bf8fddb5a7fb9328de25d5bae225d0a06e8f67d8afb8c622d1c0980fdec68.exe | cmd.exe (4 entries)
  PID 1644 wrote to memory of 1484 | 1644 | cmd.exe | PING.EXE (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\190bf8fddb5a7fb9328de25d5bae225d0a06e8f67d8afb8c622d1c0980fdec68.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\190bf8fddb5a7fb9328de25d5bae225d0a06e8f67d8afb8c622d1c0980fdec68.exe"
  PID: 1620
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 944
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\190bf8fddb5a7fb9328de25d5bae225d0a06e8f67d8afb8c622d1c0980fdec68.exe"
    PID: 1644
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 1484
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 02fe4c55eb030c75848df17fe080fbe1
  SHA1: 88d439273c2776bf858ac564cdfd59799c9a48d2
  SHA256: ff5b118af4f68b7bfdcd3c70d030cf092ae10605b4245ee5e835807bdca17f02
  SHA512: 1d42be5e2679fda687303c0749e4861cd70c37f7423cf5faa140a3f4af7fe0a65e5086df70eb5a7d8336473a593cf3d5f9f5967ddc0190ac9a2ae6e6b6f4e8fa