Analysis
- max time kernel: 147s
- max time network: 167s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 03:02
Static task: static1
Behavioral task: behavioral1
  Sample: 18c14e93f375304819d37f21a176ca47510ee745ce5a4271dcdf1b2744af7db3.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 18c14e93f375304819d37f21a176ca47510ee745ce5a4271dcdf1b2744af7db3.exe
  Resource: win10v2004-en-20220112
General
- Target: 18c14e93f375304819d37f21a176ca47510ee745ce5a4271dcdf1b2744af7db3.exe
- Size: 89KB
- MD5: 49decba5ea63e659623f87b7362b5625
- SHA1: 88385e3220f69a9a710f18fb16708a4bcfec8b57
- SHA256: 18c14e93f375304819d37f21a176ca47510ee745ce5a4271dcdf1b2744af7db3
- SHA512: 28a9f00e94b8e593c7c4a192b709f052617ee56feaf9ef22d5d218185bf6638264363578feef81a5cbe8e0d7028a496546bbb679b8fc498070ad042cea98d982
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  Processes:
  resource: \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe, yara_rule: family_sakula
  resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe, yara_rule: family_sakula
- suricata: ET MALWARE SUSPICIOUS UA (iexplore)
- suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
- Executes dropped EXE (1 IoCs)
  Processes:
  pid: 1752, process: MediaCenter.exe
- Deletes itself (1 IoCs)
  Processes:
  pid: 1148, process: cmd.exe
- Loads dropped DLL (1 IoCs)
  Processes:
  pid: 952, process: 18c14e93f375304819d37f21a176ca47510ee745ce5a4271dcdf1b2744af7db3.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
  description: Set value (str), ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe", process: 18c14e93f375304819d37f21a176ca47510ee745ce5a4271dcdf1b2744af7db3.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
  description: Token: SeIncBasePriorityPrivilege, pid: 952, process: 18c14e93f375304819d37f21a176ca47510ee745ce5a4271dcdf1b2744af7db3.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
  description: PID 952 wrote to memory of 1752, pid: 952, process: 18c14e93f375304819d37f21a176ca47510ee745ce5a4271dcdf1b2744af7db3.exe, target process: MediaCenter.exe (4 entries)
  description: PID 952 wrote to memory of 1148, pid: 952, process: 18c14e93f375304819d37f21a176ca47510ee745ce5a4271dcdf1b2744af7db3.exe, target process: cmd.exe (4 entries)
  description: PID 1148 wrote to memory of 1192, pid: 1148, process: cmd.exe, target process: PING.EXE (4 entries)
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\18c14e93f375304819d37f21a176ca47510ee745ce5a4271dcdf1b2744af7db3.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\18c14e93f375304819d37f21a176ca47510ee745ce5a4271dcdf1b2744af7db3.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 952
  Level 2: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1752
  Level 2: C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\18c14e93f375304819d37f21a176ca47510ee745ce5a4271dcdf1b2744af7db3.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1148
    Level 3: C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1192
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 59f391a59061558c847cbb69d3d599e5
  SHA1: 9a73b2e39b2025b538abbbef58785caa50a2b9e7
  SHA256: 3d1f33d10b1b2e8739f69c9441f2f447e819535758bc5d6c4fb35ebb217a02e1
  SHA512: 9c22dd6895ba6cfde7e0cbd296325956b90571d8ab3970d47b7dfd2ac3e5f8c864141b2804a70ab1ac88e41ce23e5f8f93a20dc20279c1eaa2bd8e27fa3241e2