Analysis
- max time kernel: 149s
- max time network: 157s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 03:04
Static task: static1
Behavioral task: behavioral1
- Sample: 18aefbd7bef8c442d31093c063004cf1fb26eba01fe00d5ac964a703cd516090.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 18aefbd7bef8c442d31093c063004cf1fb26eba01fe00d5ac964a703cd516090.exe
- Resource: win10v2004-en-20220112
General
- Target: 18aefbd7bef8c442d31093c063004cf1fb26eba01fe00d5ac964a703cd516090.exe
- Size: 89KB
- MD5: 1b876e836dcfc62e153162d081c8c2ca
- SHA1: 7aab00368ee009729625c03caa234ce88a2d9627
- SHA256: 18aefbd7bef8c442d31093c063004cf1fb26eba01fe00d5ac964a703cd516090
- SHA512: 3a2d24689fe20227c1c71c63e810de29995dcdadb7949b8ae463cc10edb9e21db2286538ff13a3babfd3c6ddc63d5fe6d900b970566c962ec47d7a1dd827e3dd
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  Processes (resource / yara_rule):
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe: family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe: family_sakula
- suricata: ET MALWARE SUSPICIOUS UA (iexplore)
- suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
- Executes dropped EXE (1 IoC)
  Processes (pid / process): 1744 MediaCenter.exe
- Deletes itself (1 IoC)
  Processes (pid / process): 748 cmd.exe
- Loads dropped DLL (1 IoC)
  Processes (pid / process): 1452 18aefbd7bef8c442d31093c063004cf1fb26eba01fe00d5ac964a703cd516090.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description / ioc / process):
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" (18aefbd7bef8c442d31093c063004cf1fb26eba01fe00d5ac964a703cd516090.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description / pid / process): Token: SeIncBasePriorityPrivilege, 1452, 18aefbd7bef8c442d31093c063004cf1fb26eba01fe00d5ac964a703cd516090.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description / pid / process / target process); the report lists each of the following rows four times:
  PID 1452 wrote to memory of 1744: 18aefbd7bef8c442d31093c063004cf1fb26eba01fe00d5ac964a703cd516090.exe -> MediaCenter.exe
  PID 1452 wrote to memory of 748: 18aefbd7bef8c442d31093c063004cf1fb26eba01fe00d5ac964a703cd516090.exe -> cmd.exe
  PID 748 wrote to memory of 1060: cmd.exe -> PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\18aefbd7bef8c442d31093c063004cf1fb26eba01fe00d5ac964a703cd516090.exe (PID 1452)
  Command line: "C:\Users\Admin\AppData\Local\Temp\18aefbd7bef8c442d31093c063004cf1fb26eba01fe00d5ac964a703cd516090.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 1744)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 748)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\18aefbd7bef8c442d31093c063004cf1fb26eba01fe00d5ac964a703cd516090.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 1060)
      Command line: ping 127.0.0.1
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 9d99a6e6adae7dd7c3d4a8ddd8f8aa02
- SHA1: 2c210608a89f575767ca747e54054e9886a79903
- SHA256: 6ac03e4c4f5c6f771b4a57eb1bf16cb70a74aaf6f8d37af673bed6793a8845d1
- SHA512: 21665ed4d3aeff1b4db6a51d2a01429530c3e7a38d4b502a1feafcf0a5ff7702bbf15524d7cbd7f8ab150f52e2920f0908269091e254692ae3a4c9b23b40b5c3